Comments on: 802.1x Integration with Active Directory http://blog.scottlowe.org/2006/12/07/8021x-integration-with-active-directory/ The weblog of an IT pro specializing in virtualization, storage, and servers Mon, 15 Mar 2010 09:19:37 +0000 http://wordpress.org/?v=abc hourly 1 By: nelson http://blog.scottlowe.org/2006/12/07/8021x-integration-with-active-directory/comment-page-1/#comment-46696 nelson Fri, 20 Nov 2009 03:26:44 +0000 http://blog.scottlowe.org/?p=382#comment-46696 Hi, I have a doubt on how 802.1x works, let´s say your radius server is dead or become offline, is it possible to bypass and used normal authentication without 802.1x at switch level, something like if radius server alive then 802.1x else use standard. Otherwise your network become off line (assuming there is no backup for radius) Hi,

I have a doubt on how 802.1x works, let´s say your radius server is dead or become offline, is it possible to bypass and used normal authentication without 802.1x at switch level, something like if radius server alive then 802.1x else use standard. Otherwise your network become off line (assuming there is no backup for radius)

]]> By: Andrew http://blog.scottlowe.org/2006/12/07/8021x-integration-with-active-directory/comment-page-1/#comment-44865 Andrew Fri, 19 Jun 2009 21:40:20 +0000 http://blog.scottlowe.org/?p=382#comment-44865 Hi Scott: Like Jose, I'm trying to get Macs to authenticate wirelessly at startup. Everything I've found to date indicates that it should work. So far I can get it to work by logging on to the local admin account, connecting to the wireless network, then logging off. All bets are off if the laptops (aluminum MacBooks running 10.5.7) are restarted. Has anything changed to allow the supplicant to run at startup? Andrew Hi Scott:
Like Jose, I’m trying to get Macs to authenticate wirelessly at startup. Everything I’ve found to date indicates that it should work. So far I can get it to work by logging on to the local admin account, connecting to the wireless network, then logging off. All bets are off if the laptops (aluminum MacBooks running 10.5.7) are restarted. Has anything changed to allow the supplicant to run at startup?

Andrew

]]> By: capcorne http://blog.scottlowe.org/2006/12/07/8021x-integration-with-active-directory/comment-page-1/#comment-43990 capcorne Thu, 26 Mar 2009 14:50:13 +0000 http://blog.scottlowe.org/?p=382#comment-43990 Hi all, I deployed this in our network. I used IAS, EAP-PEAP and AD integration as well with XP SP3 client. Pay attention, the configuration of XP SP3 for 802.1x is completely diffrent from SP2. I writed all the steps <a href="http://capcorne.wordpress.com/2009/03/25/deploying-8021x-for-lan-access/" rel="nofollow">here</a> Have fun ! Hi all,

I deployed this in our network. I used IAS, EAP-PEAP and AD integration as well with XP SP3 client. Pay attention, the configuration of XP SP3 for 802.1x is completely diffrent from SP2. I writed all the steps here

Have fun !

]]> By: Edward http://blog.scottlowe.org/2006/12/07/8021x-integration-with-active-directory/comment-page-1/#comment-43586 Edward Tue, 10 Feb 2009 00:20:27 +0000 http://blog.scottlowe.org/?p=382#comment-43586 I would like to share my experience for implementing 802.1x on win-XP. Before 802.1x authenticate the applicant(PC), win-XP can not communicate with DC due to switch port was in un-authenticated status. Therefore, user can not be authenticated by AD. I found "Cisco secure service client" provide the function that enable win-XP authenticate by 802.1x then send the login credential to AD for windows authentication. This solve the problem between chicken and egg :=). I would like to share my experience for implementing 802.1x on win-XP.
Before 802.1x authenticate the applicant(PC), win-XP can not communicate with DC due to switch port was in un-authenticated status. Therefore, user can not be authenticated by AD. I found “Cisco secure service client” provide the function that enable win-XP authenticate by 802.1x then send the login credential to AD for windows authentication. This solve the problem between chicken and egg :=).

]]> By: Mike http://blog.scottlowe.org/2006/12/07/8021x-integration-with-active-directory/comment-page-1/#comment-35597 Mike Mon, 18 Feb 2008 07:25:23 +0000 http://blog.scottlowe.org/?p=382#comment-35597 Man... After 4 hours of fighting with AAA and IAS I finally have it working! I'm using a 2950 and a Windows 2003 server. All the configs I read seem to miss the part about enabling reverse password encryption in AD!!! I wanted to comment about connecting with virtual machines. I'm studying for my CCNP BCMSN exam and there is an option that someone might find useful in the book. switch(config-if)#dot1x host-mode mutli-host This allows more than 1 host to be connected on a single switchport. 1 Host authenticates and the others are then allowed to work. Not exactly how I expected it to work but maybe someone will use it. As an example I have my Macbook Pro plugged into FA0/9 of my 2950 switch. I have 802.1x enabled and it authenticates me. Now I fire up XP in vmware with shared networking and its able to communicate without any kind of dot1x authentication. I tested the reverse and it works which I thought was cool. Boot up the Mac and don't set it to authenticate, port stays orange. Then boot up XP and setup dot1x authentication. It will authenticate the switchport and then the mac side networking will start working. Have fun! Man… After 4 hours of fighting with AAA and IAS I finally have it working! I’m using a 2950 and a Windows 2003 server. All the configs I read seem to miss the part about enabling reverse password encryption in AD!!!

I wanted to comment about connecting with virtual machines. I’m studying for my CCNP BCMSN exam and there is an option that someone might find useful in the book.

switch(config-if)#dot1x host-mode mutli-host

This allows more than 1 host to be connected on a single switchport. 1 Host authenticates and the others are then allowed to work. Not exactly how I expected it to work but maybe someone will use it.

As an example I have my Macbook Pro plugged into FA0/9 of my 2950 switch. I have 802.1x enabled and it authenticates me.

Now I fire up XP in vmware with shared networking and its able to communicate without any kind of dot1x authentication.

I tested the reverse and it works which I thought was cool.

Boot up the Mac and don’t set it to authenticate, port stays orange. Then boot up XP and setup dot1x authentication. It will authenticate the switchport and then the mac side networking will start working.

Have fun!

]]> By: slowe http://blog.scottlowe.org/2006/12/07/8021x-integration-with-active-directory/comment-page-1/#comment-35247 slowe Wed, 30 Jan 2008 00:57:32 +0000 http://blog.scottlowe.org/?p=382#comment-35247 Dave, Honestly, I've never tried. I would imagine that it is possible, but as to the difficulty I have no idea. If you manage to make it work, let me know! Dave,

Honestly, I’ve never tried. I would imagine that it is possible, but as to the difficulty I have no idea. If you manage to make it work, let me know!

]]> By: Dav e http://blog.scottlowe.org/2006/12/07/8021x-integration-with-active-directory/comment-page-1/#comment-35246 Dav e Tue, 29 Jan 2008 23:18:32 +0000 http://blog.scottlowe.org/?p=382#comment-35246 Scott, have you been able to get a linux host connect to the MS 802.1x wireless network? I am guessing that if you can get the Mac client to connect, it is possible with linux? Scott, have you been able to get a linux host connect to the MS 802.1x wireless network? I am guessing that if you can get the Mac client to connect, it is possible with linux?

]]> By: slowe http://blog.scottlowe.org/2006/12/07/8021x-integration-with-active-directory/comment-page-1/#comment-34274 slowe Wed, 21 Nov 2007 17:03:30 +0000 http://blog.scottlowe.org/?p=382#comment-34274 Stas, As far as I know, you can't use port-level 802.1x authentication with virtualization because multiple virtual machines share the same physical port--authorizing one virtual machine could potentially authorize all virtual machines on that same port. Stas,

As far as I know, you can’t use port-level 802.1x authentication with virtualization because multiple virtual machines share the same physical port–authorizing one virtual machine could potentially authorize all virtual machines on that same port.

]]> By: stas http://blog.scottlowe.org/2006/12/07/8021x-integration-with-active-directory/comment-page-1/#comment-34273 stas Wed, 21 Nov 2007 16:49:00 +0000 http://blog.scottlowe.org/?p=382#comment-34273 How would I authenticate into corporate wireless network using certificate stored on a virtual Windows XP guest machine? How would I authenticate into corporate wireless network using certificate stored on a virtual Windows XP guest machine?

]]> By: slowe http://blog.scottlowe.org/2006/12/07/8021x-integration-with-active-directory/comment-page-1/#comment-33091 slowe Tue, 21 Aug 2007 15:59:48 +0000 http://blog.scottlowe.org/?p=382#comment-33091 Adam, As far as I know, you'll need to know the port to which the PC is connected. There may be a way to search the switch's MAC address table to find which port that is, but in the end you'll still need to know the port number. Adam,

As far as I know, you’ll need to know the port to which the PC is connected. There may be a way to search the switch’s MAC address table to find which port that is, but in the end you’ll still need to know the port number.

]]>