I have a LAN comprised of 10 VLANs, from VLAN 100 to VLAN 110.
My full LAN network is on Cisco layer 2 switches trunked to 2 Cisco 6500 core switches.
I have successfully installed 2 IC 4500 boxes in cluster mode, and from the user VLANs I can ping them and vice versa.
My scenario is that I want to make sure that all users (they are getting IPs from DHCP by default) must do 802.1X authentication on their ports and are only permitted to go to the internet upon success.
My LAN is not very big or complex!
Also, I have some queries below:
1. The KB uses the Odyssey client; can I use Junos Pulse or a clientless setup for Windows users? Most of them are using Windows 7 and Windows XP.
2. I have ten VLANs working in my building, from VLAN 100 to VLAN 110, and I want VLAN 999 to be my quarantine or auth-fail VLAN. Would it work fine if I have Cisco switches at the users and my IC is licensed and located in another VLAN, connected through the internal port only?
3. Would this dot1x solution from the KB mentioned in the thread allow AD integration and also run the Junos Pulse client as single sign-on automatically?
A Juniper enthusiast!
Yes, you can do dot1x with Junos Pulse installed on Windows 7 and XP machines.
Perhaps Junos Pulse does not support all flavors of EAP methods; you can only do EAP-TTLS.
You can have users connected to one VLAN and the IC on another VLAN.
As long as the packet reaches the IC (a route exists), there shouldn't be any problem.
From your query I understand that you are trying to do dot1x. Agentless comes into the picture for the case where the user has an IP address and connectivity to the IC.
I get you now... so are my following conclusions correct? Please endorse them in your reply!
1> 802.1X can be done with the Junos Pulse client with no issues as long as I use EAP-TTLS!
2> 802.1X will need RADIUS client configuration on the switches and RADIUS configured on the IC 4500 cluster IP!
3> For 802.1X I can give full access to all real VLANs (access VLANs) and create only 1 VLAN for quarantine/remediation!
4> I have a single-site setup with Cisco switches, and I only want to ensure that users are not allowed to use the internet if they are not authenticated on 802.1X ports with their proper USER CREDENTIALS! "Well, is the end-point security setting mandatory, or can authentication with 802.1X alone work as well?"
5> I HAVE no IP phones or PoE devices, but to bypass 802.1X can I exempt the PRINTERS on their ports, or simply not configure those ports with 802.1X? What is your advice?
Waiting anxiously for a reply to my queries.
Your understanding is correct!
And for printers, you could do MAC (MAC auth bypass) or simply not configure dot1x on the switchport, as you know.
It is MAB; a typo in my earlier response.
And to answer question no. 4: typically the endpoint health check is done apart from USER credentials.
Perhaps it is up to you to leverage the security levels based on your designs.
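As an added example that is not part of this thread, here is the Cisco IOS switch configuration the points above describe: the switch as a RADIUS client pointing at the IC 4500 cluster, a user port that keeps its normal access VLAN on success and falls into VLAN 999 on failure, and a printer port using MAB instead of 802.1X. The IC cluster address, shared secret and interface numbers are placeholders.

```cisco
! Added example, not from the thread. Placeholders: IC cluster VIP 192.0.2.10,
! shared secret RADIUS_SECRET, interface numbers. Adapt to your switch model/IOS.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
! RADIUS client pointing at the IC 4500 cluster VIP (assumed address);
! the same secret must be entered for this switch as a RADIUS client on the IC.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS_SECRET
!
! User port: stays in its real access VLAN (here VLAN 100) after a successful
! EAP-TTLS login, is moved to quarantine VLAN 999 when credentials are rejected,
! and also when no supplicant answers, so an unauthenticated PC never sits in VLAN 100.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 authentication host-mode single-host
 authentication port-control auto
 authentication event fail action authorize vlan 999
 authentication event no-response action authorize vlan 999
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Printer port: MAC authentication bypass (MAB) instead of 802.1X. The printer's
! MAC address must be registered on the IC; an unknown MAC is put into VLAN 999.
interface GigabitEthernet1/0/24
 switchport mode access
 switchport access vlan 100
 authentication host-mode single-host
 authentication port-control auto
 authentication order mab
 authentication event fail action authorize vlan 999
 mab
 spanning-tree portfast
!
! Trunk to the 6500 core: no dot1x on trunk uplinks.
interface GigabitEthernet1/0/48
 switchport mode trunk
```

VLAN 999 must exist on the switch and the core, hand out DHCP addresses and have no route to the internet (only to remediation resources), otherwise the auth-fail VLAN defeats the goal in point 4.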