Hosts and users should be authenticated by a Radius Server. According to the user or machine group, when someone connects, the port on the Switch should be changed to an internal authorized VLAN. Users / PCs not in an AD security group should be placed in an "internet only" guest VLAN.
Radius Server: MS Server 2008 R2
Client: MS Windows 7
Switch: Cisco Catalyst WS-C3560V2-24TS-S
Routing is done from the Core switch
DHCP is on a 2008R2 Server

I have ports on the switch configured as:
interface FastEthernet0/11
 description ports for radius
 switchport mode access
 switchport voice vlan 800
 switchport priority extend trust
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x timeout reauth-period 60
 dot1x reauthentication
 dot1x guest-vlan 50
 dot1x auth-fail vlan 30
 dot1x auth-fail max-attempts 2
 spanning-tree portfast
 spanning-tree bpduguard enable
end
Your NPS Server needs to have a certificate trusted by the workstations. This can mean a certificate you buy, or one from an internal certificate authority that has been installed as a trusted CA by your workstations.

Checklist:

Configure NPS for 802.1X Authenticating Switch Access
http://technet.microsoft.com/en-us/library/cc732256(v=ws.10).aspx
focusing on the NPS policy

Use the 802.1X Wizard to Configure NPS Network Policies
http://technet.microsoft.com/en-us/library/dd283091(v=ws.10).aspx

Don't forget the RADIUS portion of your switch config:
aaa new-model
!
!
aaa group server radius rad_eap
 server name YOURNPSSERVERNAME1
 server name YOURNPSSERVERNAME2
!
aaa authentication dot1x default group rad_eap
aaa authorization network default group rad_eap local
!
radius-server attribute 32 include-in-access-req format %h
radius-server retransmit 2
radius-server timeout 3
radius-server deadtime 1
radius-server key your-shared-key-for-NPS-servers
radius-server vsa send authentication
!
radius server YOURNPSSERVERNAME1
 address ipv4 10.0.0.10 auth-port 1645 acct-port 1646
!
radius server YOURNPSSERVERNAME2
 address ipv4 10.0.0.11 auth-port 1645 acct-port 1646
Excellent