SEC0093 - ACS 5.4 Wired 802.1X PEAP EAP-TLS with Machine Authentication (Part 2)
Category:
Security
The video shows you how to configure wired 802.1X on Cisco ACS 5.4 using PEAP and EAP-TLS. We will perform both machine and user authentication, and enforce successful machine authentication using Machine Access Restriction (MAR). We will also introduce MAR Cache distribution, a feature new in ACS 5.4. For authentication, we will try both AD login credentials (PEAP) and a client certificate (EAP-TLS).
Part 2 of the video contains authentication testing on our Windows 7 test computer.
Topic:
- ACS Wired 802.1X with PEAP and EAP-TLS
- Machine Access Restriction/Distribution
- Certificate Authentication Profile
- Identity Store Sequences
- Policy Element
- Authorization Profile
- Downloadable ACL
- Service Selection Rule
- Access Services
- Authentication Policy
- Authorization Policy
- RADIUS Attributes
- Windows 7 Wired 802.1X Network Settings
13 comments
Wired users
Good video like all the other ones!!
Wired users
Please, I need to know how to implement dot1x on 2 switches (2x48 ports) without certificates, but force users to authenticate through AD to have access to the network resources, so that no one can get an IP address or access to the network if he doesn't have an account.
Thanks for your help
Wired users
What you want to accomplish is just a regular PEAP authentication with AD integration. Please refer to Part 1 of this video for configuration.
ACS 5.4 Dynamic Vlan membership
Hi all,
Please, I need to know how we can switch a user to his VLAN based on his login and password?
I configured dot1x and now I need to allow all users to switch to their VLAN whatever port they use.
Thanks for your help
ACS 5.4 Dynamic Vlan membership
Under Authorization profile, there should be an option to configure returned VLAN. If not, you can always use RADIUS attributes below.
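The RADIUS attributes that carry a VLAN assignment are the standard tunnel attributes from RFC 2868/3580 (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=vlan). The following added example (not code from the page or from ACS) encodes that tuple as raw RADIUS attributes and checks a captured attribute blob for the complete, consistent tuple, which is the first thing to verify when a port authenticates but stays on its configured VLAN; the sample input is constructed inline.

```python
import struct

# RADIUS attribute type codes and values from RFC 2868 / RFC 3580 (standard, not ACS-specific).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type value "IEEE-802"

def encode_vlan_attrs(vlan_id, tag=1):
    """Build the three tunnel attributes an Access-Accept carries for dynamic VLAN assignment."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    def tagged_int(atype, value):      # type, length=6, tag byte, 3-byte big-endian value
        return struct.pack("!BBB", atype, 6, tag) + value.to_bytes(3, "big")
    gid = str(vlan_id).encode()        # Tunnel-Private-Group-ID is a string (number or VLAN name)
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
            + struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(gid), tag) + gid)

def parse_attrs(data):
    """Walk a RADIUS attribute blob into {(type, tag): value}; rejects malformed lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        body, tag = data[i + 2:i + alen], 0
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, body = body[0], int.from_bytes(body[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and body and body[0] <= 0x1F:
            tag, body = body[0], body[1:]   # RFC 2868: a first byte above 0x1F is not a tag
        attrs[(atype, tag)] = body
        i += alen
    return attrs

def vlan_from_attrs(data):
    """Return (vlan, None) when the tuple is complete and consistent, else (None, reason).
    A switch given an incomplete tuple normally ignores it and leaves the port on its
    configured VLAN, so this is the check to run on a captured Access-Accept."""
    attrs = parse_attrs(data)
    for (atype, tag) in attrs:
        if atype != TUNNEL_TYPE:
            continue
        if attrs[(TUNNEL_TYPE, tag)] != TUNNEL_TYPE_VLAN:
            return None, "Tunnel-Type is not VLAN"
        if attrs.get((TUNNEL_MEDIUM_TYPE, tag)) != TUNNEL_MEDIUM_802:
            return None, "Tunnel-Medium-Type missing or not IEEE-802"
        gid = attrs.get((TUNNEL_PRIVATE_GROUP_ID, tag))
        if not gid:
            return None, "Tunnel-Private-Group-ID missing"
        return (int(gid) if gid.isdigit() else gid.decode(errors="replace")), None
    return None, "no Tunnel-Type attribute"
```

All three attributes must share the same tag byte; a mismatched tag is treated as a different tunnel and the tuple is again incomplete.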
ACS 5.4 Dynamic Vlan membership
Thanks, it works.
But I don't know for which reason I can't see my logs anymore; I can just see old logs. How do I troubleshoot it?
- The second issue I have is that when I log in with an account shell profile following videos SEC0086, SEC0087, SEC0088, it works well, but the problem is that I can use whichever password; I just have to type anything or any letter.
- The third issue is to know if I can use both RADIUS and TACACS on the same switch?
Thanks
ACS 5.4 Dynamic Vlan membership
1. Double check that the logging service is running. Make sure the log collector is pointing to the local node. If all looks good, try rebooting the server.
2. That is strange. If the password does not match fully, you should fail authentication.
3. Yes. Just configure the network device to support both TACACS and RADIUS.
Identity is going to WIRED-MAB
I have followed this video and the other for MAB. However, whenever I connect my PC it is going to the wired-mab identity instead of the wired-machine and wired-user. Any thoughts on what I need to look at?
Identity is going to WIRED-MAB
Do you have your switch configured to fail over to MAB if dot1X fails? If so, check if your supplicant is configured for dot1X and see if you have any failed dot1X authentications. Verify that the switchport runs dot1X with the 'sh auth sess inter' command.
Huawei Router
Did anyone try to add a Huawei router as an AAA client? Does ACS 5.4 support that?
Huawei Router
TACACS or RADIUS? As long as the router supports the standard protocol, or even requires some VSA, you should be able to get it to work, as ACS is very flexible on what to return after a successful authentication.
I am trying to configure it
I am trying to configure it using TACACS to configure two groups of administrators with command authorization.
You might want to confirm with
You might want to confirm with Huawei support and make sure it is supported. You can check out the video below for the configuration on the ACS side.
http://www.labminutes.com/sec0088_acs_tacacs_shell_privilege_command_aut...