Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


necessary of deploy 802.1x in our network LAN

Posted on 2012-08-19
Medium Priority
Last Modified: 2012-08-20
hello Experts
in our network we are using Cisco 3560 as core switch, Cisco 2950 as access switch for users, for more and more unauthorized computer connecting to our network, so company management board ask me to limit unauthorized computer connecting to our LAN. and we have MS Active Directory environment, one is window 2003 domain and the other one is windows 2008 domain, so l have the following question about this topic
1. does Cisco ACS is necessary for 802.1x authentication?
2. does it possible authenticate computer object of AD, not user object?
3. could you give me some links and examples for deploy 802.1x in our LAN on Cisco platform?

thank you
Question by:beardog1113
LVL 28

Accepted Solution

mikebernhardt earned 2000 total points
ID: 38312868
Here is a good starting point on how to configure 802.1x authentication:

802.1x uses RADIUS authentication and Windows 2003 IAS uses RADIUS. IAS allows you to set many policy parameters. But it only supports user authentication, not AD computer objects. But you can get around that a bit in this way if you're willing to take on the additional administrative headache if you don't have too many users. Note that if you have more than 50 users, you will need 2003 Enterprise Edition because the less expensive 2003 Server editions limit you to 50 IAS users anyway:

1. IAS does not permit you to set a policy base on user name, only on the windows group that a user belongs to.  Create a separate group for each user and a separate IAS policy for each user which requires the user to be a member of the specific group.

2. Stop using DHCP and require static addresses for all authorized computers. Now, you can require the client PC to have a specific IP address using the Client-IP-Address parameter in the IAS policy. Add the assigned client IP address to the policy created for that user.

Now in order to be authenticated, an authorized user has to have to correct IP address. If either is incorrect, authentication will fail.

Also, I would make sure that all unused ports on the switches are disabled.
LVL 37

Expert Comment

ID: 38314206
801.1x does NOT require ACS

I would not use static IP addresses, I would use DHCP.

I would consider using certificates for machine based authentication, this is far more secure than using static addresses and simpler to manage.

Author Closing Comment

ID: 38315008

Featured Post

The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
2017 was a scary year for cyber security.  Hear what our security experts say that hackers have in store for us in 2018.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question