• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1117

Necessity of deploying 802.1x in our network LAN

Hello Experts,
In our network we are using a Cisco 3560 as the core switch and Cisco 2950s as the access switches for users. More and more unauthorized computers are connecting to our network, so the company management board has asked me to limit unauthorized computers connecting to our LAN. We have an MS Active Directory environment: one Windows 2003 domain and one Windows 2008 domain. I have the following questions about this topic:
1. Is Cisco ACS necessary for 802.1x authentication?
2. Is it possible to authenticate the computer object in AD, not the user object?
3. Could you give me some links and examples for deploying 802.1x in our LAN on the Cisco platform?

Thank you
Asked by: beardog1113

1 Solution

mikebernhardt Commented:
Here is a good starting point on how to configure 802.1x authentication:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html

802.1x uses RADIUS authentication and Windows 2003 IAS uses RADIUS. IAS allows you to set many policy parameters. But it only supports user authentication, not AD computer objects. But you can get around that a bit in this way if you're willing to take on the additional administrative headache if you don't have too many users. Note that if you have more than 50 users, you will need 2003 Enterprise Edition because the less expensive 2003 Server editions limit you to 50 IAS users anyway:

1. IAS does not permit you to set a policy based on user name, only on the Windows group that a user belongs to. Create a separate group for each user and a separate IAS policy for each user which requires the user to be a member of the specific group.

2. Stop using DHCP and require static addresses for all authorized computers. Now, you can require the client PC to have a specific IP address using the Client-IP-Address parameter in the IAS policy. Add the assigned client IP address to the policy created for that user.

Now, in order to be authenticated, an authorized user has to have the correct IP address. If either is incorrect, authentication will fail.

Also, I would make sure that all unused ports on the switches are disabled.
ArneLovius Commented:
802.1x does NOT require ACS

I would not use static IP addresses, I would use DHCP.

I would consider using certificates for machine based authentication, this is far more secure than using static addresses and simpler to manage.
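As an added illustration (not code from the thread or from the Cisco guide linked above), a minimal Catalyst 2950 configuration for the setup mikebernhardt and ArneLovius describe: 802.1X on the user-facing access ports authenticating against a Windows IAS RADIUS server, with the unused ports shut down. The server address, shared secret, VLAN number and port ranges are placeholders; whether the client presents a user password or a machine certificate is decided on the IAS and Windows client side, the switch configuration is the same either way.

```cisco
! Global AAA: forward 802.1X (EAP over RADIUS) requests to the IAS server.
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
! Placeholder RADIUS server address and shared secret (assumed values).
! IAS listens on 1812/1813 as well as the legacy 1645/1646 ports.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
!
! User-facing access ports: the port passes only EAPOL frames until the
! supplicant has been authenticated by IAS; no supplicant, no access.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 spanning-tree portfast
!
! Ports with nothing connected: administratively down, as the thread
! recommends, so an unauthorized device cannot even begin an EAPOL exchange.
interface range FastEthernet0/25 - 48
 switchport mode access
 shutdown
!
! Verification from exec mode (exact output format depends on the IOS
! release; see the configuration guide linked in the first answer):
!   show dot1x
!   show dot1x interface FastEthernet0/1
```

Devices without a supplicant (printers, older phones) will be locked out of any port set to `dot1x port-control auto`, so inventory them and plan their ports before enabling `dot1x system-auth-control` globally.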
beardog1113 (Author) Commented:
Perfect.