MS NPS dot1x and Cisco Switches


nabz0r

A customer of ours wants to implement dot1x and wants to do it with NPS (I've never worked with NPS nor MS products so I tried to make them buy ISE instead but that didn't go well...) anyway, I have some questions and I was wondering if anyone has implemented dot1x with NPS?

 

I have run it in my lab and everything seems to be working fine, but I want to discuss it with someone who has done this.

BudMan

I do believe sc302 has some experience with this.. Never use NPS, always use freerad or ACS/ISE...

 

What exactly are they wanting to accomplish with dot1x?  What problem are they looking to solve or what scenario are they trying to prevent?  They are wanting to deploy NAP/NAC ?? 

 

ISE would be the way to go in most scenarios wanting to control access to their network  - which is really the whole point of 802.1x 

 

If their issue is the cost of ISE, why not look at https://packetfence.org/

 

Love to point you in the right direction to actually solve the issue at hand vs just talking about NPS as one piece in a larger puzzle.

nabz0r

There is no problem atm, they just want to prevent and have more control.

 

ISE is my choice as well, but for now they want to use NPS. I actually have never heard of packetfence before, though I will download it and do some labs with it.

As I said, I don't have any issue to solve, I just want to discuss and see how other people have implemented wired dot1x. Wireless was already deployed before I started (one week ago).

 

To get to the point, I was wondering how you would deploy MAB, domain-joined PC vs non-domain-joined PC.

nabz0r

Ok, now I have a scenario that might be interesting.

 

I want to redirect non-domain-joined PCs on their initial web access to the captive portal page and then, after authentication, give them internet access via the guest VLAN.

If the PC is known, then allow access.

If the PC is unknown, then assign it to the guest VLAN.

 

@BudMan and @sc302, is this possible in any way with NPS, Cisco switch, or packetfence? This is only for wired, as the wireless is working fine with Meraki.
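As an added illustration (not configuration posted by anyone in this thread), this is how the known/unknown split described above is usually built on a Catalyst 2960-X with NPS as the RADIUS server: dot1x first, MAB as fallback, and a guest VLAN for devices that never answer. The NPS address, VLAN IDs, interface and shared secret are placeholders; the corporate VLAN for domain-joined machines comes back from NPS in the standard Tunnel-* attributes.

```cisco
! Added example, not from the thread. Placeholders: 192.0.2.10 = NPS,
! VLAN 100 = corporate, VLAN 200 = guest, Gi1/0/10 = a user port.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
radius server NPS1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key CHANGE-ME-SHARED-SECRET
!
! Fixed source so the "RADIUS client" entry in NPS matches a single switch IP
ip radius source-interface Vlan1
!
interface GigabitEthernet1/0/10
 description user port: dot1x first, MAB fallback, guest VLAN if no supplicant
 switchport mode access
 switchport access vlan 100
 authentication host-mode single-host
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 ! No EAPOL reply after the dot1x timeouts (unknown PC, no supplicant): guest VLAN
 authentication event no-response action authorize vlan 200
 ! Supplicant present but NPS rejected it: restricted VLAN (guest VLAN again here)
 authentication event fail action authorize vlan 200
 ! NPS unreachable: critical auth keeps the access VLAN instead of locking users out
 authentication event server dead action authorize vlan 100
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
 spanning-tree portfast
!
! NPS side (Network Policy for domain-joined machines): condition "Machine Groups"
! (or "Windows Groups") = Domain Computers, EAP type PEAP or EAP-TLS, and the RADIUS
! attributes Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Pvt-Group-ID = 100.
! The switch then assigns VLAN 100 dynamically; an unknown device ends in VLAN 200.
! Verify per port with: show authentication sessions interface Gi1/0/10 details
```

Note that none of this redirects anyone to a web page: the guest VLAN only isolates the unknown device, and the captive portal itself has to live on whatever gateway or appliance serves that VLAN.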

BudMan

This is a typical NAP/NAC setup.. unknown devices get put into an isolated vlan.. Once they auth then they get put into the correct vlan..

 

What I would suggest if customers balk at price of ISE... Then look into packetfence - its FREE ;)

 

You could for sure do it with just a plain 802.1x setup on the client, etc.  But why not give yourself all the bells and whistles of something like packetfence..  What is going to run your captive portal if you just use NPS?

nabz0r

Yes, this is a NAP/NAC deployment. In my lab, PCs that are non-domain-joined are put into another VLAN, and this I could achieve with NPS. My question is: can I redirect a PC that is not in the domain to a web page to get guest access after they accept the policy and provide a name, etc?

 

The price is not the problem for them; the decision would have to come from higher up, so that is the main reason. I looked at packetfence, can I achieve this with it?

I don't have a captive portal with NPS for wired, and I don't even know if I can do it with NPS.

sc302

Well, the web filter could have a portal for users to sign in with and then gain access once auth'd there.

Not sure why you would bring NPS into the mix for web access.

Barracuda has an authorized side and a non-authorized side. I would think you can enable a portal for the non-authorized side, esp. if you enable proxy.

nabz0r

Sorry for the late reply.

 

I don't think it can be done with Cisco 2960X switches (I've never done it and never seen anyone else do this before); are they capable of this?

The reason I brought up NPS is that I thought/think the captive portal is done there, like with ISE. Where should the captive portal be configured if it is not on the NPS, then?

sc302

2960x will forward RADIUS requests.

 

It doesn’t have a way to forward to a captive portal, that I can see anyway.

 

NPS can authenticate, and you can kind of do it the way you want, but it is only an authenticator. There is no front-end sign-in portal.

 

If you want to do it based on authentication, it won't really be a captive portal: you could create a rule that would allow auth if on a specific SSID and the user belongs to a specific group; then the device can auth on that SSID.

 

Otherwise a third-party utility for the captive portal would be needed. Or it is done at the web gateway. UniFi can redirect to a captive portal, but it isn't RADIUS/NPS.

 

You could have a captive portal auth against NPS.
