Hi,
Not sure if this is completely what you are looking for. It depends on what you would like to authenticate.
For this example, it will authenticate the client certificate that has been issued via AD enrollment.
EX-switch config:
Radius settings:
set access radius-server 10.50.0.68 secret "X"
set access radius-server 10.50.0.68 timeout 5
set access radius-server 10.50.0.68 retry 10
set access radius-server 10.50.0.68 source-address 10.17.0.90
set access profile profile1 authentication-order radius
set access profile profile1 radius authentication-server 10.50.0.68
Port and 802.1x
set interfaces interface-range User_802_1X_POC member ge-2/0/3
set interfaces interface-range User_802_1X_POC description "Enforce 802.1x machine auth"
set protocols dot1x authenticator authentication-profile-name profile1
set protocols dot1x authenticator interface User_802_1X_POC supplicant multiple
set protocols dot1x authenticator interface User_802_1X_POC retries 2
set protocols dot1x authenticator interface User_802_1X_POC quiet-period 15
set protocols dot1x authenticator interface User_802_1X_POC transmit-period 7
set protocols dot1x authenticator interface User_802_1X_POC reauthentication 7200
set protocols dot1x authenticator interface User_802_1X_POC server-timeout 5
set protocols dot1x authenticator interface User_802_1X_POC maximum-requests 3
set protocols dot1x authenticator interface User_802_1X_POC guest-vlan GUESTVLAN
set protocols dot1x authenticator interface User_802_1X_POC server-reject-vlan GUESTVLAN
set protocols dot1x authenticator interface User_802_1X_POC server-fail use-cache
set protocols dot1x authenticator interface User_802_1X_POC server-fail-voip permit
The RADIUS used is Microsoft NPS on Win2019. The RADIUS will send the user VLAN to the authenticated computer.
Overall details:
Conditions:
NAS Port Type: Ethernet
Machine Groups: DOMAIN\Domain Computers
Extensible auth proto method: Microsoft: Protected EAP (PEAP)
NAS port type: ethernet
Auth method: EAP
Framed-proto: PPP
Service-type: Framed
Encryption: Enabled
...and here are the added attributes that should be sent to the switch. These are configured on the RADIUS as well, pre-defined options with a custom VLAN name (not VLAN tag).
Tunnel-Medium-Type: 802
Tunnel-Pvt-Group-ID: MyUserVLAN
Tunnel-type: Virtual LANs (VLAN)
I hope this will help. There is a lot of information out there but not that easy to map everything together for a particular use-case.
//Rob
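The three tunnel attributes Rob lists are what make the VLAN assignment work, and the reason the switch can trust them is the shared secret configured under "set access radius-server". The following is an added example, not code from Rob's post or from Juniper/Microsoft: it builds the Access-Accept that an NPS policy like the one above puts on the wire (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802, Tunnel-Private-Group-ID carrying the VLAN name as a string, all tagged per RFC 2868) and then does what the NAS side of the exchange (the EX) does: verify the Response Authenticator with the secret before reading the VLAN out of the reply. The secret, VLAN names, identifier and request authenticator are constructed for the demo; the assumption that the group ID is sent as a VLAN name rather than a tag number follows the post.

```python
"""RADIUS Access-Accept with VLAN attributes (RFC 2865 / RFC 2868).

Added example, not code from the original forum post. Secret, VLAN names and
authenticators below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2                   # RADIUS code (RFC 2865)
ATTR_TUNNEL_TYPE = 64               # RFC 2868 tagged integer
ATTR_TUNNEL_MEDIUM_TYPE = 65        # RFC 2868 tagged integer
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868 tagged string
TUNNEL_TYPE_VLAN = 13               # "Virtual LANs (VLAN)" in the NPS dialog
TUNNEL_MEDIUM_IEEE_802 = 6          # "802" in the NPS dialog
HEADER = struct.Struct("!BBH")      # code, identifier, length; 16-byte authenticator follows


def attribute(atype, value):
    """Encode one TLV: type, total length, value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def tagged_integer(atype, tag, value):
    """RFC 2868 tagged integer: the tag occupies the high byte of the 4-byte field."""
    return attribute(atype, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(atype, tag, text):
    """RFC 2868 tagged string: one tag byte followed by the string."""
    return attribute(atype, bytes([tag]) + text.encode("utf-8"))


def response_authenticator(code, ident, body, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    length = HEADER.size + 16 + len(body)
    return hashlib.md5(HEADER.pack(code, ident, length) + request_auth + body + secret).digest()


def build_access_accept(ident, request_auth, secret, vlan_name, tag=0):
    """The Access-Accept the RADIUS server sends when the VLAN policy matches."""
    body = b"".join([
        tagged_integer(ATTR_TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN),
        tagged_integer(ATTR_TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802),
        tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag, vlan_name),
    ])
    auth = response_authenticator(ACCESS_ACCEPT, ident, body, request_auth, secret)
    return HEADER.pack(ACCESS_ACCEPT, ident, HEADER.size + 16 + len(body)) + auth + body


def parse_attributes(body):
    """Yield (type, value) pairs; reject truncated or zero-length TLVs."""
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("bad attribute length")
        yield atype, body[pos + 2:pos + alen]
        pos += alen


def split_tag(value):
    """Strip the RFC 2868 tag byte when present (valid tags are 0x00..0x1F)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_access_accept(packet, request_auth, secret):
    """NAS side: verify the Response Authenticator, then read the VLAN name.

    Returns the VLAN name, or None if the packet is not an authentic
    Access-Accept carrying the Tunnel-Type / Medium-Type / Group-ID triplet.
    """
    if len(packet) < HEADER.size + 16:
        return None
    code, ident, length = HEADER.unpack_from(packet)
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    auth, body = packet[4:20], packet[20:length]
    expected = response_authenticator(code, ident, body, request_auth, secret)
    if not hmac.compare_digest(auth, expected):  # wrong secret or tampered reply
        return None
    attrs = {atype: split_tag(value) for atype, value in parse_attributes(body)}
    try:
        ttype = int.from_bytes(attrs[ATTR_TUNNEL_TYPE][1], "big")
        medium = int.from_bytes(attrs[ATTR_TUNNEL_MEDIUM_TYPE][1], "big")
        group = attrs[ATTR_TUNNEL_PRIVATE_GROUP_ID][1]
    except KeyError:
        return None
    if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        return None
    return group.decode("utf-8", errors="replace")


def demo():
    """Genuine reply is accepted; a VLAN swapped in transit fails the authenticator."""
    secret = b"X"                  # constructed, stands in for the post's "X" placeholder
    request_auth = os.urandom(16)  # what the NAS put in its Access-Request
    reply = build_access_accept(7, request_auth, secret, "MyUserVLAN")
    genuine = vlan_from_access_accept(reply, request_auth, secret)
    forged = reply.replace(b"MyUserVLAN", b"AdminVLAN!")  # same length, no secret
    return genuine, vlan_from_access_accept(forged, request_auth, secret)


if __name__ == "__main__":
    print(demo())  # ('MyUserVLAN', None)
```

Two things to carry back to the switch config: the string in Tunnel-Private-Group-ID has to match a VLAN name that exists on the EX (a name that does not exist lands the port in server-reject-vlan or leaves it unauthenticated, depending on the platform), and the Response Authenticator is an MD5 of the shared secret, so a short secret like "X" is fine for a lab but should be a long random string in production, since anyone who can guess it can hand out VLANs to the switch.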
Original Message:
Sent: 03-20-2022 20:06
From: Unknown User
Subject: Wired 802.1x with Windows Server 2012?
Hi all,
Is there anyone here who can give some URL on how to configure Windows Server 2012 if I want to test it for wired 802.1x? Currently I'm trying to replicate the JNCIE-ENT self-study bundle in my virtual lab. Are the steps the same if I follow the URL below, or do you have another URL that is easier and clearer to follow?
http://elder-usr.blogspot.com/2017/04/implementing-8021x-windows-2012r2-cisco.html
Thanks and appreciate any feedback