Cisco – How to integrate Windows Server 2008 R2’s NPS with Cisco switches

802.1cisconpswindows-server-2008-r2

I need to evaluate in a lab environment the use of Windows Server 2008 R2's NPS for 802.1x authentication with Cisco Catalyst 3750 switches; the general idea is to only let clients connect to the company network if they can provide valid domain logon credentials, placing them in a restricted VLAN instead if they can't. NAP would also be a bonus, but it can be evaluated later; the main point now is only 802.1x authentication.

Although I have very good knowledge of Windows and Active Directory (on the Microsoft side) and quite good knowledge of Catalyst switches (on the Cisco side), I'm totally new to 802.1x; I'd really like some general guidelines and help here, and some sort of implementation guide would also be very useful.

Best Answer

I posted a copy of my configuration notes to my blog at http://windowshell.wordpress.com/2011/01/04/a-sample-802-1x-configuration-guide/. Hopefully you'll find this useful. Sorry, due to the length of the text, I didn't think it appropriate to post here.

It describes how to configure a nominal Windows domain to use 802.1X with computer certificates and username/password. No NAP, but you would be halfway there. It was tested on Windows 2008 R2 Enterprise servers, Windows XP SP3 and Windows 7 clients, and Cisco 3750 and 2960 switches.

Please let me know if you have any questions and I will try to help you along. 802.1X can be one hairy beast!

Catalyst 6500

Router#show file systems | i nvram|flash
    65536000    32514632     flash     rw   sup-bootflash:
      129004      127128     nvram     rw   const_nvram:
     1964024     1960900     nvram     rw   nvram:
    65536000    32514632     flash     rw   bootflash:
    15990784    15990784     flash     rw   dfc#3-bootflash:
Router#dir const_nvram:
Directory of const_nvram:/

    1  -rw-        1876                    <no date>  vlan.dat

129004 bytes total (127128 bytes free)
Router#dir nvram:
Directory of nvram:/

 1918  -rw-           0                    <no date>  startup-config
 1919  ----           0                    <no date>  private-config
 1920  -rw-           0                    <no date>  underlying-config
    1  ----           4                    <no date>  rf_cold_starts
    2  ----          47                    <no date>  persistent-data
    3  -rw-           0                    <no date>  ifIndex-table

1964024 bytes total (1960900 bytes free)
Router#show ver | i IOS
IOS (tm) s72033_rp Software (s72033_rp-IPSERVICES_WAN-M), Version 12.2(18)SXF16, RELEASE SOFTWARE (fc2)
Router#

Catalyst 3560

DAL-EDG-SW01#sh ver | i IOS
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE, RELEASE SOFTWARE (fc2)
DAL-EDG-SW01#show file systems | i nvram|flash
File Systems:

     Size(b)     Free(b)      Type  Flags  Prefixes
*   32514048     8593920     flash     rw   flash:
      524288      488396     nvram     rw   nvram:

DAL-EDG-SW01#
DAL-EDG-SW01#dir nvram:
Directory of nvram:/

  479  -rw-       29740                    <no date>  startup-config
  480  ----        3028                    <no date>  private-config
    1  ----          35                    <no date>  persistent-data
    2  -rw-           0                    <no date>  ifIndex-table
    3  -rw-         598                    <no date>  IOS-Self-Sig#3434.cer

524288 bytes total (488396 bytes free)
DAL-EDG-SW01#dir flash:
Directory of flash:/

    2  -rwx    11190304   Mar 1 1993 12:44:55 -05:00  c3560-ipbasek9-mz.122-53.SE1.bin
    3  -rwx    12677496   Oct 6 2010 20:11:22 -04:00  c3560-ipservicesk9-mz.122-55.SE.bin
    4  -rwx       13336  Feb 28 1993 19:01:18 -05:00  vlan.dat
    6  -rwx        3096  Apr 29 2011 15:21:40 -04:00  multiple-fs
    7  -rwx        3028  Apr 29 2011 15:21:40 -04:00  private-config.text
    8  -rwx       29740  Apr 29 2011 15:21:40 -04:00  config.text

32514048 bytes total (8593920 bytes free)
DAL-EDG-SW01#

Catalyst 3550

TQ-DC5-CORE1#sh file systems | i nvram|flash
*   15998976     7844352     flash     rw   flash:
    15998976     7844352   unknown     rw   zflash:
      393216      377552     nvram     rw   nvram:
TQ-DC5-CORE1#dir flash:
Directory of flash:/

    2  -rwx           5  Mar 13 2011 08:13:56 -04:00  private-config.text
    3  -rwx     8127303  Feb 28 1993 19:18:13 -05:00  c3550-ipservices-mz.122-44.SE6.bin
    4  -rwx         320  Feb 28 1993 19:19:52 -05:00  system_env_vars
    5  -rwx         255  Feb 28 1993 19:34:51 -05:00  info
    6  -rwx         255  Feb 28 1993 19:37:38 -05:00  info.ver
    7  -rwx           0  Feb 28 1993 19:19:52 -05:00  env_vars
   10  -rwx        6736  Oct 29 2010 16:24:23 -04:00  vlan.dat
    9  -rwx        1048  Mar 13 2011 08:13:56 -04:00  multiple-fs
   11  -rwx       14583  Mar 13 2011 08:13:56 -04:00  config.text

15998976 bytes total (7844352 bytes free)
TQ-DC5-CORE1#dir nvram:
Directory of nvram:/

  378  -rw-       14583                    <no date>  startup-config
  379  ----           5                    <no date>  private-config
    1  -rw-           0                    <no date>  ifIndex-table

393216 bytes total (377552 bytes free)
TQ-DC5-CORE1#sh ver | i IOS
Cisco IOS Software, C3550 Software (C3550-IPSERVICES-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)
TQ-DC5-CORE1#

Best Answer

Related Solutions

Cisco – Set up layer 2 vlan between 2 data centres

Cisco Terminology: flash and nvram

Catalyst 6500

Catalyst 3560

Catalyst 3550

Related Topic