my cisco guide
Friday, July 20, 2007
ACS integration with 1242AG Access Point

1. Configure switch

1.1 Global Mode

Config t

aaa new-model

aaa authentication dot1x default group radius

aaa authorization network default group radius

radius-server host 10.1.174.42

radius-server key abc567 (this must be the same as the key configured on the Access Point)

dot1x system-auth-control

1.2 Interface Mode

1. For user ports

int f0/x

switchport mode access

dot1x port-control auto

2. For the ACS server's port

int g1/x

switchport access vlan 150
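A quick way to catch the mistakes this section is prone to (an access port left without dot1x port-control auto, a RADIUS key that does not match the one typed into ACS) is to audit the running-config before testing with a supplicant. The Python script below is an added example written for this guide, not Cisco or ACS code; the running-config it parses is a constructed sample built from the commands above, and the expected key abc567 and server 10.1.174.42 are the values this guide uses.

```python
# Constructed sample running-config, modelled on the commands in this guide.
# FastEthernet0/2 is deliberately missing "dot1x port-control auto";
# GigabitEthernet1/1 is the ACS server port on VLAN 150.
SAMPLE_CONFIG = """\
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.1.174.42
radius-server key abc567
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
!
interface GigabitEthernet1/1
 switchport access vlan 150
!
"""

# Global commands the guide requires for 802.1x against ACS.
REQUIRED_GLOBAL = (
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "dot1x system-auth-control",
)


def parse_config(text):
    """Split an IOS running-config into global lines and per-interface line lists."""
    global_lines = []
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # a "!" separator ends the current interface block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit_dot1x(text, expected_key, expected_server):
    """Return a list of findings; an empty list means the switch side matches the guide."""
    findings = []
    global_lines, interfaces = parse_config(text)

    for cmd in REQUIRED_GLOBAL:
        if cmd not in global_lines:
            findings.append(f"missing global command: {cmd}")

    hosts = [l.split()[2] for l in global_lines if l.startswith("radius-server host ")]
    if expected_server not in hosts:
        findings.append(f"ACS {expected_server} is not configured as a radius-server host")

    # With "service password-encryption" this line reads "radius-server key 7 <hex>",
    # so the plaintext comparison below only works on an unencrypted config.
    keys = [l.split(None, 2)[2] for l in global_lines if l.startswith("radius-server key ")]
    if expected_key not in keys:
        findings.append("radius-server key does not match the key entered in ACS")

    for name, lines in interfaces.items():
        # Only ports configured as access ports for users need dot1x;
        # the ACS port in this guide carries just "switchport access vlan 150".
        if "switchport mode access" in lines and "dot1x port-control auto" not in lines:
            findings.append(f"{name}: access port without dot1x port-control auto")
    return findings


if __name__ == "__main__":
    for finding in audit_dot1x(SAMPLE_CONFIG, "abc567", "10.1.174.42"):
        print("FINDING:", finding)
```

Paste the output of show running-config in place of the sample; any non-empty list of findings is something to fix before trying the workstation.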


2. Configure ACS

1. Go to Network Configuration and click the Add Entry button to add new AAA clients to the ACS.

1. To add an access switch: complete the particulars for the switch. The Key must be the same as the key in the radius-server key xxx command on the access switch. Choose RADIUS (IETF) for Authenticate Using. All other options are left unchecked.

2. Example

o MY-LAB

o 10.1.174.120

o Key abc567 (same as configured in switches)

o Authenticate Using – RADIUS (IETF)

Go to System Configuration -> Service Control and restart the service.

2. Go to Interface Configuration -> RADIUS (IETF) and tick the checkboxes for attributes 64, 65 and 81. After doing that, be sure to click Submit.

3. In External User Databases:

· Unknown User Policy: tick Check the following external user databases and move Single log on – ACS (Windows Database) into the Selected Databases box. Click Submit (already detected).

· Database Group Mappings: click Single log on – ACS, click the New Configuration button, select the relevant domain and click Submit. The Domain Configurations list should now show testlab1.

Click YOURDOM (your domain), then Add Mapping:

i. Group 1

ii. Add Domain Users, Administrators, Domain Computers

then click Submit.

· Database Configuration: click Windows Database,

i. Under Dialin Permission, make sure the Verify… option is selected

ii. Under Configure Domain List, add the available domain to the Domain List

iii. Under MS-CHAP Settings, select all

iv. Under Machine Authentication, select Enable PEAP machine authentication

4. Create a folder named acs_server_cert on the D: drive

5. In System Configuration -> ACS Certificate Setup:

1. Generate Self-Signed Certificate

Certificate subject : cn=dsslab1

Certificate file : d:\acs_server_cert\acs_server_cert.cer

Private Key file : d:\acs_server_cert\acs_server_cert.pvk

Key length : 1024 bits

Digest : SHA

Private Key password : 123stop

Select Install generated certificate, click Submit, then restart the service.

6. In System Configuration -> ACS Certificate Setup -> ACS Certificate Authority Setup, add the following value:

CA certificate file : d:\acs_server_cert\acs_server_cert.cer, then restart the service.

In System Configuration, under Edit Certificate Trust List, select dsslab, click Submit and restart the service.

7. In System Configuration, under Global Authentication Setup -> PEAP Configuration, select Allow EAP-MSCHAPv2, click Submit and restart the service.

· In System Configuration, under Logging -> CSV Passed Authentications, select Log to CSV Passed Authentications report (under Logged Attributes, use the defaults).

8. In Administration Control, add ACS administrators (for remote login purposes).


3. Configure AD

1. In Programs -> Administrative Tools -> Active Directory Users and Computers, right-click the user name.

2. In the Dial-in tab, under the menu Remote Access Permission (Dial-in or VPN), choose Allow access.

3. Double-click the user created in the Active Directory Users and Computers -> Users window and click the Dial-in tab. Choose Allow access for Remote Access Permission (Dial-in or VPN).

4. Still in Active Directory Users and Computers, right-click the computer name of the user's machine.

5. In the Dial-in tab, under the menu Remote Access Permission (Dial-in or VPN), choose Allow access.

4. Configure workstation

1. Go to Local Area Connection Properties -> Authentication and tick the checkbox Enable IEEE 802.1x authentication for this network and the checkbox Authenticate as computer when computer information is available.

2. Still in the same window, choose Protected EAP (PEAP) from the drop-down menu. Click Properties and uncheck the checkbox Validate server certificate.
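Unchecking Validate server certificate makes the test pass because the ACS certificate is self-signed and not in the workstation's trust store, but it also means the supplicant will complete PEAP against any RADIUS server that presents a certificate. The fix on a production deployment is to import the ACS certificate into the client's Trusted Root store, leave validation on and restrict the server name. The script below is an added example, not part of the original post or of Windows; it inspects a PEAP profile in the XML shape that netsh lan export profile writes, with the element names (PerformServerValidation, ServerNames, TrustedRootCA) taken from that format as I understand it and therefore an assumption to verify against your own export. Both profiles are constructed: the server name dsslab1 comes from the certificate step above and the thumbprint is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a wired PEAP profile fragment as exported by
# "netsh lan export profile" (element names assumed from that format).
# It mirrors step 2 above: server validation off, no server name, no pinned CA.
INSECURE_PROFILE = """<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
  <Config>
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>25</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
        <ServerValidation>
          <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
          <ServerNames></ServerNames>
          <TrustedRootCA></TrustedRootCA>
        </ServerValidation>
        <PeapExtensions>
          <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
        </PeapExtensions>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
"""

# Hardened variant: validation on, server name pinned to the ACS certificate
# subject from this guide (dsslab1), CA thumbprint is a placeholder value.
HARDENED_PROFILE = (
    INSECURE_PROFILE
    .replace(">false</PerformServerValidation>", ">true</PerformServerValidation>")
    .replace("<ServerNames></ServerNames>", "<ServerNames>dsslab1</ServerNames>")
    .replace("<TrustedRootCA></TrustedRootCA>",
             "<TrustedRootCA>PLACEHOLDER-THUMBPRINT-OF-ACS-CERT</TrustedRootCA>")
)


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def _find(root, name):
    """First element in the tree whose local name matches, regardless of namespace."""
    for el in root.iter():
        if _local(el.tag) == name:
            return el
    return None


def _text(el):
    return (el.text or "").strip() if el is not None else ""


def check_peap_profile(xml_text):
    """Return findings about PEAP server validation; [] means validation is on and pinned."""
    root = ET.fromstring(xml_text)
    findings = []
    if _text(_find(root, "PerformServerValidation")).lower() != "true":
        findings.append("server certificate validation is disabled: "
                        "the supplicant will trust any RADIUS server")
    if not _text(_find(root, "ServerNames")):
        findings.append("no server name restriction: any certificate subject is accepted")
    if not _text(_find(root, "TrustedRootCA")):
        findings.append("no trusted root CA pinned: any CA in the machine store is accepted")
    return findings


if __name__ == "__main__":
    for label, profile in (("insecure", INSECURE_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, check_peap_profile(profile) or "OK")
```

Run it against the profile XML exported from each workstation; the insecure profile produces three findings, the hardened one none. Namespace-agnostic matching is used on purpose, since the V1 and V2 PEAP elements live in different namespaces.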

Email me if you have any questions or need further guidance: fazmi888@gmail.com

posted by KL Ocs Kid @ 1:41 AM