Necessity of deploying 802.1x in our network LAN

Posted on 2012-08-19
Last Modified: 2012-08-20
Hello Experts,
In our network we are using a Cisco 3560 as the core switch and Cisco 2950s as access switches for users. More and more unauthorized computers are connecting to our network, so the company management board has asked me to limit unauthorized computers connecting to our LAN. We have an MS Active Directory environment: one is a Windows 2003 domain and the other is a Windows 2008 domain. I have the following questions about this topic:
1. Is Cisco ACS necessary for 802.1x authentication?
2. Is it possible to authenticate AD computer objects, not user objects?
3. Could you give me some links and examples for deploying 802.1x in our LAN on the Cisco platform?

Thank you
Question by: beardog1113
    LVL 28

    Accepted Solution

    Here is a good starting point on how to configure 802.1x authentication:

    802.1x uses RADIUS authentication and Windows 2003 IAS uses RADIUS. IAS allows you to set many policy parameters. But it only supports user authentication, not AD computer objects. But you can get around that a bit in this way if you're willing to take on the additional administrative headache if you don't have too many users. Note that if you have more than 50 users, you will need 2003 Enterprise Edition because the less expensive 2003 Server editions limit you to 50 IAS users anyway:

    1. IAS does not permit you to set a policy based on user name, only on the Windows group that a user belongs to. Create a separate group for each user and a separate IAS policy for each user which requires the user to be a member of the specific group.

    2. Stop using DHCP and require static addresses for all authorized computers. Now, you can require the client PC to have a specific IP address using the Client-IP-Address parameter in the IAS policy. Add the assigned client IP address to the policy created for that user.

    Now, in order to be authenticated, an authorized user has to have the correct IP address. If either is incorrect, authentication will fail.

    Also, I would make sure that all unused ports on the switches are disabled.
    LVL 36

    Expert Comment

    802.1x does NOT require ACS.

    I would not use static IP addresses, I would use DHCP.

    I would consider using certificates for machine-based authentication; this is far more secure than using static addresses and simpler to manage.
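For the third question in the thread, here is an added example (not posted by either expert) of a minimal 802.1x configuration on a Cisco IOS access switch such as the 2950, using a Windows IAS server as the RADIUS server and shutting down unused ports as the accepted solution recommends. The RADIUS server address 192.0.2.10, the shared secret, the VLAN numbers and the port ranges are placeholders; the switch must also be registered as a RADIUS client on the IAS side.

```cisco
! Added example, not the thread's own configuration. Placeholders:
! 192.0.2.10 = IAS/RADIUS server, REPLACE-WITH-SHARED-SECRET = RADIUS key.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
!
! Enable 802.1x globally; port-level dot1x settings do nothing without this.
dot1x system-auth-control
!
! User-facing access ports: the port passes only EAPOL until the
! supplicant (user or machine account) authenticates via RADIUS.
interface range FastEthernet0/1 - 20
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 spanning-tree portfast
!
! Unused ports: administratively down and parked in an unused VLAN,
! so plugging a cable in gives no network access at all.
interface range FastEthernet0/21 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Uplink to the 3560 core: a trunk with no 802.1x, since the core
! switch is not a supplicant.
interface GigabitEthernet0/1
 switchport mode trunk
```

On newer IOS releases for the 3560, the per-port commands are `dot1x pae authenticator` and `authentication port-control auto` instead of `dot1x port-control auto`; check `show dot1x interface` (or `show authentication sessions`) to confirm a port is in the authorized state after a client connects.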
