[c-nsp] 802.1x solution

John Gitau JGitau at Safaricom.co.ke
Tue Nov 15 02:34:22 EST 2005


> My client has built a network with some catalysts 2970 and 
> some APs 1130.
> Now, it's looking for a solution in order to increase 
> "mobility" to its users.
> "Mobility" means it is not important where the user's computer is 
> connected - after 802.1x authorisation the catalyst/AP gets "port 
> autoconfiguration" (VLAN, ACLs etc). Does Cisco have a 
> product/solution like this?

I assume you have the radius server running with the necessary users and
groups created. Are you doing machine authentication or user
authentication using the MS supplicant, or trying both...? - I have only
worked with the MS supplicant - You also need to decide on an
authentication method. The easiest one to use would be MD5
authentication. It passes the username in the clear and only does an MD5
hash on the password. The others, i.e. (EAP) - {PEAP}, {EAP-TLS}, EAP-FAST,
are a bit complicated since you need to set up certificates on all the
clients and the radius server. If you are using the Cisco ACS, I have
some notes on how to go about this buried somewhere.

Since you only asked about mobility, I suggest you define the following
attributes on your radius server. They automatically put the users on a
specific VLAN every time they connect. They can be defined per user or
per group.
[064] Tunnel-Type 
[065] Tunnel-Medium-Type 
[082] Tunnel-Assignment-ID

Another alternative is to create user/group policies on the radius
server and statically assign VLANs on the switch. I think this scales
well, especially if you cross a layer 3 device or some routing protocol.
Every time a user gets authenticated, what they can access on the
network is based on the policies defined. I think you can use access lists
(downloadable ACLs is the proper name).

You can use the following links for further reference.

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns178/c649/ccmigration_09186a0080160229.pdf
http://www.enterprisenetworksandservers.com/monthly/art.php/756


**Gitau
Safaricom Ltd.
.........................................................................
"If the entire earth, land and water, were covered with computers, 
IPv6 would allow 7x10^23 IP addresses per square meter.  [...]  While it
was not the intention to give every molecule on the surface of the earth
its own IP address, we are not that far off."
	.. Tanenbaum, Computer Networks, 3rd Edition
.........................................................................
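As an added illustration (not part of the post above, and not Cisco's or any RADIUS server's code), here is how the tunnel attributes that carry a dynamic VLAN assignment are encoded on the wire and how a switch would read them back. It follows the RFC 2868 tagged-attribute format and the RFC 3580 VLAN convention (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, VLAN ID in Tunnel-Private-Group-ID [081]); the VLAN number and the tag value are constructed sample input.

```python
import struct

# RADIUS attribute numbers and values (RFC 2868 / RFC 3580).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6


def encode_tagged_int(attr_type, tag, value):
    """Tagged integer attribute: Type, Length, Tag (1 octet), value in 3 octets."""
    if not 0 <= tag <= 0x1F or not 0 <= value <= 0xFFFFFF:
        raise ValueError("tag or value out of range")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    """Tagged string attribute: Type, Length, optional Tag octet, then the string."""
    body = (bytes([tag]) + text.encode()) if tag else text.encode()
    if len(body) > 253:
        raise ValueError("attribute too long")
    return struct.pack("!BB", attr_type, len(body) + 2) + body


def vlan_assignment_attrs(vlan_id, tag=1):
    """Attributes a RADIUS server adds to Access-Accept to place the port in vlan_id."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def parse_attrs(data):
    """Walk the Type/Length/Value list; returns [(type, value_bytes), ...]."""
    out, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def assigned_vlan(data):
    """Switch-side view: return the VLAN only when all three attributes agree per tag."""
    types, mediums, groups = {}, {}, {}
    for t, v in parse_attrs(data):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            (types if t == TUNNEL_TYPE else mediums)[v[0]] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            # A leading octet of 0x01..0x1F is a tag; anything else means untagged.
            tag, text = (v[0], v[1:]) if 1 <= v[0] <= 0x1F else (0, v)
            groups[tag] = text.decode()
    for tag, vlan in groups.items():
        if types.get(tag) == TUNNEL_TYPE_VLAN and mediums.get(tag) == TUNNEL_MEDIUM_IEEE_802:
            return vlan
    return None
```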
