
Mailing List Archive: Cisco: NSP

802.1x solution



mt at primats

Nov 9, 2005, 9:01 AM

Post #1 of 4 (110 views)
802.1x solution

My client has built a network with some Catalyst 2970s and some AP 1130s.
Now, it's looking for a solution in order to increase "mobility" for its users.
"Mobility" means it is not important where the user's computer is connected - after
802.1x authorisation the catalyst/AP gets "port autoconfiguration" (VLAN, ACLs etc.).
Does Cisco have a product/solution like this?

--
Maxim Tuliuk
WWW: http://primats.org.ua/~mt/
ICQ: 21134222

The bike is absolute freedom of moving
_______________________________________________
cisco-nsp mailing list cisco-nsp[at]puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Lists at Hojmark

Nov 9, 2005, 11:01 AM

Post #2 of 4 (106 views)
RE: 802.1x solution [In reply to]

> My client has built a network with some catalysts 2970 and
> some APs 1130.
> Now, it's looking for a solution in order to increase
> "mobility" to its users. "Mobility" means not important where
> user's computer is connected - after 802.1x authorisation
> catalyst/ap gets "port autoconfiguration" (vlan acls etc)
> Does cisco have a product/solution like this?

Yes...

The 802.1x feature list is quite long on the 2970 and includes
VLAN assignment, per-user ACLs, guest and restricted VLAN etc.

However, you should plan on doing quite a lot of testing, as the
technology is still somewhat young. For example, guess what will
happen, if you use user-based VLAN assignment with Windows? Well,
even simple stuff like logon scripts will fail. There are tons of
other problems, including all the devices that simply don't do
802.1x.

-A




JGitau at Safaricom

Nov 13, 2005, 10:44 PM

Post #3 of 4 (103 views)
RE: 802.1x solution [In reply to]

> > My client has built a network with some catalysts 2970 and some APs
> > 1130.
> > Now, it's looking for a solution in order to increase "mobility" to
> > its users. "Mobility" means not important where user's computer is
> > connected - after 802.1x authorisation catalyst/ap gets "port
> > autoconfiguration" (vlan acls etc) Does cisco have a
> > product/solution like this?

Did you get a solution for this problem? The truth is the features are
pretty new but doable. If you still need some help let me know, I have
had the opportunity to play around with 802.1x over the past few months
on wired and wireless networks, I might have a few pointers.

**Gitau



JGitau at Safaricom

Nov 14, 2005, 11:34 PM

Post #4 of 4 (102 views)
RE: 802.1x solution [In reply to]

> My client has built a network with some catalysts 2970 and
> some APs 1130.
> Now, it's looking for a solution in order to increase
> "mobility" to its users.
> "Mobility" means not important where user's computer is
> connected - after 802.1x authorisation catalyst/ap gets "port
> autoconfiguration" (vlan acls etc) Does cisco have a
> product/solution like this?

I assume you have the RADIUS server running with the necessary users and
groups created. Are you doing machine authentication or user
authentication using the MS supplicant, or trying both? I have only
worked with the MS supplicant. You also need to decide on an
authentication method. The easiest one to use would be MD5
authentication. It passes the username in the clear and only does an MD5
hash on the password. The others, i.e. (EAP) PEAP, EAP-TLS and EAP-FAST,
are a bit complicated since you need to set up certificates on all the
clients and the RADIUS server. If you are using the Cisco ACS, I have
some notes on how to go about this buried somewhere.

Since you only asked about mobility, I suggest you define the following
attributes on your RADIUS server. They automatically put the users on a
specific VLAN every time they connect. They can be defined per user or
per group.
[064] Tunnel-Type
[065] Tunnel-Medium-Type
[082] Tunnel-Assignment-ID

Another alternative is to create user/group policies on the RADIUS
server and statically assign VLANs on the switch. I think this scales
well, especially if you cross a layer 3 device or some routing protocol.
Every time a user gets authenticated, what they can access on the
network is based on the policies defined. I think you can use access
lists; "downloadable ACLs" is the proper name.

You can use the following links for further reference.

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns178/c649/ccmigration_09186a0080160229.pdf
http://www.enterprisenetworksandservers.com/monthly/art.php/756


**Gitau
Safaricom Ltd.
........................................................................
"If the entire earth, land and water, were covered with computers,
IPv6 would allow 7x10^23 IP addresses per square meter. [...] While it
was not the intention to give every molecule on the surface of the earth
its own IP address, we are not that far off."
.. Tanenbaum, "Computer Networks", 3rd Edition
........................................................................
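A worked illustration of the VLAN-assignment attributes discussed in this thread, added here as an example and not part of the original posts: it encodes the RFC 2868 tunnel triple into RADIUS attribute-value pairs and parses an Access-Accept back to a VLAN ID, rejecting malformed lengths and out-of-range VLAN numbers the way an authenticator should treat untrusted RADIUS data. Note that it carries the VLAN number in Tunnel-Private-Group-ID (attribute 81), the attribute RFC 3580 specifies for 802.1X VLAN assignment; Tunnel-Assignment-ID (82) is a different attribute. The sample packets in the test are constructed, not captured.

```python
import struct

# RADIUS attribute numbers and enum values from RFC 2868 and RFC 3580
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN = (13).to_bytes(3, "big")      # Tunnel-Type = VLAN
IEEE_802 = (6).to_bytes(3, "big")   # Tunnel-Medium-Type = IEEE-802

def avp(attr_type, value):
    """One RADIUS attribute-value pair: type(1) length(1) value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def vlan_assignment_avps(vlan_id, tag=1):
    """Encode the tunnel triple that tells the switch/AP which VLAN to assign."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tag must be 0..31")
    t = bytes([tag])
    return (avp(TUNNEL_TYPE, t + VLAN)
            + avp(TUNNEL_MEDIUM_TYPE, t + IEEE_802)
            + avp(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode("ascii")))

def parse_avps(data):
    """Split an attribute blob into (type, value) pairs; reject bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return attrs

def vlan_from_access_accept(data):
    """Return the assigned VLAN ID, or None unless a consistent VLAN/IEEE-802
    triple with a numeric 1..4094 group ID is present (untagged or same tag)."""
    by_tag = {}
    for t, v in parse_avps(data):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and v:
            # RFC 2868: a first byte above 0x1F is data, not a tag
            tag, body = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            by_tag.setdefault(tag, {})[t] = body
    for a in by_tag.values():
        gid = a.get(TUNNEL_PRIVATE_GROUP_ID, b"").decode("ascii", "replace")
        if (a.get(TUNNEL_TYPE) == VLAN and a.get(TUNNEL_MEDIUM_TYPE) == IEEE_802
                and gid.isdigit() and 1 <= int(gid) <= 4094):
            return int(gid)
    return None
```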
