
802.1x Authentication for Zero Clients??

vanyeh2007
Level 1

I need some ideas and strategies on deploying zero clients to a network with 802.1x authentication. Our network consists of Cisco ISE and Microsoft AD.

1. What do I need to authenticate the machines and users?

 

Accepted Solutions

Mike.Cifelli
VIP Alumni
My two cents on your scenario/question:

You need to determine if your zero clients support 802.1x. As a fallback you could always simply run MAB for the clients and then rely on AD for user authentication. If the clients do not support 802.1x and you use the fallback idea, you would be pushing policy based strictly on the clients and not your users. If the clients support 802.1x, then you will need to determine what type of protocols they are able to support. That would give you an idea if you can run 802.1x and authenticate both the user and comp. If user+comp authentication is your desire, most environments I have seen would run EAP-chaining, which requires the EAP-FAST protocol, which means you need AnyConnect NAM. However, I would be willing to bet that the zero client/s do not support NAM. Anyways, this should be pretty straightforward if the clients do not support 802.1x. Good luck and HTH!


vanyeh2007
Level 1

Zero clients support 802.1x EAP-TLS protocol. It supports machine or user authentication. It does support NAM so EAP-chaining won't work.

1. Can I add these zero clients to a Domain?

2. If answer for question 1 is 'No', then what do I use for zero client machine authentication using 802.1x?

 

 

Yes, you can add zero clients to the domain and can do machine authentication.

1. Create a condition like: if machine authentication succeeds, give limited access & redirect to the web portal.

2. In the portal, verify whether the user is a domain user or not & provide access accordingly.

-Aravind


Mike.Cifelli's points are valid.

There appear to be different zero client solutions, so please check with the vendor on their features and limitations.
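
An access-port configuration for the approach discussed in this thread (802.1x attempted first, MAB as the fallback), added here as an example and not posted by any participant. It assumes a Catalyst switch using the legacy `authentication` interface commands with ISE as the RADIUS server; the server name, address, shared secret, interface and VLAN are placeholders.

```cisco
! Added example. Constructed values: ISE-PSN1, 192.0.2.10, <shared-secret>,
! GigabitEthernet1/0/10 and VLAN 10 are placeholders, not from the thread.
aaa new-model
!
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
aaa group server radius ISE
 server name ISE-PSN1
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
! Enable 802.1x globally on the switch.
dot1x system-auth-control
!
interface GigabitEthernet1/0/10
 description Zero client access port
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 ! Try 802.1x first; fall back to MAB if the client never answers EAPOL.
 authentication order dot1x mab
 ! If a MAB-authorized client later starts 802.1x, the 802.1x result wins.
 authentication priority dot1x mab
 authentication host-mode single-host
 authentication port-control auto
 ! Re-authenticate on the interval returned by the RADIUS server.
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 ! Shorter EAPOL retry interval so MAB-only clients reach fallback sooner.
 dot1x timeout tx-period 10
```

With this order, a zero client that speaks EAP-TLS authenticates through 802.1x, while one that never answers EAPOL is identified by MAC address only. The ISE authorization rule matching MAB sessions should therefore grant no more access than a device-only identity warrants.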