Today I am sharing a deployment of 802.1x Dynamic VLAN Authentication for Wired Networks using Cisco's ACS and Microsoft IAS RADIUS Servers. If your clients run Microsoft operating systems such as Windows XP and Vista, the two common 802.1x authentication methods supported, both based on the Extensible Authentication Protocol (EAP), are EAP-TLS and PEAP-MS-CHAP v2.
For this deployment we will be using PEAP-MS-CHAP v2 as the authentication method between our clients and RADIUS servers. You can read about the differences between the two methods, but PEAP-MS-CHAP v2 is the preferred method here because of its lower administrative overhead: it only needs a server certificate on the RADIUS servers, whereas EAP-TLS requires you to install user certificates as well as computer certificates. The trade-off is that PEAP-MS-CHAP v2 is only as strong as the user's password and as the client's validation of the server certificate, so the clients must be configured to validate it rather than accept any RADIUS server. Another, less well known method is EAP-MD5 CHAP, but it is rarely used in 802.1x deployments, since it neither authenticates the server to the client nor derives any keying material.
As usual let me outline what is needed for our deployment scenario:
- Configure Active Directory for accounts and groups
- Configure a certificate infrastructure for PEAP-MS-CHAP v2
- Configure the RADIUS servers and Policies
- Deploy and configure authenticating switches as AAA clients defined on our RADIUS servers
- Configure wired client computers for PEAP-MS-CHAP v2 802.1x authentication
- Verify wired connections
Caveats when doing Dynamic VLAN authentication with Windows
Before we start I would like to mention that if you are doing this deployment, you have to be aware that with Dynamic VLAN authentication your group policies and logon scripts may fail to work if you are performing both Computer and User authentication. The reason is that a machine doing computer authentication gets an IP address during the boot process, after it has authenticated. If you implement User authentication as well, and your policy places the user in a different VLAN, the VLAN change is triggered during the logon process, at the same time as your logon scripts and GPOs are being processed, and the move to the new segment causes the scripts to fail. This is documented in KB article 935638:
http://support.microsoft.com/kb/935638
For this reason, if you plan to implement Dynamic VLAN with both Computer and User authentication, you should consider investing in a third-party supplicant such as Cisco's Secure Client. I will not be dealing with Cisco's Secure Client in this post, but once you see how the native MS supplicant is set up you should be able to configure Cisco's Secure Client as well.
Configure Active Directory for accounts and groups
Ok, we are assuming that you already have Active Directory in place in your environment. With this you can already provision the AD security groups containing the Computer Accounts and User Accounts that you wish to map to a particular VLAN.
Configure a certificate infrastructure for PEAP-MS-CHAP v2
The next step is to configure a Certificate Infrastructure. You may opt to use an internal Microsoft Certificate Authority, but I do need to mention that you should select an Enterprise Edition of Windows Server if you are using Cisco's ACS for your deployment: ACS requires a duplicate of a V2 certificate template, which is only available on the Enterprise Edition of Windows. Read my previous post here. Later I will be providing a list of related links that you can use to start your deployment.
Configure the RADIUS servers
I will not be dealing with setting up ACS; instead you can read the other guides I will be providing at the end of the article. In this setup we will have ACS as our primary RADIUS server and IAS as the secondary RADIUS server. For IAS, go to Add/Remove Windows Components on your server and enable the Internet Authentication Service component. Note that it is recommended to run your RADIUS service on one of your Domain Controllers for faster authentication. Once you have IAS running, request a Server Certificate to support your PEAP infrastructure. The main thing to note is that PEAP only requires a machine (server) certificate on your IAS server, and your authenticating clients only need to trust the root certificate of the CA that issued your RADIUS servers' certificates. The clients should also be configured to validate that server certificate (and, where possible, the server name), because a client that skips validation will hand its MS-CHAP v2 exchange to any RADIUS server that answers. This simplicity also makes PEAP a favourable choice over EAP-TLS. Ok, I have been talking a lot about the deployment and now it is time for some screenshots.
Ok, I have blanked some of the details in the screencap, as it represents my actual deployment for one client. Two things you need to note: the PEAP certificate field should contain your IAS Server Certificate. If IAS is installed on a Domain Controller, you will probably already have the Domain Controller certificate available to use. This will do as long as the certificate has the Server Authentication purpose; you can check this by opening the certificate and looking at the Enhanced Key Usage attribute on the Details tab. In the Edit Profile dialog, the Advanced tab is where you configure the policy attributes for Dynamic VLAN; these tell the switch exactly where to place the machine once it is authenticated. Three RADIUS attributes are needed: Tunnel-Type set to VLAN, Tunnel-Medium-Type set to 802, and Tunnel-Pvt-Group-ID, which must correspond to the VLAN NAME defined on the switch (case sensitive). The Tunnel Tag is not the VLAN number: it is the RFC 2868 tag that groups the three attributes into one set, so give all three the same tag (conventionally 1; values above 31 are not valid tags and will be read as part of the VLAN name). After defining our policies we can proceed with configuring the AAA client switches in part 2 of our article.
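To make the attribute layout concrete, here is an added example (my own code, not part of the original post and not from IAS or ACS) that encodes the three RFC 2868 tunnel attributes the RADIUS server returns in its Access-Accept and parses them back, applying the tag rules above. The VLAN name STAFF and the sample attribute bytes are constructed for the example.

```python
"""Encode and check the RADIUS tunnel attributes that carry a dynamic VLAN assignment.

Added example, not code from the original post. It builds the three RFC 2868
attributes IAS/ACS put in the Access-Accept (Tunnel-Type, Tunnel-Medium-Type,
Tunnel-Private-Group-ID) and parses them back so the tag handling can be verified.
"""
import struct

# RFC 2865/2868 attribute numbers and values (standard, not assumptions)
TUNNEL_TYPE = 64                # Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65         # Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81    # Tunnel-Private-Group-ID (IAS labels it Tunnel-Pvt-Group-ID)
TUNNEL_TYPE_VLAN = 13           # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6           # Tunnel-Medium-Type value "802" (all IEEE 802 media)
MAX_TAG = 0x1F                  # RFC 2868: tags 0x01..0x1F group attributes; anything larger is data

# Constructed sample: Access-Accept attributes placing the port in VLAN "STAFF", tag 1
SAMPLE_ACCEPT_ATTRS = bytes.fromhex(
    "40060100000d"      # Tunnel-Type, len 6, tag 1, value 13 (VLAN)
    "410601000006"      # Tunnel-Medium-Type, len 6, tag 1, value 6 (802)
    "5108015354414646"  # Tunnel-Private-Group-ID, len 8, tag 1, "STAFF"
)


def _tagged_integer(attr_type, tag, value):
    # Tagged integer attribute: Type(1) Length(1)=6 Tag(1) Value(3)
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def _tagged_string(attr_type, tag, text):
    # Tagged string attribute: Type(1) Length(1) Tag(1) String(up to 252 bytes)
    data = text.encode("ascii")
    if not 1 <= len(data) <= 252:
        raise ValueError("string must be 1..252 bytes")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def build_vlan_attributes(group_id, tag=1):
    """Return the attribute bytes a RADIUS server sends to place a port in a VLAN.

    group_id is the VLAN name as defined on the switch (case sensitive). The tag is
    the same on all three attributes: it groups them and does not carry the VLAN number.
    """
    if not 1 <= tag <= MAX_TAG:
        raise ValueError("tag must be between 1 and 31")
    return (_tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + _tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, group_id))


def parse_attributes(data):
    """Split a RADIUS attribute list into (type, tag, value) triples.

    Only the three tunnel attributes are interpreted; any other attribute is
    returned with tag None and its raw value bytes.
    """
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + length]
        pos += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            out.append((attr_type, value[0], int.from_bytes(value[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if not value:
                raise ValueError("empty Tunnel-Private-Group-ID")
            # RFC 2868 3.6: a first byte above 0x1F is not a tag but the start of the name
            if value[0] > MAX_TAG:
                out.append((attr_type, 0, value.decode("ascii")))
            else:
                out.append((attr_type, value[0], value[1:].decode("ascii")))
        else:
            out.append((attr_type, None, value))
    return out


def vlan_assignment(data):
    """Return the VLAN name the switch should apply, or None if no tag carries a
    complete, consistent set (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, group id).
    The per-tag matching is deliberately strict, mirroring the 'same tag on all
    three' rule rather than any one switch vendor's leniency."""
    by_tag = {}
    for attr_type, tag, value in parse_attributes(data):
        if tag is not None:
            by_tag.setdefault(tag, {})[attr_type] = value
    for attrs in by_tag.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return attrs[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    print(build_vlan_attributes("STAFF").hex())
    print(vlan_assignment(SAMPLE_ACCEPT_ATTRS))
```

Running it shows the exact bytes IAS puts on the wire for the policy described above and, if you feed it a capture of your own Access-Accept, whether the three attributes actually share a tag; a set with mismatched tags, or a "tag" of 100 for VLAN 100, comes back as None, which is the same as the switch not getting a usable assignment.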