February 12, 2009

CCIE Security - Wired Dot1x with Cisco Secure ACS

Using dot1x on the LAN,
we can authenticate users and place them in their proper VLAN based on username.

Note:
Don't forget to put the ports in access mode, unless you don't want to see the dot1x commands on the interface :)
> switchport mode access

aaa new-model
!
aaa authentication login NONE none
! --- named login method list; not applied to any line in this snippet
aaa authentication dot1x default group radius
aaa authorization network default group radius
! --- dot1x should use the "default" method list for authentication (it's mandatory)
! --- "aaa authorization network" is what lets the switch apply the VLAN returned by RADIUS
radius-server host 192.168.218.1 auth-port 1645 acct-port 1646 key CISCO
!
dot1x system-auth-control
! --- enables 802.1X globally; without it the per-interface command has no effect
!
interface FastEthernet0/2
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!

On Cisco Secure ACS we can enable IETF RADIUS attributes 64 (Tunnel-Type), 65 (Tunnel-Medium-Type) and 81 (Tunnel-Private-Group-ID) under the user properties to put each user in a specific VLAN.
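As an added example (not code from the original post or from Cisco), the following script encodes the three RFC 2868 attributes the way a RADIUS server puts them in an Access-Accept, then parses them back the way a switch has to before it can move the port into the VLAN. The values are the ones used for VLAN assignment: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6), Tunnel-Private-Group-ID = the VLAN number or name. The acceptance rules in `vlan_from_access_accept` (all three attributes present, consistent tags, correct type and medium, malformed lengths rejected) are my assumption of what a sane switch does, useful for checking a captured Access-Accept when a port stays in its default VLAN after a successful authentication.

```python
import struct

# IETF RADIUS attribute numbers (RFC 2868)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

# Values that mean "802.1Q VLAN" to a switch
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def encode_tagged_int(attr_type, tag, value):
    """Tagged integer attribute: Type, Length=6, Tag, 3-octet value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    """Tagged string attribute: Type, Length, Tag, string."""
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def build_vlan_attributes(vlan, tag=1):
    """The attribute triple a server sends to assign `vlan` (number or name)."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))


def parse_attributes(blob):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("attribute length %d exceeds packet" % length)
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def split_tag(attr_type, value):
    """Separate the RFC 2868 tag octet from the attribute body."""
    if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        if len(value) != 4:
            raise ValueError("tagged integer must carry tag + 3 value octets")
        return value[0], value[1:]
    # For the string attribute the leading octet is a tag only if it is <= 0x1F;
    # otherwise it is the first character of the group name (RFC 2868 section 3.6).
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_access_accept(blob):
    """Return the VLAN a switch would assign from these attributes, or None.

    Assumed rules: all three attributes must be present in one tag group
    (tag 0 / untagged attributes apply to every group), Tunnel-Type must be
    VLAN and Tunnel-Medium-Type must be IEEE-802. Malformed lengths raise.
    """
    shared, tagged = {}, {}
    for attr_type, value in parse_attributes(blob):
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue  # unrelated attributes (Class, Session-Timeout, ...) are ignored
        tag, body = split_tag(attr_type, value)
        target = shared if tag == 0 else tagged.setdefault(tag, {})
        target[attr_type] = body
    groups = [{**shared, **g} for g in tagged.values()] or [shared]
    for group in groups:
        if set(group) != {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}:
            continue
        if int.from_bytes(group[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(group[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        return group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
    return None


if __name__ == "__main__":
    # Constructed sample: what ACS would send for a user mapped to VLAN 10
    accept = build_vlan_attributes(10)
    print(accept.hex())
    print("assigned VLAN:", vlan_from_access_accept(accept))
```

Running the script prints the 17-byte attribute list and `assigned VLAN: 10`; feeding it only the first two attributes (or a wrong medium type) returns `None`, which is the case where the port authenticates but stays in its configured VLAN.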
2 comments:

Anonymous said...

Hi,

I need to get a simple NAC solution in place to ensure only machines with a local certificate issued from our internal PKI can access our network. Can I use Cisco ACS, Cisco switchports to achieve this?

Thanks

Shawn Zandi (Shafagh) said...

Yes, refer to the following document:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml