1

I am currently planning to implement 802.1X authentication for all the wired computers at the office where I work.

We have successfully implemented 802.1X authentication with login/password credentials. It authenticates against a RADIUS server. The RADIUS server is a Microsoft IAS.

Alongside the wired network, we have an ARUBA wifi controller which does 802.1X authentication with certificates.

We wish to use the same certificates to authenticate wired computers. This just does not seem to work. The problem seems to be at the Cisco switch level. The computer sends the credentials to the switch but the switch just ends the EAP session with an error. The RADIUS server is never contacted.

Therefore my question is the following: do Cisco switches support 802.1X EAP authentication with certificates? If yes, what are the specifics of this type of setup?

Thank you in advance for your help,

Antoine

Antoine Benkemoun
  • I called Cisco and they said that it shouldn't matter whether it's certificates or login/password. I totally agree but it still does not work... – Antoine Benkemoun Dec 21 '09 at 07:42

2 Answers

1

Yes, Cisco switches support the functionality you are looking for.

Can you provide more info?

like:

  • show run
  • show log

(Be careful as it can contain passwords.)

What clients do you use? (Some Windows versions contain buggy supplicants, but a fix/SP is available.)

I am not sure if I can help as I do not use Windows on the server side (I use FreeRADIUS on Linux), but we will see...

cstamas
0

We are currently using 3560G and 2950G switches with MS Network Policy Server. I'm the sysadmin rather than the network admin here, so I'm not exactly sure of the setup details on the Cisco side, but we are definitely doing 802.1X EAP with certs and Cisco switches.

In order to do this I needed to add each switch as a valid RADIUS client with a shared secret and then create Network Policies in the NPS server. On the NPS side it checks conditions and constraints (cert) to assign a VLAN tag and activate the port.
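
The setup in the second answer, as an added example that is not part of the original posts: the Python below checks a RADIUS Access-Accept the way a switch registered as a RADIUS client would, verifying the Response Authenticator with the shared secret (RFC 2865) and reading the VLAN from the tunnel attributes (RFC 2868/3580). The packet, the secret and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_accept(ident, request_auth, secret, vlan):
    """Construct a sample Access-Accept that assigns a VLAN (test input only)."""
    fields = [
        (TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)),        # tag 0 + 24-bit value
        (TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_802)),
        (TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode()),             # VLAN id as a string
    ]
    attrs = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in fields)
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs

def check_accept(packet, request_auth, secret):
    """Return the assigned VLAN, or raise ValueError if the reply cannot be trusted."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("authenticator mismatch: shared secret differs")
    found, pos = {}, 0
    while pos + 2 <= len(attrs):
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("malformed attribute")
        found[attr_type] = attrs[pos + 2:pos + attr_len]
        pos += attr_len
    tunnel = int.from_bytes(found.get(TUNNEL_TYPE, b"")[1:], "big")
    medium = int.from_bytes(found.get(TUNNEL_MEDIUM_TYPE, b"")[1:], "big")
    if tunnel != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_802:
        raise ValueError("no VLAN tunnel attributes")
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:  # leading byte <= 0x1F is an RFC 2868 tag
        group = group[1:]
    return int(group.decode())
```

A secret that differs between the switch and the RADIUS client entry on the server shows up here as the authenticator mismatch, which is why each switch needs its own matching client entry.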