July 10, 2007, 8:56 PM
I've heard from countless people that they would like to see a list of 802.1x switches that we have seen working with NAP. My teammate Calvin Choe just blogged our up-to-date list of vendors / switches we have verified. Check it out!
NAP the WORLD in 2007,
NAP Release Manager
*Remove the "online" to actually email me.
** This posting is provided "AS IS" with no warranties, and confers no rights.
October 11, 2007, 5:04 AM
Thanks for publishing the list of the switches which can support NAP.
I understand that all the switches can support NAP for wired connections.
Suppose I would like to use a wireless connection (putting a wireless access point between the switch and the Vista client).
Does the Cisco 3560 switch support NAP when packets arrive from a wireless access point?
My idea is....
+---------------------------+
|     Cisco Switch 3560     |
+---------------------------+
              |
              |
+---------------------------+
|   Wireless Access Point   |
+---------------------------+
      NAP Vista Client
Kindly teach me on this scenario.
December 20, 2007, 3:35 AM
Yes, that will work with VLAN tagging. See my blog for an indication of how this is done with a Cisco switch.
Go to blogs.technet.com/mkleef and click the category "Blogcasts by me". I haven't included the wireless bits, but the base switch config is what you'll need first.
March 18, 2008, 2:03 PM
If you want to use NAP over a wireless network, you may need a wireless LAN controller, because wireless access points cannot support dynamic VLANing.
November 4, 2008, 1:44 PM
Hi,
I've searched all through the internet, but can't find any valuable information about which 802.1x modes NAP exactly supports.
There are several different 802.1x possibilities, like:
Also I found somewhere that the switch has to support something such as RADIUS tunneling attribute or something? Can't find it anymore :(
But the reason that I ask which 802.1x components NAP requires is that I can search for some low-end model, or end-of-life models, like a Cisco 3600 series or 2950 series.
So what 802.1x components does the switch or AP have to support in order to get NAP working?
Thanks in advance.
November 5, 2008, 12:43 PM
If I'm correct, it should support IEEE 802.1x - VLAN Assignment for dynamic VLAN switching under NAP, but basically the device should accept RADIUS attributes and apply them.
The RADIUS Attributes I used in my research are:
64 (Tunnel Type)
65 (Tunnel Medium Type)
81 (Tunnel Private Group ID)
Perhaps some vendors use specific attributes for VLAN assignment, but these standard ones do the trick on my tested equipment.
In my research of NAP I found that the following Cisco devices "should" support this feature, provided they have a recent IOS to support the feature:
2940 IOS 12.1(22)EA4
2960 IOS 12.2(25)SED
2980 CatOS 8.4GLX
3550 IOS 12.1(14)EA1
3560 IOS 12.2(25)SED
3750 IOS 12.2(25)SED
4000* CatOS 8.4GLX or IOS 12.1(19)EW
4500* CatOS 8.4GLX or IOS 12.1(19)EW
6500 CatOS 7.2 or IOS 12.1(13)E4
* Supervisor II+ or higher
This list is far from complete; these are just devices that are in use in my organisation which I checked for NAP capabilities.
January 8, 2009, 1:54 PM
IMHO your list shows why so many companies are stuck implementing dot1x (aka 802.1x)-based solutions.
Basically you only need the support for 802.1x-authentication using PEAP with MS-ChapV2 or certificate as EAP-Method. Then you can have an "on/off-decision" at the switchport.
Most of the other mentioned functions in your list, which is in fact part of a featurelist for Cisco-IOS-devices, are needed because life is not fair;-)
In a heterogeneous network setup with multivendor equipment as network and system devices, you will need more functions, for instance for realising guest networks for non-authenticated devices, additional authentication methods like MAC-based auth, failsafe network segments for basic network functionality in case of trouble with the dot1x implementation, authentication-based VLAN switching (if all your clients are able to understand a dynamic IP address change) etc. etc.
So at the end your total solution design defines which functions your network access devices must have to implement your special solution.
Too complicated? Perhaps think about different enforcement methods like DHCP or inline filtering devices like ConSentry instead of using dot1x, or wait for more feature-complete versions of 802.1x in some years ;-) The last and incomplete revision of the standard is from 2004, which is far away from today's technologies.
May 19, 2009, 10:41 PM
Hi, I got RADIUS-assigned VLAN(s) to work on a Cisco Aironet 1231G with firmware 12.3(8)EB. Works great! If anybody needs any help, let me know.
July 28, 2009, 8:59 PM
Hi,
I have got a D-Link DES-3828 which is on your list but I cannot find any option to configure dynamic vlans. The manual does not mention it at all. Do you have a configuration hint for me?
Thanks a lot!
March 8, 2010, 2:17 PM
It's a year ago you asked if anyone wanted to know how you did this. I've an Aironet 1100 and can't work it out. If you still have the instructions for the 1231, can you let me know how you did it please?
March 12, 2010, 3:47 PM
Can you post your config?
March 12, 2010, 4:10 PM
Post the config for the RADIUS-assigned VLAN(s) to work on a Cisco Aironet 1231G is what I meant to say.
March 16, 2010, 6:43 PM
Does using the NAP wizard and the attributes that are referenced in there not work?
Right click the main node of NPS
Click the "configure NAP" link in the right hand box
Answer the questions in the wizard.
In general, the following attributes should work
Tunnel PVT Group ID
Tunnel Assignment ID
Tunnel Medium Type
In my experience, Cisco devices in particular have problems when you send the Filter-ID attribute along with any of these standard tunnel attributes, so make sure that you are not sending a combination of these as well as the Filter-ID attribute.
Program Manager Windows Server Customer Connection: ** This posting is provided "AS IS" with no warr
March 19, 2010, 10:03 AM
Thanks, I wasn't aware of the Filter-ID issue.
The authorisation works fine and a NAP-compliant client is accepted and placed on the correct VLAN.
My real problem was trying to get the Aironet to quarantine a non-compliant client when told to by the NPS server. I think it's more of a limitation of the Aironet, unfortunately.
The Aironet only seems to want to associate one VLAN per SSID when I really want two.
April 28, 2010, 4:44 PM
I'm using NAP to do authentication and VLAN assignment but I have a problem.
The authentication works but not the VLAN assignment. When the RADIUS server accepts the connection, it sends info to the RADIUS client:
My problem is that even if the right info is sent for attribute 81, for the two others the RADIUS server sends:
Whereas it should send 802 and VLAN as indicated in Network Policies.
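The replies above name RADIUS attributes 64, 65 and 81 for VLAN assignment and mention trouble when Filter-ID is sent alongside them. The following Python check is an added example, not code from any poster in this thread: it parses the attribute section of an Access-Accept and reports which of those conditions fail. The expected values 13 (VLAN) and 6 (IEEE 802) are the ones RFC 3580 defines; the function names and both sample packets are constructed for illustration.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_GROUP, FILTER_ID = 64, 65, 81, 11
VLAN, IEEE_802 = 13, 6  # RFC 3580 values expected in attributes 64 and 65

def attr(code, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([code, len(value) + 2]) + value

def parse_attrs(buf):
    """Split a RADIUS attribute section into {type: value}; first occurrence wins."""
    out, i = {}, 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError(f"malformed attribute at offset {i}")
        out.setdefault(buf[i], buf[i + 2:i + buf[i + 1]])
        i += buf[i + 1]
    return out

def tunnel_int(value):
    """Attributes 64/65 carry a 1-byte tag followed by a 3-byte integer."""
    if len(value) != 4:
        raise ValueError("tunnel integer attribute must be 4 bytes")
    return int.from_bytes(value[1:], "big")

def check_vlan_assignment(buf):
    """Return (vlan_id or None, list of problems) for an Access-Accept."""
    attrs, problems = parse_attrs(buf), []
    for code, want, label in ((TUNNEL_TYPE, VLAN, "Tunnel-Type (64) is not VLAN"),
                              (TUNNEL_MEDIUM, IEEE_802, "Tunnel-Medium-Type (65) is not 802")):
        if code not in attrs:
            problems.append(f"attribute {code} missing")
        elif tunnel_int(attrs[code]) != want:
            problems.append(label)
    vlan = None
    if TUNNEL_GROUP in attrs:
        raw = attrs[TUNNEL_GROUP]
        # A first byte <= 0x1F is a tag, not part of the VLAN string (RFC 2868).
        vlan = (raw[1:] if raw and raw[0] <= 0x1F else raw).decode("ascii")
    else:
        problems.append("attribute 81 missing")
    if FILTER_ID in attrs and attrs.keys() & {TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_GROUP}:
        problems.append("Filter-Id (11) sent together with tunnel attributes")
    return vlan, problems

# Constructed samples, not captured traffic.
GOOD = attr(64, b"\x00\x00\x00\x0d") + attr(65, b"\x00\x00\x00\x06") + attr(81, b"20")
BAD = (attr(64, b"\x00\x00\x00\x01") + attr(65, b"\x00\x00\x00\x01")
       + attr(81, b"\x0130") + attr(11, b"quarantine-acl"))

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_vlan_assignment(pkt))
```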
June 24, 2010, 2:39 PM
grope or someone, can you post an Aironet configuration to work with RADIUS VLAN assignment (NAP in my case)?