Our L2 switch only supports EAP/PEAP/TLS. Is NAP possible with that?

  • Question

  • According to the "NAP_802.1X_StepByStep.doc" document, we have to get four computers and one L2 switch that supports 802.1x port-based authentication and RADIUS tunnel attributes for VLAN assignment.

     

    Sometimes I read about "EAP over UDP" or "EAP-FAST", but our L2 switch cannot support those protocols. Our L2 switch can support only "EAP/PEAP/TLS".

     

    In this case, can I demonstrate NAP following the "NAP_802.1X_StepByStep.doc" with only the PEAP/EAP/TLS protocols?

     

    If NAP can be supported by an L2 switch with only EAP/PEAP/TLS, why does it need EAP over UDP or EAP-FAST?

     

    If NAP cannot work with EAP/PEAP/TLS, should I change the L2 switch to test "NAP_802.1X_StepByStep.doc"?

    Tuesday, June 12, 2007 9:44 AM

Answers

  • A1)

    As I mentioned, additional functionalities, such as 'no auth' vLAN assignment, or 'auth failed' vLAN assignment, help your network more easily deal with clients that are not 802.1x capable, or clients that do not have proper credentials (guests).

     

    With the bare support I listed - EAP-via-RADIUS, vLAN assignment by RADIUS - one is able to deal with clients that do 802.1x/EAP with proper credentials only.

     

    A2)

    802.1x provides layer-2-based EAP.

    NAC provides a layer-3-based EAP infrastructure - please consult Cisco's websites/documentation for more details - I only know a small amount about it.

     

    -Chris

    Chris.Edson@online.microsoft.com *

    SDET, Network Access Protection

    * Remove the "online" to make the address valid.

    ** This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, June 13, 2007 5:30 PM
  • It's not a matter of 'includes' or 'has a' relationships.

    A switch supports a certain set of functionality.

    If it has enough functionality support, it can support NAP.

    That minimum bar is:

    • must support 802.1x EAP authentication pass-thru to a RADIUS server (NPS, in this case)

    and one of the following:

    • must support assignment of port vLAN based on attributes passed back by the RADIUS server (NPS, in this case)

    or

    • some other method of isolation (port ACLs, port filters) based on attributes passed back by the RADIUS server (again, NPS)

     

    In addition, some switch functionality can make roll-out easier.

    • The ability for the switch to assign a vLAN (or filters, etc) to a client that fails authentication.  (Helps deal with some guest scenarios)
    • The ability for the switch to assign a vLAN (or filters, etc) to a client that is unable to do 802.1x/EAP.  (Helps deal with some guest cases, or cases where clients do not support 802.1x)

     

    Does that clarify?

     

     

    -Chris

    Chris.Edson@online.microsoft.com *

    SDET, Network Access Protection

    * Remove the "online" to make the address valid.

    ** This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, June 18, 2007 4:34 PM

All replies

  • I'm not sure I understand all your questions, but I will attempt to clarify-

     

    NAP_802.1X_StepByStep.doc describes how to set up a purely Microsoft NAP 802.1x enforcement environment.

     

    The requirements on the layer 2 switch are that it must support port-based authentication via EAP pass-through to a RADIUS server (not just local EAP with a switch-based user list), which is NPS in this case. It would then support whatever EAP methods the RADIUS server allows, which in this case is PEAP.

     

    The layer 2 switch must also support the assignment of that port to a vLAN via some RADIUS attributes sent back by the NPS.  This is how clients are moved from FullAccess to Restricted and back.

     

    These two basic items would get you minimal NAP 802.1x support - additional nice-to-have features would be the ability to assign a Guest (no auth) vLAN and/or a failed auth vLAN.

     

    If your switch can support these, then you can set up a Microsoft NAP 802.1x PEAP-based enforcement environment with the addition of client and server machines.

     

     

    EAP over UDP is a supplicant methodology made/supported by Cisco - it is an EAP authentication over a layer 3 communication - and you should research it with Cisco if you want to learn more.

    EAP-Fast is another EAP method (just as PEAP is an EAP method) - and again it is made/supported by Cisco, so if you desire more information, you should research it with them.

     

    Most likely, you encountered these two terms when reading about the Microsoft/Cisco joint NAP/CNAC architecture, where we have given persons/companies with investments in either Cisco NAC or Microsoft NAP that wish to deploy both the ability to go ahead and do so. Both EAP-FAST and EAP-over-UDP can be used in a joint architecture deployment.

     

    I hope this clarifies some for you!

     

    -Chris

    Chris.Edson@online.microsoft.com *

    SDET, Network Access Protection

    * Remove the "online" to make the address valid.

    ** This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, June 12, 2007 7:14 PM
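The two switch requirements Chris describes here and in his later "minimum bar" reply (EAP pass-through to NPS, then a port VLAN assigned from RADIUS attributes that moves the client between FullAccess and Restricted) come down to three RFC 2868 tunnel attributes in the Access-Accept. The following is an added example, not code from this thread or from Microsoft: it builds those attributes the way an NPS-style server would for a given VLAN and parses them the way a switch must before applying the assignment, including the tag octet and the untagged-string case. The VLAN ids and the compliant/non-compliant mapping are constructed placeholders.

```python
import struct

# RFC 2868 tunnel attributes used for 802.1X VLAN assignment (see also RFC 3580)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13   # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6   # Tunnel-Medium-Type value "IEEE 802"
# Constructed placeholder policy: compliant clients get FullAccess, others Restricted
FULL_ACCESS_VLAN, RESTRICTED_VLAN = 100, 200


def avp(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865)."""
    return struct.pack("BB", attr_type, len(value) + 2) + value


def vlan_assignment_attributes(vlan_id, tag=1):
    """Build the three attributes a RADIUS server returns in Access-Accept for a VLAN.
    The tag octet groups them; integer values use 3 bytes after the tag."""
    tagged_int = lambda v: bytes([tag]) + v.to_bytes(3, "big")
    return (avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
            + avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_802))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def parse_attributes(blob):
    """Yield (type, value) pairs, rejecting malformed lengths."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 2:
            raise ValueError("truncated attribute header")
        t, length = blob[off], blob[off + 1]
        if length < 2 or off + length > len(blob):
            raise ValueError("bad attribute length")
        yield t, blob[off + 2:off + length]
        off += length


def assigned_vlan(blob):
    """VLAN id from a complete, consistent tunnel-attribute set, else None."""
    found = {}
    for t, v in parse_attributes(blob):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4 and v[0] <= 0x1F:
            found[t] = (v[0], int.from_bytes(v[1:], "big"))
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            # a leading octet of 0x00..0x1F is a tag; anything larger is data
            tag, text = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            found[t] = (tag, text.decode("ascii", "replace"))
    if len(found) != 3 or len({tag for tag, _ in found.values()}) != 1:
        return None  # incomplete, or the attributes refer to different tunnels
    if (found[TUNNEL_TYPE][1], found[TUNNEL_MEDIUM_TYPE][1]) != (TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802):
        return None
    gid = found[TUNNEL_PRIVATE_GROUP_ID][1]
    return int(gid) if gid.isdigit() and 1 <= int(gid) <= 4094 else None
```

A switch that applies `assigned_vlan(...)` only when it returns a value leaves the port in its default state for any malformed or inconsistent reply, which is the safe failure mode for the Restricted/FullAccess move described above.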
  • Thank you for your answer.

    More questions.

     

    Question 1)

    If minimal NAP is supported with the two basic items, which functionality does not work with only the two basic items?

    What is the functionality of "not minimal" NAP?

    Is there any document for this?

     

    Question 2)

    I can read the sentence "EAP supplicants that allow the client to send EAP messages over 802.1x "or" UDP" in [Document - Cisco NAC and Microsoft NAP Interoperability Architecture].

    In this sentence, if NAP works under 802.1x, why does Cisco use EAP over UDP??? What am I missing?


    Wednesday, June 13, 2007 12:33 AM
  • Sorry, I don't understand "no auth vlan".

    802.1X is available on a VLAN network or some network, and can be configured to authenticate hosts which are equipped with supplicant software;

    sometimes, 802.1x is available on a "vlan".

     

    But, as per your comment, is NAP not working on a "no auth" VLAN?

     

    I am confused... that

    NAP includes 802.1x and 802.1x includes auth VLAN, but NAP does not include "auth vlan"????

     

    A includes B

    B includes C

     

    but A does not include C????

     

    What does "no auth vlan" mean?????????

     

    Sunday, June 17, 2007 4:05 AM