topic Re: Enable 802.1x on non domain joined users in Network Access Control

Enable 802.1x on non domain joined users

Taro-AB81 — Thu, 11 Jul 2019 02:28:28 GMT

Hi Team,

I have 1000+ users who need 802.1x to be enabled. (Windows, Ubuntu, Mac Os). We have configured the CISCO ISE and wonder is there's any way we can use a batch file to deploy. We can ask user to download and run the batch file.

Have anyone done this before, or how to enable 802.1x on 1000+ users without doing it manually? (Users are not domain connected)

Thanks in advanced.

#ciscoise #802.1x #nac

Re: Enable 802.1x on non domain joined users

Mohammed al Baqari — Thu, 11 Jul 2019 07:10:17 GMT

You need to have a tool to do this. Its not about enabling it but also
getting feedback that it was enabled successfully.

I am sure you will find a powershell script to enable dot1x on endusers
that is the easy part. But making sure that its enabled successfully needs
a desktop management tool otherwise you might break the network
connectivity of the user.

Another option is to use Cisco NAM. With that, you can enable NAM download
on your VPN gateway (ASA) so that once the user connects to anyconnect VPN,
NAM will be downloaded along with XML file which has all the authentication
settings. This is a safer way.

**** remember to rate useful posts

Re: Enable 802.1x on non domain joined users

Mike.Cifelli — Thu, 11 Jul 2019 12:34:32 GMT

To better assist you with some potential ideas can you answer the following:
Are the 1000+ users spread across several external domains or are they a part of one single external domain?
Do you have a point of contact from the external domain/s?
Do the external domain/s have internal PKI?
Have you determined if you plan to use native supplicant or NAM? I think for your scenario you should stay away from NAM since you cannot run it on linux flavors.
As far as the switch configs, are you planning to deploy static interface configs to support 8021x and/or flexauth? Or do you plan to use templates across the board that you can apply to your user interfaces?

Re: Enable 802.1x on non domain joined users

Taro-AB81 — Sun, 21 Jul 2019 15:13:45 GMT

Hi,

Thank you, the issue is im only involved with enabling it on client side. Switches are configured by a separate department. So I wonder is there's a script that can be used for Windows/Ubuntu/Mac OS.

Re: Enable 802.1x on non domain joined users

Taro-AB81 — Sun, 21 Jul 2019 15:15:24 GMT

Hi Mike,

These are not domain connected devices.

Re: Enable 802.1x on non domain joined users

hslai — Sun, 21 Jul 2019 16:04:48 GMT

Many organizations use a MDM to do this. If you consider that, please check with the MDM vendors.

ISE BYOD can help with MS Windows, Apple iOS, and macOS, but not Ubuntu.

If you want to do it yourself...

For Windows, this one looks interesting — Configuring 802.1x Authentication for Windows Deployment - A Square Dozen

For Apple macOS and iOS, create a .mobileconfig file using Apple Configurator or similar tool and then distribute it.

For Ubuntu, see ubuntu - How to automatically apply wpa_supplicant configuration? - Unix & Linux Stack Exchange