Netlogin Script for Authenticated VLAN
01-07-2014 09:52 PM
Create Date: Apr 11 2012 8:07AM
Hi There,
I'm trying to implement wired 802.1x on our network. Having tested this briefly and got it to work, it's not the way I'd like it to be.
We're using a 2008 NPS Server as our RADIUS box; a default connection policy is set up and a network policy is also set up. The network policy is set so that this determines which VLAN authenticated clients have access to (using the VSAs etc). However, in our environment we have numerous VLANs and it would seem that a policy is needed for every VLAN (VSA?). Not to mention the amount of authenticators (switches) we have, for which you can't specify what points to what network policy etc.
This seems quite a bit of work and time to implement, plus a potential nightmare to upkeep. I'd rather the RADIUS server didn't determine the authenticated VLAN but the switches (authenticators) themselves did, and I would assume I would need some sort of script to do this?
Does anyone else have experience of this issue? Or is there a completely different and easier way to do this?
Thanks in advance
Ian
(from Ian_Broadway)
01-07-2014 09:52 PM
Create Date: Apr 19 2012 7:40AM
Your match condition for all requests into the NPS should not be complicated.
- Set all your switches with the same VLAN names. (The 802.1Q tags can be different.)
- You will have to add the authenticators as clients in the NPS server. Use a common name like extremeSwitch1, extremeSwitch2, etc...
- Have your first match condition in the "Connection Request Policy" be Client Friendly Name = extreme*
- Have all the rest of your specific policies in the "Network Policies" section. Do not have the "Connection Request Policies" overwrite.
- Best match conditions for "Network Policies" is the Windows Groups. You shouldn't need any other match condition. Even for MAC auth...
- Create each policy with the specific EAP Method, Authentication Method, and Vendor-Specific:
  1. Vendor-Specific = Netlogin-Extended-VLAN(211) = Udata,Tvoice
     Where U = Untagged, T = Tagged, and data or voice = vlan name
- Domain Employees
- Domain Computers (For this policy to work correctly, set your reauth timer for 802.1X to 0)
- MAC Authentication
  - Authentication Type: PEAP
  - EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
  - Vendor-Specific = Udata
(from john_padilla)
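As an added example (not from the post above and not Extreme's or Microsoft's own code), a small Python validator for the Netlogin-Extended-VLAN value format described in the reply: comma-separated tokens of `U<name>` (untagged) or `T<name>` (tagged), where the name must be a VLAN that exists under the same name on every switch. The VLAN name set is constructed sample data, and the rule that a value may carry at most one untagged VLAN is my assumption.

```python
# Prefix letters used in the Netlogin-Extended-VLAN (VSA 211) value:
# U = untagged, T = tagged; the rest of the token is the VLAN name.
TAG_MODES = {"U": "untagged", "T": "tagged"}

# Constructed sample: VLAN names assumed to be configured identically on
# every switch, as the reply recommends.
KNOWN_VLANS = {"data", "voice"}


def parse_netlogin_extended_vlan(value, known_vlans=None):
    """Parse e.g. 'Udata,Tvoice' into [('data', 'untagged'), ('voice', 'tagged')].

    Raises ValueError for an unknown prefix, an empty VLAN name, a name not in
    known_vlans (when given), an empty value, or more than one untagged VLAN
    (assumed constraint: one untagged VLAN per port).
    """
    result = []
    untagged = 0
    for token in value.split(","):
        token = token.strip()
        if len(token) < 2 or token[0] not in TAG_MODES:
            raise ValueError(f"bad token {token!r}: expected U<name> or T<name>")
        mode, name = TAG_MODES[token[0]], token[1:]
        if known_vlans is not None and name not in known_vlans:
            raise ValueError(f"VLAN {name!r} is not configured on the switches")
        untagged += mode == "untagged"
        result.append((name, mode))
    if not result:
        raise ValueError("empty attribute value")
    if untagged > 1:
        raise ValueError("only one untagged VLAN allowed per value")
    return result


def is_valid_netlogin_extended_vlan(value, known_vlans=None):
    """True if parse_netlogin_extended_vlan accepts the value, else False."""
    try:
        parse_netlogin_extended_vlan(value, known_vlans)
    except ValueError:
        return False
    return True


def build_netlogin_extended_vlan(untagged=None, tagged=()):
    """Inverse of the parser: build the attribute value from VLAN names."""
    tokens = ["U" + untagged] if untagged else []
    tokens.extend("T" + name for name in tagged)
    return ",".join(tokens)
```

Running the parser over the values a policy is about to send (or over exported NPS policy settings) catches a mistyped VLAN name before a client ends up on the wrong VLAN or rejected.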
