SEC0093 - ACS 5.4 Wired 802.1X PEAP EAP-TLS with Machine Authentication (Part 2)

The video shows you how to configure wired 802.1X on Cisco ACS 5.4 using PEAP and EAP-TLS. We will perform both machine and user authentication, and enforce successful machine authentication using Machine Access Restriction (MAR). We will also introduce MAR cache distribution, a feature new in ACS 5.4 that replicates the MAR cache between ACS nodes so a user authentication can be honored on a node other than the one that saw the machine authentication. For authentication, we will attempt both AD login credentials (PEAP) and a client-based certificate (EAP-TLS).
Part 2 of the video contains authentication testing on our Windows 7 test computer.
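The MAR decision described above, written out as an added Python model (this is not ACS code and not part of the original page): a per-node cache keyed by the client MAC (RADIUS Calling-Station-Id) that is populated only by a successful machine (host/) authentication, a user authentication that is rejected unless a cache entry exists and is younger than the aging time, and a replicate_to() step standing in for MAR cache distribution between two nodes. The aging value, the class and function names, and the fake clock are assumptions for the example; the real aging time is configured per AD identity store in ACS.

```python
import time

MAR_AGING_SECONDS = 6 * 60 * 60   # assumed aging time; in ACS it is configured per identity store


def normalize_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and
    return 12 lowercase hex digits, so the cache key does not depend on
    how the NAS formats Calling-Station-Id."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits


class MarCache:
    """One ACS node's MAR cache: MAC -> time of the last successful machine authentication."""

    def __init__(self, aging_seconds=MAR_AGING_SECONDS, clock=time.time):
        self.aging_seconds = aging_seconds
        self.clock = clock          # injectable so the aging behaviour can be exercised offline
        self.entries = {}

    def record_machine_auth(self, mac, success):
        """Called after a host/<name> (machine) authentication; only success populates the cache."""
        if success:
            self.entries[normalize_mac(mac)] = self.clock()

    def machine_authenticated(self, mac):
        """True if this MAC has a cache entry younger than the aging time."""
        ts = self.entries.get(normalize_mac(mac))
        return ts is not None and (self.clock() - ts) <= self.aging_seconds

    def replicate_to(self, other):
        """MAR cache distribution (modelled): push entries to another node, keeping the newer timestamp."""
        for mac, ts in self.entries.items():
            if ts > other.entries.get(mac, -1.0):
                other.entries[mac] = ts


def authorize_user(cache, mac, user_credentials_ok):
    """Decision for a user authentication when MAR is enforced on the node holding `cache`.
    Returns (result, reason)."""
    if not user_credentials_ok:
        return ("REJECT", "user credentials invalid")
    if not cache.machine_authenticated(mac):
        return ("REJECT", "MAR: no successful machine authentication for this MAC within the aging time")
    return ("ACCEPT", "user authenticated after a recent machine authentication")


if __name__ == "__main__":
    now = [1000.0]                                     # constructed clock for the demo
    node_a = MarCache(aging_seconds=3600, clock=lambda: now[0])
    node_b = MarCache(aging_seconds=3600, clock=lambda: now[0])
    pc = "00:11:22:33:44:55"                           # constructed client MAC

    print("user before machine auth:", authorize_user(node_a, pc, True))
    node_a.record_machine_auth(pc, True)               # PC boots, host/ account authenticates on node A
    print("user on node A:          ", authorize_user(node_a, pc, True))
    print("user on node B (no dist):", authorize_user(node_b, "0011.2233.4455", True))
    node_a.replicate_to(node_b)                        # MAR cache distribution
    print("user on node B (dist):   ", authorize_user(node_b, "0011.2233.4455", True))
    now[0] += 3601                                     # past the aging time without a reboot
    print("user after aging:        ", authorize_user(node_a, pc, True))
```

The last line of the demo is the failure mode to remember when troubleshooting MAR: a user who stays logged in past the aging time, or who reboots while the PC cannot reach ACS, has no current machine entry and is rejected even though the credentials are correct.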
Topic:
  • ACS Wired 802.1X with PEAP and EAP-TLS
  • Machine Access Restriction/Distribution
  • Certificate Authentication Profile
  • Identity Store Sequences
  • Policy Element
    • Authorization Profile
  • Downloadable ACL
  • Service Selection Rule
  • Access Services
    • Authentication Policy
    • Authorization Policy
    • RADIUS Attributes
  • Windows 7 Wired 802.1X Network Settings

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

13 comments

Good video, like all the other ones!!

Please, I need to know how to implement dot1x on 2 switches (2x48 ports) without certificates, but force users to authenticate through AD to have access to the network resources, so that no one can get an IP address or access to the network if he hasn't got an account.
Thanks for your help

What you want to accomplish is just a regular PEAP authentication with AD integration. Please refer to Part 1 of this video for configuration. 

Hi all,

Please, I need to know how we can switch a user to his VLAN based on his logon and password.

I configured dot1x and I now need the switch to allow all users into their VLAN whatever port they use.

Thanks for your help

Under Authorization Profile, there should be an option to configure the returned VLAN. If not, you can always use the RADIUS attributes below.

  • IETF 64 (Tunnel-Type): set this to VLAN.
  • IETF 65 (Tunnel-Medium-Type): set this to 802.
  • IETF 81 (Tunnel-Private-Group-ID): set this to the VLAN ID.

Thanks, it works.
But I don't know for which reason I can't see my logs anymore; I can only see old logs. How do I troubleshoot it?

- The second issue I have is that when I log in with an account shell profile following videos SEC0086, SEC0087 and SEC0088, it works well, but the problem is that I can use whichever password; I just have to type any one or any letter.

- The third issue is to know if I can use both RADIUS and TACACS on the same switch.

Thanks

1. Double-check that the logging service is running. Make sure the log collector is pointing to the local node. If all looks good, try rebooting the server.
2. That is strange. If the password does not match fully, you should fail authentication.
3. Yes. Just configure the network device to support both TACACS and RADIUS.

I have followed this video and the other one for MAB. However, whenever I connect my PC, it goes to the wired-mab identity instead of wired-machine and wired-user. Any thoughts on what I need to look at?

Do you have your switch configured to fail over to MAB if dot1x fails? If so, check whether your supplicant is configured for dot1x and see if you have any failed dot1x authentications. Verify that the switchport runs dot1x with the 'sh auth sess inter' command.

Did anyone try to add a Huawei router as an AAA client? Does ACS 5.4 support that?

TACACS or RADIUS? As long as the router supports the standard protocol, or even requires some VSAs, you should be able to get it to work, as ACS is very flexible on what to return after a successful authentication.

I am trying to configure it using TACACS to configure two groups of administrators with command authorization.

You might want to confirm with Huawei support and make sure it is supported. You can check out the video below for the configuration on the ACS side.

http://www.labminutes.com/sec0088_acs_tacacs_shell_privilege_command_aut...