topic Re: How users able to login to domain in Network Access Control

How users able to login to domain

getaway51 — Mon, 06 May 2019 10:55:07 GMT

Hi,

I was wondering how end-users workstation able to reach ACS. Does it has anything to do with ip helper config in the switches?

802.1X is currently not enable. All policy now control by ISE & ACS. But in the first place, without 802.1x config, how the traffic from all branches can reach AD domain in HQ? Can someone enlighten me?

Re: How users able to login to domain

Mike.Cifelli — Mon, 06 May 2019 13:09:28 GMT

So the IP helper config does not come into play for the 8021x process. The helper will be used to ensure that you can dynamically pull an IP from DHCP. Here is a somewhat brief overview of the 8021x process:

Three main components are used:
1. Supplicant -->port authentication entity seeking network access (workstation)
2. Authenticator-->Network Access Device(switch)
3. Authentication server-->ISE/ACS

EAPoL which is used between your workstation and the switch. Radius is then used between the switch and AAA server. It looks like this:

With that information note that the NAD will manage the communication to your AAA server and the actual workstations will not talk to the AAA server. I hope this clears up the process for you!

Re: How users able to login to domain

getaway51 — Mon, 06 May 2019 14:55:23 GMT

i mean currently no 802.1x. How user able to reach ACS (i.e they login everytime PC boots up)? There is no 802.1X now, i wondering how the process like "login to domain" works?

Re: How users able to login to domain

Mike.Cifelli — Mon, 06 May 2019 15:36:51 GMT

I am not quite sure I am following.

All policy now control by ISE & ACS. But in the first place, without 802.1x config, how the traffic from all branches can reach AD domain in HQ? Can someone enlighten me?

How are you pushing policy if 8021x is not enabled? From a routing perspective you need to ensure your hosts can reach AD.