Discussion:
new installation
George
2010-02-03 07:48:01 UTC
Hello.
I have a 2008 R2 which runs as my AD. Recently I have installed the Network
Policy and Access Services. Now, I have configured the same AD server as a
RADIUS client and one Cisco switch as a RADIUS client. The policies have been
configured to allow a specific username that belongs to a specific group. Now
when I try to connect to the switch the authentication fails. In the server
event I get the message "The user attempted to use an authentication method
that is not enabled on the matching network policy."
Basically what I need to do is for my Cisco switches to be able to log in
with my Windows credentials.
What am I missing? Is there a step by step guide to illustrate how to
implement it?
Thank you in advance
James McIllece [MS]
2010-02-09 23:47:28 UTC
Hi there --

You can use the "802.1X Authenticated Wired Access Deployment Guide," at
http://technet.microsoft.com/en-us/library/dd348468(WS.10).aspx

Thanks --
--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
James McIllece [MS]
2010-02-26 21:30:52 UTC
Hi there --

With your described configuration, you don't want to configure the AD/NPS
computer as a RADIUS client -- the NPS server is the RADIUS server. So only
the switch is acting as a RADIUS client to the RADIUS server.

You must choose an authentication method that both client computers and the
NPS server support, and then you must deploy the authentication method. For
example, if you are going to use Protected Extensible Authentication
Protocol (PEAP) with Microsoft Challenge Handshake Authentication Protocol
version 2 (MS-CHAP v2), or PEAP-MS-CHAP v2, you must deploy a server
certificate on the NPS server from a certification authority that your
client computers trust.

In addition, your switch must support the authentication method you choose.
(If you choose an EAP-based authentication method, you probably need to
enable EAP on the switch, unless it's enabled by default.)

After you have chosen and deployed your authentication method, you must
make sure that you configure network policy in NPS with that method, and
also make sure the policy grants (rather than denies) access.

You can use the following guides to deploy a switch that is both RADIUS and
802.1X-capable with NPS:

802.1X Authenticated Wired Access Design Guide at
http://technet.microsoft.com/en-us/library/dd378864(WS.10).aspx

802.1X Authenticated Wired Access Deployment Guide at
http://technet.microsoft.com/en-us/library/dd348468(WS.10).aspx

Thanks --
--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
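
A triage sketch for the denial George quotes, added here as an example (it is not code from the thread or from Microsoft): it pulls the requesting RADIUS client, the matched network policy and the requested authentication type out of NPS denial events, so they can be compared with the methods enabled on that policy. The event XML is constructed, and the event ID 6273 / reason code 66 pairing, the field names and the function name `Get-AuthMethodMismatch` are assumptions based on the standard NPS audit event layout.

```powershell
# Added example: list NPS "access denied" events caused by an
# authentication-method mismatch. Sample XML is constructed, not from the thread.
$ReasonAuthMethodNotEnabled = '66'   # assumed reason code for the message George quotes

[xml]$sample = @'
<Events>
  <Event><EventData>
    <Data Name="SubjectUserName">EXAMPLE\george</Data>
    <Data Name="ClientName">cisco-switch-01</Data>
    <Data Name="ClientIPAddress">192.0.2.10</Data>
    <Data Name="NetworkPolicyName">Switch Admins</Data>
    <Data Name="AuthenticationType">PAP</Data>
    <Data Name="ReasonCode">66</Data>
  </EventData></Event>
  <Event><EventData>
    <Data Name="SubjectUserName">EXAMPLE\alice</Data>
    <Data Name="ClientName">cisco-switch-01</Data>
    <Data Name="ClientIPAddress">192.0.2.10</Data>
    <Data Name="NetworkPolicyName">Switch Admins</Data>
    <Data Name="AuthenticationType">PEAP</Data>
    <Data Name="ReasonCode">16</Data>
  </EventData></Event>
</Events>
'@

function Get-AuthMethodMismatch {
    param([Parameter(Mandatory)] [System.Xml.XmlElement[]] $EventNode)
    foreach ($e in $EventNode) {
        # Flatten <Data Name="x">value</Data> pairs into a hashtable
        $f = @{}
        foreach ($d in $e.EventData.Data) { $f[$d.GetAttribute('Name')] = $d.InnerText }
        # Keep only denials where the requested method is not enabled on the policy
        if ($f['ReasonCode'] -ne $ReasonAuthMethodNotEnabled) { continue }
        [pscustomobject]@{
            User            = $f['SubjectUserName']
            RadiusClient    = $f['ClientName']
            ClientIP        = $f['ClientIPAddress']
            MatchedPolicy   = $f['NetworkPolicyName']
            RequestedMethod = $f['AuthenticationType']
        }
    }
}

# Offline run against the constructed sample (only the first event matches)
Get-AuthMethodMismatch -EventNode $sample.Events.Event | Format-Table -AutoSize

# On the NPS server, feed real events instead (Security log, assumed event ID 6273):
# $live = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6273} |
#         ForEach-Object { ([xml]$_.ToXml()).Event }
# Get-AuthMethodMismatch -EventNode $live
```

Compare `RequestedMethod` with the authentication methods enabled on `MatchedPolicy`: as the reply above says, the policy must be configured with the method actually in use and must grant access.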