 

NAP 802.1x Enforcement – Switches we’ve tested w/NAP

All replies

  • Thursday, October 11, 2007 5:04 Brijesh Kumar Shukla
     

    Hi Jeff,

    Thanks for publishing the list of the switches which can support NAP.

    I can understand that all the switches can support NAP for wired connections.

    Suppose I would like to use a wireless connection (putting a wireless Access Point between the switch and the Vista client).

    Does the Cisco 3560 switch support NAP when packets arrive from a wireless Access Point?

    My idea is....

     

    +--------------------------------+
    |   +------------------------+   |
    |   |   Cisco Switch 3560    |   |
    |   +------------------------+   |
    |               |                |
    |   +------------------------+   |
    |   | Wireless Access Point  |   |
    |   +------------------------+   |
    +--------------------------------+
                    :
              Wireless link
                    :
    +--------------------------------+
    |        NAP VISTA Client        |
    +--------------------------------+

     

    Kindly teach me on this scenario.

    Regards

    Brijesh Shukla

  • Thursday, December 20, 2007 3:35 Michael Kleef [MSFT]
     

    Yes that will work with VLAN tagging. See my blog for an indication of how this is done with a Cisco switch.

     

    Go to blogs.technet.com/mkleef and click the category "Blogcasts by me". I haven't included the wireless bits but the base switch config is what you'll need first.

     

  • Tuesday, March 18, 2008 14:03 MURATIR
     

    Hello,

    If you want to use NAP over a wireless network, you may need a wireless LAN controller, because wireless Access Points cannot support dynamic VLANing.

     

    Regards.

     

  • Tuesday, November 4, 2008 13:44 Roel_85
     
     Hi,

    I've searched all through the internet, but can't find any valuable information about exactly which 802.1x modes NAP supports.
    There are several different 802.1x possibilities, like:

      IEEE 802.1X Multi-Domain Authentication
      IEEE 802.1x - Auth Fail Open
      IEEE 802.1x - Auth Fail VLAN
      IEEE 802.1x - VLAN Assignment
      IEEE 802.1x - Wake on LAN Support
      IEEE 802.1x Authenticator
      IEEE 802.1x Guest VLAN
      IEEE 802.1x Local Authentication for Cisco LEAP
      IEEE 802.1x Local Authentication for EAP-FAST
      IEEE 802.1x Private Guest VLAN
      IEEE 802.1x Private VLAN Assignment
      IEEE 802.1x RADIUS Accounting
      IEEE 802.1x Radius-Supplied Session Timeout
      IEEE 802.1x Supplicant
      IEEE 802.1x with DHCP
      IEEE 802.1x with Port Security
      NAC - L2 IEEE 802.1x
      IEEE 802.1x RADIUS Accounting
    Technology - Security and VPN
    Sub Technology - Authentication Protocols
      IEEE 802.1x Supplicant
      IEEE 802.1x - VPN Access Control
    Technology - Wireless / Mobility
    Sub Technology - Wireless, LAN (WLAN)
      IEEE 802.1x Supplicant Support for Cisco LEAP
      IEEE 802.1x Supplicant Support for EAP-FAST
      IEEE 802.1x Supplicant Support for EAP-TLS

    Also I found somewhere that the switch has to support something such as a RADIUS tunneling attribute or something? Can't find it anymore :(

    But the reason that I ask which 802.1x components NAP requires is that I can search for some low-end models, or end-of-life models, like a Cisco 3600 series or 2950 series.

    So what 802.1x components does the switch or AP have to support in order to get NAP working?

    Thanks in advance.
  • Wednesday, November 5, 2008 12:43 drienties
     
    If I'm correct it should support IEEE 802.1x - VLAN Assignment for dynamic VLAN switching under NAP, but basically the device should accept RADIUS attributes and apply them.
    The RADIUS Attributes I used in my research are:

    64 (Tunnel Type)
    65 (Tunnel Medium Type)
    81 (Tunnel Private Group ID)

    Perhaps some vendors use specific attributes for VLAN assignment, but these standard ones do the trick on my tested equipment.

    In my research of NAP I found that the following Cisco devices "should" support this feature, provided they have a recent IOS to support the feature:

    2940       IOS 12.1(22)EA4
    2960       IOS 12.2(25)SED
    2980       CatOS 8.4GLX
    3550       IOS 12.1(14)EA1
    3560       IOS 12.2(25)SED
    3750       IOS 12.2(25)SED
    4000*     CatOS 8.4GLX or IOS 12.1(19)EW
    4500*     CatOS 8.4GLX or IOS 12.1(19)EW
    6500       CatOS 7.2 or IOS 12.1(13)E4

    * Supervisor II+ or higher

    This list is far from complete; these are just devices that are in use in my organisation which I checked for NAP capabilities.
  • Thursday, January 8, 2009 13:54 Gerd Schelbert
     

    Hi Muratir.

    IMHO your list shows why so many companies are stuck implementing dot1x (aka 802.1x)-based solutions.

    Basically you only need the support for 802.1x authentication using PEAP with MS-CHAPv2 or certificate as EAP method. Then you can have an "on/off decision" at the switchport.

    Most of the other mentioned functions in your list, which is in fact part of a feature list for Cisco IOS devices, are needed because life is not fair ;-)

    In a heterogeneous network setup with multivendor equipment as network and system devices, you will need more functions, for instance for realising guest networks for non-authenticated devices, additional authentication methods like MAC-based auth, failsafe network segments for basic network functionality in case of trouble with the dot1x implementation, authentication-based VLAN switching (if all your clients are able to understand a dynamic IP address change) etc. etc.

    So in the end your total solution design defines which functions your network access devices must have to implement your special solution.

    Too complicated? Perhaps think about different enforcement methods like DHCP or inline filtering devices like ConSentry instead of using dot1x, or wait for more feature-complete versions of 802.1x in some years ;-) The last and incomplete revision of the standard is from 2004, which is far away from today's technologies.

    Best regards

    Gerd Schelbert

     

  • Tuesday, May 19, 2009 22:41 groque
     
    Hi, I got RADIUS-assigned VLAN(s) to work on a Cisco Aironet 1231G with firmware 12.3(8)EB. Works great! If anybody needs any help let me know.
  • Tuesday, July 28, 2009 20:59 Dagmar Heidecker
     
    Hi,

    I have got a D-Link DES-3828 which is on your list but I cannot find any option to configure dynamic VLANs. The manual does not mention it at all. Do you have a configuration hint for me?

    Thanks a lot!