sc302 Veteran Posted December 14, 2017
Usually use it to quickly see what is going on across the ports when the techs are being less than intelligent. I am the only networking guy.
nabz0r Veteran Posted December 14, 2017 (Author)
Can you post your ISE application status? show appli status ise
Mine, this one is disabled:
TC-NAC Service disabled
Never good to be the only guy; you will never have a proper vacation. I changed jobs 4 weeks ago and here we are only 4; in my previous one we were 27 in my team, 9 in the other team and 40 networking consultants.
sc302 Veteran Posted December 14, 2017
Nope, don't have it. Command isn't even available... even ran a sh tech to see if it would find the ISE, not even an option.
nabz0r Veteran Posted December 14, 2017 (Author) (edited)
I mean on your ISE, not the switch. What is your ISE version? Mine is 2.3.
sc302 Veteran Posted December 14, 2017
lol... would you believe I don't use ISE. Microsoft NPS, like what you were trying to use, and my proxy/web filter handles the captive portal, like what you were trying to accomplish.
nabz0r Veteran Posted December 14, 2017 (Author)
1 minute ago, sc302 said: lol... would you believe I don't use ISE.
You don't?
sc302 Veteran Posted December 14, 2017
Just now, nabz0r said: You don't?
Nope haha
nabz0r Veteran Posted December 14, 2017 (Author)
Hmm, and I am sitting here thinking you're using ISE and you have a kind of similar config. What are you using? NPS?
sc302 Veteran Posted December 14, 2017
Here is the thing... if the computer is joined to the domain it is trusted and can go onto the trusted network(s), either wired or wireless. Both are controlled by RADIUS... if I disable the computer / take them out of the groups they won't auth. Yes, NPS is what I use.

If it is not a joined computer it goes into a more secure VLAN, only giving access to certain servers/applications via rules/ACLs. Think iPads and other smart devices.

I do computer-based auth instead of user-based auth for the simple fact that if a user's password expires and they don't change it prior to being forced, they will not be able to auth or get a network connection when they are forced to change it. Users must be on a network connected to AD for them to change their passwords...

You could get around that a few ways, but it leaves your AD server(s) open to anyone who connects: creating a restricted default VLAN that they connect to and creating rules that only allow communication to the AD servers... but if you just did computer auth, that would be good enough as you trust the computers you hand out to users (for the most part anyway).

Similar config, sure, not exactly like yours...
Internet proxy/web filter handles the captive portal to the internet.
NPS handles wired and wireless auth to the network as well as VLAN assignment based on AD groups.
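The design sc302 describes above (domain-joined machines authenticate against NPS, NPS returns the VLAN based on AD group membership, anything that fails or does not speak 802.1X lands in a restricted default VLAN whose ACL only reaches the domain controllers) maps onto the Cisco IOS switch configuration below. This is an added example, not config from either poster: the NPS address 10.0.0.10, the shared secret placeholder, the domain controller 10.0.0.5, VLAN IDs 10 and 90 and the interface range are all assumptions made up for the illustration.

```cisco
! --- RADIUS / AAA: NPS is the RADIUS server (IOS 15.x "radius server" syntax) ---
aaa new-model
radius server NPS1
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
aaa group server radius NPS
 server name NPS1
aaa authentication dot1x default group NPS
! "authorization network" is what allows the switch to accept the VLAN NPS sends back
aaa authorization network default group NPS
aaa accounting dot1x default start-stop group NPS
dot1x system-auth-control

! --- VLANs (IDs are assumptions) ---
vlan 10
 name TRUSTED-DOMAIN-PCS
vlan 90
 name RESTRICTED-DEFAULT

! --- Restricted VLAN: only what a Windows client needs to reach AD (10.0.0.5 assumed) ---
ip access-list extended RESTRICTED-TO-AD
 remark DNS
 permit udp any host 10.0.0.5 eq 53
 permit tcp any host 10.0.0.5 eq 53
 remark Kerberos auth and kpasswd (password change)
 permit udp any host 10.0.0.5 eq 88
 permit tcp any host 10.0.0.5 eq 88
 permit udp any host 10.0.0.5 eq 464
 permit tcp any host 10.0.0.5 eq 464
 remark LDAP, SMB, NTP
 permit tcp any host 10.0.0.5 eq 389
 permit tcp any host 10.0.0.5 eq 445
 permit udp any host 10.0.0.5 eq 123
 remark everything else from the restricted VLAN is dropped and logged
 deny   ip any any log
interface Vlan90
 ip access-group RESTRICTED-TO-AD in

! --- Access ports: 802.1X first, MAB fallback, restricted VLAN on failure / no supplicant ---
interface range GigabitEthernet1/0/1-48
 switchport mode access
 switchport access vlan 90
 authentication port-control auto
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action authorize vlan 90
 authentication event no-response action authorize vlan 90
 authentication event server dead action authorize vlan 90
 dot1x pae authenticator
 mab
 spanning-tree portfast
```

On the NPS side the matching network policy uses the Machine Groups condition (e.g. a dedicated AD group rather than all of Domain Computers, since removing a machine from the group is how access is revoked), an EAP method such as PEAP or EAP-TLS, and returns the VLAN as the three standard RADIUS attributes Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Pvt-Group-ID = 10. Two caveats: the ACL above covers DNS, Kerberos/kpasswd, LDAP, SMB and NTP, but a forced password change through Winlogon can also involve RPC to the domain controller, so test with a real client before tightening it further; and the deny rule logging is what lets you see unexpected traffic from the restricted VLAN. Older IOS trains use radius-server host 10.0.0.10 key ... instead of the radius server block.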
sc302 Veteran Posted December 14, 2017
This is what my NPS site looks like... some things changed around but you get the idea. Each NPS server essentially supports a building... buildings have point-to-point fiber because they are across the parking lot. It is easier when making rules up as I don't have to be so granular. I tried combining multiple "clients" in a rule, but they never successfully auth'd (probably because the rule is an "AND" not an "OR" statement, but you can't exactly see it, nor is it documented which way it is).
nabz0r Veteran Posted December 14, 2017 (Author)
Yeah, we use computer-based authentication as well, for some other reasons. At this time we are gonna go with wired access in ISE and when we are done we'll change focus to wireless, though wireless already uses dot1x (Meraki and NPS at this time, but will go over to ISE). When I'm done with MAB I'll configure guest access and a captive portal for them, and when that is done I can move wireless from NPS to ISE. This captive portal is not as easy as I thought though.
sc302 Veteran Posted December 14, 2017
I know captive portal is going to be your issue.