802.1X Port-Based Authentication

I have set this up using both a 2950 and a 3550.

I am having problems getting Windows to authenticate the port the client is attached to prior to domain logon.

If I use the Funk Odyssey client set to "use windows logon details" and "prior to logon" it works fine.

Basically, I am asking if there is any way to get Windows (any version) to authenticate the port before attempting to log on to the machine/domain, as the process needs to be seamless to the user.

Any help gratefully appreciated!

Drop the ZZZ to reply

Cheers ...

Reply to
z400d3

z400d3 wrote:

You'll perhaps need a machine account, and authenticate the machine itself before any user logs on. Else your machine is completely disconnected from the network. No means for software distribution or network management.

The machine-only account can be granted different and much more restrictive rights.

A much simpler approach is authenticating the MAC address, because the client doesn't need an 802.1X supplicant at this stage.

Reply to
Uli Link

I have set up an account on the machine which I want windows to use to authenticate the port then the user into the machine. This works for a local machine logon with port authentication, but not for a domain logon.

I had thought of going down this route but it would not meet the requirements.

Thanks for your input !

Drop the ZZZ to reply

Cheers ...

Reply to
z400d3

Perhaps your RADIUS needs only to strip off the domain from usernames.

DOMAIN\user vs. user

Just a guess.

Reply to
Uli Link

You will also need to change

radius-server host 172.16.1.50 auth-port 1645 acct-port 1646 key 7 KEY

to ...

radius-server host 172.16.1.50 auth-port 1812 acct-port 1813 key 7 KEY

Drop the ZZZ to reply

Cheers ...

Reply to
z400d3

Uli,

Do you have any reference on how to authenticate by MAC address using RADIUS?

I've been trying to do this for a long time but cannot find any examples.

Thanks, Jo

Reply to
Jo

Jo wrote:

Not really, but I found out a few items that may help you:

An Aironet AP with IOS 12.2(15)JA or later can authenticate MACs.

An entry

    !
    radius-server local
     user 004096112233 nthash 7 01452427035D515903186B2A4B204747595A207D7C7C7A60677A36234356567378 mac-auth-only
    !

is created where the password is equal to the username. Not really a good secret ;-) The mac-auth-only keyword is the only difference from normal login entries using LEAP.

Other authenticators/NAS send the username with - or : as delimiters and no password, or an empty password, at all. Some competitors' APs can be configured as to which delimiter to use.

You have to debug the RADIUS communication to see what your NAS sends and what your RADIUS wants.

Reply to
Uli Link
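An added example (not code from this thread, from Cisco or from any RADIUS server) of what that RADIUS-side debugging looks like: a minimal RFC 2865 Access-Request builder and parser in Python, with the PAP User-Password obfuscation, plus the username normalisation the two suggestions above amount to (dropping a DOMAIN\ prefix, and collapsing a MAC sent with - or : delimiters to the 12-hex form of the AP entry). The shared secret, the Request Authenticator and the MAC 00-40-96-11-22-33 (the AP entry's username written with delimiters) are constructed sample values; the attribute numbers and the obfuscation algorithm come from the RFC.

```python
import hashlib
import struct

# RFC 2865 constants used below
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_CALLING_STATION_ID = 31


def pap_obfuscate(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad the password to a multiple of 16 bytes, then XOR each
    block with MD5(secret + previous ciphertext block); the first block chains
    from the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def pap_deobfuscate(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_obfuscate: the chaining input is the ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], mask))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")  # strip the RFC padding


def build_access_request(identifier: int, authenticator: bytes, attrs) -> bytes:
    """Serialise Code/Identifier/Length/Authenticator followed by TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body


def parse_radius(packet: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]),
    rejecting attributes that run past the declared packet length."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, identifier, packet[4:20], attrs


def normalize_username(name: str) -> str:
    """Drop a DOMAIN\\ prefix (the DOMAIN\\user vs user case) and collapse a
    MAC sent with '-' or ':' delimiters to the 12-hex form the AP entry uses."""
    if "\\" in name:
        name = name.split("\\", 1)[1]
    compact = name.replace("-", "").replace(":", "").lower()
    if len(compact) == 12 and all(c in "0123456789abcdef" for c in compact):
        return compact
    return name


def decode_mac_auth_request(packet: bytes, secret: bytes) -> dict:
    """What a RADIUS-side debug would show for one request: the raw and
    normalised User-Name, the recovered PAP password (None if the NAS sent
    none or an empty one) and whether it merely repeats the username."""
    code, identifier, authenticator, attrs = parse_radius(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    raw_name = next((v for t, v in attrs if t == ATTR_USER_NAME), b"").decode("ascii", "replace")
    pw_attr = next((v for t, v in attrs if t == ATTR_USER_PASSWORD), None)
    password = None
    if pw_attr:  # an empty attribute counts as no password
        password = pap_deobfuscate(pw_attr, secret, authenticator).decode("ascii", "replace")
    user_name = normalize_username(raw_name)
    return {
        "identifier": identifier,
        "raw_user_name": raw_name,
        "user_name": user_name,
        "password": password,
        "password_equals_username": password is not None and normalize_username(password) == user_name,
    }


if __name__ == "__main__":
    # Constructed sample: secret and authenticator are placeholders; the MAC is
    # the AP entry's username from the thread, written with '-' delimiters.
    SECRET = b"KEY"
    AUTH = bytes(range(16))
    mac = b"00-40-96-11-22-33"
    pkt = build_access_request(7, AUTH, [
        (ATTR_USER_NAME, mac),
        (ATTR_USER_PASSWORD, pap_obfuscate(mac, SECRET, AUTH)),
        (ATTR_CALLING_STATION_ID, mac),
    ])
    print(decode_mac_auth_request(pkt, SECRET))
```

Run against a capture of a real Access-Request the same decoder shows exactly what the NAS put in User-Name and whether it sent a password at all, which is the information needed to decide whether the RADIUS server must strip a domain, accept a delimited MAC, or accept an empty password for MAC-only entries.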
