Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1121
Views
5
Helpful
5
Replies

Enable 802.1x on non domain joined users

Go to solution
Taro-AB81
Level 1
Level 1

‎07-10-2019 07:28 PM

Hi Team,

I have 1000+ users who need 802.1x to be enabled. (Windows, Ubuntu, Mac Os). We have configured the CISCO ISE and wonder is there's any way we can use a batch file to deploy. We can ask user to download and run the batch file.

 

Have anyone done this before, or how to enable 802.1x on 1000+ users without doing it manually? (Users are not domain connected)

 

Thanks in advanced.

#ciscoise #802.1x #nac

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to Taro-AB81

‎07-21-2019 09:04 AM

Many organizations use a MDM to do this. If you consider that, please check with the MDM vendors.

ISE BYOD can help with MS Windows, Apple iOS, and macOS, but not Ubuntu.

If you want to do it yourself...

For Windows, this one looks interesting — Configuring 802.1x Authentication for Windows Deployment - A Square Dozen

For Apple macOS and iOS, create a .mobileconfig file using Apple Configurator or similar tool and then distribute it.

For Ubuntu, see ubuntu - How to automatically apply wpa_supplicant configuration? - Unix & Linux Stack Exchange

 

 

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎07-11-2019 12:10 AM

You need to have a tool to do this. Its not about enabling it but also
getting feedback that it was enabled successfully.

I am sure you will find a powershell script to enable dot1x on endusers
that is the easy part. But making sure that its enabled successfully needs
a desktop management tool otherwise you might break the network
connectivity of the user.

Another option is to use Cisco NAM. With that, you can enable NAM download
on your VPN gateway (ASA) so that once the user connects to anyconnect VPN,
NAM will be downloaded along with XML file which has all the authentication
settings. This is a safer way.

**** remember to rate useful posts

Go to solution
Taro-AB81
Level 1
Level 1
In response to Mohammed al Baqari

‎07-21-2019 08:13 AM

Hi,

Thank you, the issue is im only involved with enabling it on client side. Switches are configured by a separate department. So I wonder is there's a script that can be used for Windows/Ubuntu/Mac OS.

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to Taro-AB81

‎07-21-2019 09:04 AM

Many organizations use a MDM to do this. If you consider that, please check with the MDM vendors.

ISE BYOD can help with MS Windows, Apple iOS, and macOS, but not Ubuntu.

If you want to do it yourself...

For Windows, this one looks interesting — Configuring 802.1x Authentication for Windows Deployment - A Square Dozen

For Apple macOS and iOS, create a .mobileconfig file using Apple Configurator or similar tool and then distribute it.

For Ubuntu, see ubuntu - How to automatically apply wpa_supplicant configuration? - Unix & Linux Stack Exchange

 

 

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎07-11-2019 05:34 AM

To better assist you with some potential ideas can you answer the following:
Are the 1000+ users spread across several external domains or are they a part of one single external domain?
Do you have a point of contact from the external domain/s?
Do the external domain/s have internal PKI?
Have you determined if you plan to use native supplicant or NAM? I think for your scenario you should stay away from NAM since you cannot run it on linux flavors.
As far as the switch configs, are you planning to deploy static interface configs to support 8021x and/or flexauth? Or do you plan to use templates across the board that you can apply to your user interfaces?
0 Helpful

Go to solution
Taro-AB81
Level 1
Level 1
In response to Mike.Cifelli

‎07-21-2019 08:15 AM

Hi Mike,

These are not domain connected devices.

0 Helpful
Customers Also Viewed These Support Documents