802.1X configuration for Laptops
10-18-2023 05:06 AM
I've tried searching for this, but have not found an answer yet - I'll keep looking after I write this.
Currently - we are using AnyConnect v5 as our supplicant. Our workstations are all laptops (mostly Dell, but some others thrown in the mix). Everyone also has a laptop and/or USB > Ethernet Adapter.
Our goal is we would like to remove AC from the environment completely and switch over to using the Windows native supplicant. I got this working and can authenticate against ISE without AC using TEAP EAP Chaining. But this was only 1 machine.
Our problem is that after I configured the TEAP settings on MY network adapter "Ethernet 5", if I unplug from my dock, walk to a conference room and plug in, then I'm now using "Ethernet 3" and all my 802.1X settings are back to default. I understand why that happens - but how can we (is there even a way??) deploy these 802 settings to 500 laptops successfully without knowing what Ethernet # they will end up having / can change at any time? Is there a way to configure these 802 settings 'globally' so they apply to ANY Ethernet adapter, or does it have to be done individually?
We have 500 laptops and at any given time they may be using a dock or USB adapter, etc. If they are on wireless (not connected to wired), then they don't have an Ethernet adapter at all until they connect wired.
So far it seems there is no 'great' way to do this and AC is the best choice - but we are really trying to see if we can do without it.
Labels: Identity Services Engine (ISE)
10-18-2023 05:19 AM
This should have said "Everyone has a laptop, DOCK and/or USB to Ethernet Adapter"
10-18-2023 07:14 AM
Hi @MikeMoss,
When it comes to the AnyConnect/Secure Client supplicant, the supplicant will be applied to the adapters that have the "Cisco Network Access Manager Filter Driver" checkbox enabled. This can be reviewed in the menu Control Panel > Network and Internet > Network Connections: select the adapter and then Properties to see that option. The adapters that don't have this option will be using the default 802.1X settings that you configured for the native supplicant.
Network Access Manager manages user and device identity and the network access protocols required for secure access. It works intelligently to prevent end users from making connections that violate administrator-defined policies. You can configure the authentication settings that you might require for the AC supplicant using the Profile Editor and then push that XML to all the devices that might require authentication settings for NAM.
For your reference:
Cisco Secure Client At-a-Glance
Configure EAP profiles and settings in Windows
Configure Network Access Manager
Let me know if that helped you.
10-19-2023 08:09 AM
@Rodrigo Diaz OK. I am either misunderstanding your reply OR you're trying to explain something that's the exact opposite of what I want. My original post stated
"Our goal is we would like to remove AC from environment completely".
Your response is talking more about using AnyConnect - which we are already doing. The goal here is to continue using dot1x, but WITHOUT AnyConnect. Please re-read my post to understand fully.
Again, if it's ME that's not understanding your reply - then please clarify.
11-27-2023 01:59 PM
I resolved this issue on my own and was able to successfully deploy settings using MS Intune. This applied the 802.1X authentication settings to all NICs, whether they existed or not.
