AD join in 802.1X environment

jiyoung Kim
Level 1

Hi, I'm trying to deploy 802.1X in an AD environment.

When clients get their PC for the first time, they cannot join the domain until they authenticate on 802.1X.

After they change their workgroup to our company's domain, they have to reboot.

When they reboot, they have to log in to AD so they can download policy from the GPO in Active Directory.

At that point, the port is not authenticated yet, so the client can't download the GPO policy.

What's the solution for this situation? Using low-impact mode? Anything else?

28 Replies

The ISE profile is based on policies and does not affect your GPOs.

Did you use a Microsoft NAP/NPS as Authentication Server?
Did you want to Authenticate the Users or the Machines?

I'm using ISE,

and maybe I was not clear about this.

In order to profile, the PC has to be on the network,

but you can't be on the network before logging in to the PC, which is when the PC downloads the GPO from AD.

From the ISE guide.

Understanding Authorization Policies

Authorization policies are a component of the Cisco ISE network authorization service that allows you to define authorization policies and configure authorization profiles for specific users and groups of users that access your network resources.

Network authorization policies associate rules with specific user and group identities to create the corresponding profiles. Whenever these rules match the configured attributes, the corresponding authorization profile that grants permission is returned by the policy, and network access is authorized accordingly.

Authorization policies can contain conditional requirements that combine one or more identity groups using a compound condition that includes authorization checks that can return one or more authorization profiles. In addition, conditional requirements can exist apart from the use of a specific identity group (such as in using the default "Any"). Cisco ISE is an attribute-based policy system, with identity groups being one of the many important attributes.

You are not able to authorize the system because you don't have any attributes from the system except the MAC address of the network card.

An Authorization Policy with a lower priority which authorizes the system to communicate with the Servers should work.

I'm not very familiar with ISE, but it should be possible to authorize the system based on the MAC to join the domain.

It is not possible to authorize with the MAC because the NETWORK is NOT USED YET.

You know, when you first boot up, you have to log in via GINA. Before logging in, there is no way to use the Ethernet card...

it should be possible with MAB to authorize the system by MAC

then could you tell me the flow of authentication with that ?

blenka
Level 3

Please see the link below; the information for your query is there.

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_guest_pol.html#wp1096365

When systems resume from sleep, they do not attempt machine authentication, only user authentication. This is by design on Windows. In your dot1X profile, what is the machine cache timeout set at? This can be found on the Advanced tab of the 802.1X Authentication Profile: "Machine Authentication Cache Timeout". This dictates how long the MAC address is cached in the internal database upon successful machine authentication. If set too low, you'll likely see improper role assignment due to the machine not authenticating.

Because these are new laptops, I would also make sure that they are doing both user and machine authentication as well (whether by GPO or manual settings).

As a test, on these same systems, if you restart them, do they get placed in the proper roles? If they do, then your cache timeout is likely the issue. If they do not, the system is likely not set to use both machine and user authentication.

I would recommend priming (preparing and joining) the workstations on a non-dot1x service port before sending them to the premises.

However, if you have a non-domain-member PC on a dot1x port, you can still enter the 802.1X credentials manually before joining if user auth is enough. You need to modify Windows 802.1X settings:

Find this very hidden setting and de-select "Automatically use my Windows logon name and password (and domain if any)".

The client will pop up a bubble when 802.1X authentication is attempted where you can enter the YOURDOM\username and the password thus passing 802.1X.

kaaftab
Level 4

Kindly check the following Cisco link for reference, as it covers all the aspects of 802.1X:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Dot1X_Deployment/Dot1x_Dep_Guide.html

PK Networks
Level 1

Did anyone find a final solution for this scenario...??

Or was the only solution to first prepare the new PC on a non-dot1x port and join it to the domain....

and then convert the port to dot1x....?
You have several options here. Not sure if you are implementing TrustSec into your environment or not. If you are, the plan below is subject to change since the process would be different. However, if you are not using TrustSec you could do the following:

Configure all of your ports for dot1x and mab using fallback, order, and priority commands. Basically saying try dot1x and then fall back to mab for your newly imaged hosts, or new hosts in general.

Within ISE, set up your authorization policies with whatever conditions you deem necessary, but include the AD external group mapping so that your domain hosts in specific security groups get the proper profile result to dump them in your VLAN structure accordingly.

Then for your default rule (AKA mab hosts) configure an auth profile result that throws down a dACL. Within the dACL restrict connectivity, only allowing connectivity to the services it needs to talk to in order to get GPOs, auto-enrollment, patches, etc. Inside the auth profile for your default rule do not assign your VLAN. Rely on the switchport config to assign the VLAN.

Also, add a reauthentication timer of 30-60 minutes so that once your new hosts that auth via mab get GPOs, a cert, etc. they are forced to reauth using dot1x. Without a script there will be some manual intervention within AD to ensure the computer object gets moved to the right security group.

 

Hope this general idea better assists you!
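Rendered as switch configuration, as an added example that is not from the thread: a Cisco IOS access port set up for 802.1X with MAB fallback, plus the kind of restricted dACL Mike describes for the default (MAB) rule. The interface, VLAN, DC_IP and WSUS_IP are placeholders for the site's own values.

```ios
! Constructed example (not from the thread): access port that tries 802.1X
! first and falls back to MAB. The VLAN comes from the switchport, so the
! MAB authorization profile only needs to return a dACL and a Session-Timeout.
interface GigabitEthernet1/0/1
 description user access port (placeholder interface)
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 spanning-tree portfast
!
! Classic IOS needs IP device tracking to learn the client IP for the dACL.
ip device tracking
!
! dACL body for the default (MAB) rule, entered as the dACL content in ISE.
! DC_IP and WSUS_IP are placeholders for the domain controller and patch server.
! Allows DHCP, DNS, NTP, Kerberos, LDAP/GC, SMB (SYSVOL/GPO) and RPC only.
permit udp any any eq bootps
permit udp any host DC_IP eq domain
permit tcp any host DC_IP eq domain
permit udp any host DC_IP eq ntp
permit tcp any host DC_IP eq 88
permit udp any host DC_IP eq 88
permit tcp any host DC_IP eq 135
permit tcp any host DC_IP eq 389
permit udp any host DC_IP eq 389
permit tcp any host DC_IP eq 636
permit tcp any host DC_IP eq 3268
permit tcp any host DC_IP eq 445
permit tcp any host DC_IP range 49152 65535
permit tcp any host WSUS_IP eq 8530
deny ip any any
```

`authentication timer reauthenticate server` makes the port honour the Session-Timeout that the MAB authorization profile returns, which is where the 30-60 minute reauthentication timer lives. `show authentication sessions interface GigabitEthernet1/0/1 details` shows whether the dACL and the timeout were actually applied to a session.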

Thanks Mike...

It makes sense...

Yes, we won't be using TrustSec in our environment....

Btw, our access switches are Juniper EX3300, so we will have to see if we can use a dACL on them....

Plus, is there any way to manually add MAC addresses or OUIs to the endpoint groups using only the Base License?
To answer this: Plus, is there any way to manually add MAC addresses or OUIs to the endpoint groups using only the Base License?
Administration -> Identity Management -> Groups -> Endpoint Identity Groups
Create a group and manually add the MACs.

You can also manually add a MAC to the ISE DB under Context Visibility -> Endpoints -> Add (+).
This will allow you to pre-stage MACs into endpoint groups before ISE has even seen those MACs.

Then just reference your endpoint groups in your policy conditions as you wish inside of your policy sets.

Base licenses are consumed for basic network access, which includes AAA features, 802.1X, RADIUS, TrustSec, etc., on a per-device basis.

HTH!