RE: 802.1X authorization

From: Jung, Jin (jin.jung@lmco.com)
Date: Thu Oct 09 2003 - 08:32:24 GMT-3


Cisco has a product called URT (User Registration Tool).
It uses VMPS as the underlying protocol, but URT can use NT login or Active
Directory to log you in and assign VLANs to that port.

But Cisco is planning on adding this function to the new Cisco ACS for Windows
within the next 6 months or so.

So you can use DHCP and URT together to assign dynamic VLAN and dynamic IP
address for a user.

URT will keep user-to-VLAN information, or group-to-VLAN.

Jin jung...

-----Original Message-----
From: Darren Ward [mailto:dward@pla.net.au]
Sent: Wednesday, October 08, 2003 11:49 PM
To: kcobean@earthlink.net
Cc: wing_lam@jossynergy.com; ccielab@groupstudy.com
Subject: Re: 802.1X authorization

Cisco has released or is soon to release new 802.1x software (as part of
switch software) that will support dynamic VLAN and setting of the port
interface description via 802.1x. This means you can set custom vendor
attributes in ACS to send back the appropriate vectors.

We met with Cisco to look into using 802.1x and they put this up as being on their
roadmap for imminent implementation, and that was a few months ago.....

Darren

On Wed, 8 Oct 2003 kcobean@earthlink.net wrote:

> Wing,
> Yes, you can use ACS as the authenticator for 802.1x. As an
> additional option, since you are talking about MAC ACLs on switch ports, you
> might investigate VMPS. This would allow you to define what VLAN a port
> goes into based on the MAC address of the connecting device. If the device
> isn't registered in the VMPS database, you can drop it into a "fallback
> VLAN" that routes to null 0. I think this method is pretty
> maintenance-intensive on larger networks, but is a flexible and secure
> option overall. Keep in mind that there are known problems between the
> Windows XP 802.1x client and the Cisco 802.1x service on their switches.
> The installable Win2K client seemed to work great, though.
>
> Hope this helps,
> Kelly Cobean
>
> -----Original Message-----
> From: wing_lam@jossynergy.com
> Sent: Oct 8, 2003 11:22 PM
> To: ccielab@groupstudy.com
> Subject: 802.1X authorization
>
> Hi,
>
> Just want to ask whether we can perform authorization by 802.1X with
> ACS? What I want to do is to dispatch VLAN maps or MAC access lists to
> a certain switch port once a PC is connected. Can any other method
> achieve the same goal?
>
> Thx,
> BBD
>
> ***Get your CCIE and a FREE vacation: Shop.GroupStudy.com***
> ______________________________________________________________________
> _
> Please help support GroupStudy by purchasing your study materials from:
> shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html




This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:52:59 GMT-3