802.1X authentication with Cisco Switch and IAS

AJ1982 (Technical User, joined Jun 13, 2001, 644 messages, location GB)

Hi,

I've been reading up on 802.1X authentication and would like to know the following...

Our lab network has a list of "fixed" PCs which we would like to go into one VLAN; sometimes people bring in their own laptops, which we would like to go into another VLAN.

Can we achieve this, and more importantly is there any guide for setting up the ISA server?

Thanks for all your help.

Andrew J

===

Fatman Superstar (Andrew James)

CCNA, CCAI
 
Hi there,

I'm at the same point as you at the moment I think.
Generally your plan should be possible. If you are using Cisco switches and some kind of RADIUS authentication, the authentication server (in my case probably a RADIUS server) can assign VLANs to different clients.
So the only thing you need to do is to define which user will get into which VLAN.

bye,
busche
 
Thanks, I've read some stuff that you can only achieve the 802.1x auth with XP, but surely it stems off the MAC from what the switch says, so is there a relevance on the OS?

Cheers for your help. If anyone's got guides on config for the IAS that would be great.

Cheers

AJ

===

Fatman Superstar (Andrew James)

CCNA, CCAI
 
There is a relevance of the OS because in 802.1x authentication the supplicant/client/user is the client of the authentication. For example, if you use RADIUS authentication the supplicant is the client and needs an installed RADIUS client. The switch (authenticator) only forwards the messages during authentication. As far as I know 802.1x can be done with XP or with W2K, but only with Service Pack 4. I think there will be support coming/maybe already there for other OS too. Another important thing is that the support of the OS depends on which authentication method (PEAP/EAP-TLS...) you use.

bye busche
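To put the two replies above (RADIUS assigning the VLAN, the switch only relaying EAP between supplicant and server) into concrete form, here is an added example of the switch side; it is not configuration from anyone in this thread. The RADIUS server address, shared secret, VLAN numbers and interface names are placeholders, and the command set is the 12.1/12.2-era `dot1x` syntax.

```cisco
! Added example, not from the thread: Catalyst access switch as 802.1X
! authenticator with RADIUS-assigned VLANs. All addresses, secrets,
! VLAN ids and interface names are placeholders.
!
aaa new-model
! EAP sessions are authenticated against RADIUS; "authorization network"
! is what lets the server's Tunnel-* attributes move the port's VLAN.
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER-SHARED-SECRET
!
! Turn on the authenticator role globally (ports stay open without this)
dot1x system-auth-control
!
vlan 10
 name LAB-FIXED-PCS
vlan 20
 name VISITOR-LAPTOPS
!
interface range FastEthernet0/1 - 24
 switchport mode access
 ! Port is unauthorized until the supplicant completes EAP
 dot1x port-control auto
 ! A host that never answers EAPOL (no supplicant installed, e.g. a
 ! visitor laptop) is dropped into the visitor VLAN instead of blocked
 dot1x guest-vlan 20
 spanning-tree portfast
!
! For the "fixed PC" case the RADIUS server must return these three
! attributes (in IAS: remote access policy > Edit Profile > Advanced;
! IAS labels the last one Tunnel-Pvt-Group-ID):
!   Tunnel-Type              = VLAN (13)
!   Tunnel-Medium-Type       = 802 (6)
!   Tunnel-Private-Group-ID  = "10"
```

Note that the guest VLAN only catches hosts that send no EAPOL at all; a host that does run a supplicant and then fails authentication is simply left unauthorized, so check `show dot1x interface` when a port does not land where you expect.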
 
I think you can use the DHCP snooping option (81? or something) support on Cisco switches to locate clients in the appropriate VLAN dynamically.

This is how the Cisco security-aware network works.

Check out the Cisco site for DHCP snooping capability.
 
DHCP snooping option 82 is what I was thinking of.
 
Does the DHCP snooping option have anything to do with 802.1x or is it a totally different topic?

Thanks,
busche
 
DHCP snooping uses 802.1x and dynamic VLAN assignment to assign users to VLANs based on login information. I think. I will get information from Cisco and post.
 
My bad. I am thinking of something else. Regard the snooping information. Here is what Cisco says about basic snooping however.

DHCP snooping is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted message is a message that is received from outside the network or firewall and that can cause traffic attacks within your network.

The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch; it does not contain information regarding hosts interconnected with a trusted interface. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network.

DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also gives you a way to differentiate between untrusted interfaces connected to the end-user and trusted interfaces connected to the DHCP server or another switch.


Note: In order to enable DHCP snooping on a VLAN, you must enable DHCP snooping on the switch.

You can configure DHCP snooping for switches and VLANs. When you enable DHCP snooping on a switch, the interface acts as a Layer 2 bridge, intercepting and safeguarding DHCP messages going to a Layer 2 VLAN. When you enable DHCP snooping on a VLAN, the switch acts as a Layer 2 bridge within a VLAN domain.
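The quoted Cisco text describes the trusted/untrusted split and the global-then-per-VLAN ordering; this added example shows what that looks like on the switch. It is not configuration from the thread or from Cisco's document, and the VLAN ids and interface names are placeholders.

```cisco
! Added example, not from the thread: DHCP snooping on an access switch.
! VLAN ids and interface names are placeholders.
!
! Global enable must come first; per-VLAN snooping is ignored until it is on
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Option 82 insertion is on by default once snooping is enabled. Leave it
! off unless the DHCP server is known to accept relay information with a
! zero giaddr, otherwise clients behind this switch stop getting leases.
no ip dhcp snooping information option
!
! Uplink toward the DHCP server / distribution switch: trusted, so
! server-side messages (DHCPOFFER, DHCPACK, DHCPNAK) arriving here pass
interface GigabitEthernet0/1
 description UPLINK-TO-DISTRIBUTION
 switchport mode trunk
 ip dhcp snooping trust
!
! End-user ports stay untrusted (the default). Server-side DHCP messages
! from a rogue server plugged in here are dropped, and the per-port rate
! limit (packets per second) blunts a lease-exhaustion flood by
! err-disabling the port.
interface range FastEthernet0/1 - 24
 switchport mode access
 ip dhcp snooping limit rate 10
!
! Verification:
!   show ip dhcp snooping          - trust state and rate limit per port
!   show ip dhcp snooping binding  - the MAC/IP/lease/VLAN/interface table
```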

 
Thx for the information lui3.
So let me try if I understood this right.
DHCP snooping is something you can assign to a special VLAN that has already been assigned to a so called "untrusted" port to prevent your network from attacks through this port...
 
I believe it is a rogue DHCP server attack mitigation technique. I have seen other uses for it as well, hence my comment on option 82. Option 82 is used by ISPs to keep too many hosts on a hub or network from getting too many IP addresses.
 