802.1x and Windows domain login

cjrchoi11
Level 1

I want to clarify the 802.1x and Windows domain login process. I configured EAP-MD5 with CSACS 3.3.1 beta, W2K, and a 3550 switch.

1) What's first, Windows domain login or 802.1x?

2) If domain login is first, how can I log in through the 802.1x-enabled switch port? Do I need to log in through the Windows cache before 802.1x?

3) I got the 802.1x authentication prompt before getting an IP address from the DHCP server. Does 802.1x work at layer 2?

Thanks,

Accepted Solution

Darthkim_2
Level 1

1) 802.1x

2) Before you even log in, your machine account is authenticated using 802.1x. Once you log in, your domain credentials are passed to the RADIUS server for authentication. While this occurs, your machine actually logs you in with the cached credentials. If the credentials happen to be expired/disabled, the authentication process will fail and the port will be err-disabled.

3) Yes (I think). The machine won't be able to get an IP, ping, do ANYTHING, until authenticated. Even if the host has a static IP, the port won't pass traffic until it has been authenticated.

Remember that MD5 is the easiest dot1x deployment, but also the most vulnerable (because the credentials are passed using a simple MD5 hash). I would definitely recommend using PEAP, EAP-TLS or FAST-LEAP.


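Two points in the accepted answer, that 802.1X runs at layer 2 (so the prompt can appear before DHCP) and that EAP-MD5 is the method to avoid, can be checked directly on the wire. The following Python script is an added example, not from the thread or from Cisco: it parses EAPOL frames (EtherType 0x888E) from constructed sample bytes and lists the sources where MD5-Challenge is negotiated instead of PEAP or EAP-TLS. The MAC addresses and challenge bytes are made up.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 802.1X destination MAC
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP", 43: "EAP-FAST"}
WEAK_METHODS = {"MD5-Challenge"}   # the method the answer warns against

def parse_eapol(frame: bytes) -> dict:
    """Parse one Ethernet frame carrying EAPOL and report the EAP method, if any.
    802.1X rides directly in Ethernet (no IP header), which is why the supplicant
    can be challenged before DHCP has handed out an address."""
    if len(frame) < 18:
        raise ValueError("too short for Ethernet + EAPOL header")
    src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError("not EAPOL (EtherType 0x%04x)" % ethertype)
    _version, eapol_type, body_len = struct.unpack("!BBH", frame[14:18])
    info = {"src": src.hex(":"), "eapol": EAPOL_TYPES.get(eapol_type, "unknown"),
            "eap_method": None, "weak": False}
    body = frame[18:18 + body_len]
    if eapol_type != 0 or len(body) < 4:
        return info                      # Start/Logoff/Key carry no EAP packet
    code, _ident, eap_len = struct.unpack("!BBH", body[:4])
    if code in (1, 2) and eap_len >= 5:  # only Request/Response carry a Type byte
        method = EAP_TYPES.get(body[4], "type-%d" % body[4])
        info.update(eap_method=method, weak=method in WEAK_METHODS)
    return info

def build_eap_request(src: bytes, ident: int, eap_type: int, type_data: bytes = b"") -> bytes:
    """Build a constructed EAPOL/EAP-Request frame (authenticator -> supplicant)."""
    eap = struct.pack("!BBH", 1, ident, 5 + len(type_data)) + bytes([eap_type]) + type_data
    eapol = struct.pack("!BBH", 1, 0, len(eap)) + eap
    return PAE_GROUP_MAC + src + struct.pack("!H", EAPOL_ETHERTYPE) + eapol

def weak_eap_sources(frames) -> list:
    """Return source MACs (in practice, switch ports) negotiating a weak EAP method."""
    return sorted({f["src"] for f in map(parse_eapol, frames) if f["weak"]})

# Constructed sample traffic: an Identity request, an EAP-MD5 challenge, a PEAP start,
# and a bare EAPOL-Start from a supplicant. All addresses and values are made up.
SWITCH_MAC = bytes.fromhex("001122334455")
SAMPLE_FRAMES = [
    build_eap_request(SWITCH_MAC, 1, 1),                                  # Identity
    build_eap_request(SWITCH_MAC, 2, 4, b"\x10" + bytes(range(16))),      # MD5-Challenge
    build_eap_request(bytes.fromhex("00aabbccddee"), 3, 25, b"\x20"),     # PEAP (Start flag)
    PAE_GROUP_MAC + bytes.fromhex("005566778899") + struct.pack("!H", EAPOL_ETHERTYPE) + struct.pack("!BBH", 1, 1, 0),
]
```

Run `weak_eap_sources(SAMPLE_FRAMES)` to get the list of sources still using MD5-Challenge; on a real capture you would feed it the raw Ethernet frames from a span port instead of the constructed ones.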

Thanks for your information.

What's first (domain login or 802.1x) in case of a W2K power cycle? I always got the 802.1x prompt after domain login with domain credentials.

Thanks,

You shouldn't get an 802.1x prompt after domain login with domain credentials. All that should be in the background.

After a power cycle, 802.1x should authenticate automatically using the machine account. So even if you don't log in, the 802.1x process should happen in the background.

Once you log in, the authentication process should begin again based on your domain credentials.

Hi all,

An old but really interesting question, which I'm also facing today while learning to get a better understanding of how an 802.1X deployment works in the background and from a user perspective!

What I'd like to ask about point 2), "Before you even login, your machine account is authenticated using 802.1x...": what does this mean for the configuration on e.g. ISE, the AD and the end-user device in detail? Do I have to configure MAB on the authenticator and prepare the MAC address of the device as e.g. a user in the AD, or does this work with a certificate which has to be deployed to the PC/notebook/etc. beforehand, and/or can user/password authentication be stored on the device and used?

I appreciate every reply and support that helps me understand how this works in real life.

Thank you in advance!