Network Access Control


SNAC + IAS + Dynamic VLAN + Cisco Catalyst + 802.1x

  1. SNAC + IAS + Dynamic VLAN + Cisco Catalyst + 802.1x

    Posted Jan 28, 2010 07:12 AM
    There is a problem with quarantining users in the following scenario: we have a Windows 2003 domain controller (with the IAS service on it) and a number of users assigned to role groups (2 groups total in this case). Each group has its own VLAN configured on a Cisco Catalyst 2960 TT-L switch. There's also a separate quarantine VLAN. We need to get users assigned to different VLANs according to their group membership on logon if they are compliant with the HI policy, and to the quarantine VLAN if they are not. Dynamic VLAN assignment for users works fine after IAS is configured based on the following document: http://www.microsoft.com/downloads/details.aspx?familyid=C9ED3609-49FC-439B-92F4-266B187CAE5A&displaylang=en But the problem is that the LAN Enforcer doesn't switch the port to the quarantine VLAN if the user is non-"HI-compliant". The authentication mode for the SNAC agent on the client PC is set to 802.1x. Could you provide some directions for solving this task? Here is the Catalyst config (it's IOS version 12.2(4)), where VLAN 110 is the production VLAN and VLAN 120 is the quarantine VLAN:

    aaa new-model
    !
    !
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    dot1x system-auth-control
    !
    !
    !
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    !
    !
    interface FastEthernet0/1
     switchport mode access
     dot1x pae authenticator
     dot1x port-control auto
     dot1x violation-mode protect
     dot1x timeout quiet-period 10
     dot1x timeout reauth-period 60
     dot1x reauthentication
     spanning-tree portfast
    !
    interface GigabitEthernet0/1
     switchport access vlan 110
     switchport mode access
    !
    interface GigabitEthernet0/2
     switchport mode trunk
    !
    interface Vlan1
     no ip address
     no ip route-cache
     shutdown
    !
    interface Vlan110
     ip address 192.168.110.2 255.255.255.0
     ip helper-address 192.168.110.10
     no ip route-cache
    !
    interface Vlan120
     no ip address
     ip helper-address 192.168.110.10
     no ip route-cache
    !
    ip default-gateway 192.168.110.1
    ip http server
    ip http secure-server
    radius-server host 192.168.110.3 auth-port 1812 acct-port 1813
    radius-server retransmit 10
    radius-server key 123
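Added example, not part of the original post: the Catalyst above moves a port into a VLAN only if the RADIUS Access-Accept carries the RFC 2868 triple Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6) and Tunnel-Private-Group-ID=<vlan>, so a quick way to tell whether IAS (or the LAN Enforcer sitting in front of it) is really returning VLAN 120 for a non-compliant host is to decode the Accept seen on the wire. The decoder below does that; the packets it is fed are constructed in-line (zeroed authenticator, not verified) and the attribute numbers are the standard ones.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN_TUNNEL, MEDIUM_802 = 13, 6


def parse_radius(pkt):
    """Return (code, [(attr_type, raw_value), ...]) for one RADIUS packet."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20  # attributes start after the 16-byte authenticator
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def split_tag(value):
    """RFC 2868: a leading byte 0x00-0x1f is a tag grouping related attributes."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def assigned_vlan(pkt):
    """VLAN the switch would apply, or None if the Accept carries no usable triple."""
    code, attrs = parse_radius(pkt)
    if code != ACCESS_ACCEPT:
        return None
    groups = {}
    for atype, raw in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, val = split_tag(raw)
            groups.setdefault(tag, {})[atype] = val
    for group in groups.values():
        if len(group) != 3:
            continue  # incomplete triple: the switch ignores it
        if (int.from_bytes(group[TUNNEL_TYPE], "big") == VLAN_TUNNEL
                and int.from_bytes(group[TUNNEL_MEDIUM_TYPE], "big") == MEDIUM_802):
            return group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii")
    return None


def build_accept(vlan=None, tag=1):
    """Constructed test packet: an Access-Accept with (optionally) the VLAN triple."""
    attr = lambda t, v: bytes([t, len(v) + 2]) + v
    body = b""
    if vlan is not None:
        body += attr(TUNNEL_TYPE, bytes([tag]) + VLAN_TUNNEL.to_bytes(3, "big"))
        body += attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + MEDIUM_802.to_bytes(3, "big"))
        body += attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode("ascii"))
    return struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(body)) + b"\x00" * 16 + body
```

An Accept that decodes to None is the symptom to look for in the quarantine case: the port then stays wherever the static or previous configuration left it instead of moving to VLAN 120.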