AD join in 802.1X environment

jiyoung Kim
Level 1

Hi, I'm trying to deploy 802.1X in an AD environment.

When the client gets their PC for the first time, they cannot join until they authenticate on 802.1X.

After they change their workgroup to our company's domain, they have to reboot.

When they reboot, they have to log in to AD so they can download policy from GPO in Active Directory.

At that point, the port is not authenticated yet, so the client can't download the GPO policy.

What's the solution for this situation? Using low-impact mode? Anything else?

Accepted Solution

You have several options here. I'm not sure if you are implementing TrustSec in your environment or not. If you are, the plan below is subject to change since the process would be different. However, if you are not using TrustSec, you could do the following:

Configure all of your ports for dot1x and MAB using the fallback, order, and priority commands, basically saying try dot1x and then fall back to MAB for your newly imaged hosts, or new hosts in general.

Within ISE, set up your authorization policies with whatever conditions you deem necessary, but include the AD external group mapping so that your domain hosts in specific security groups get the proper profile result to dump them in your VLAN structure accordingly.

Then for your default rule (AKA MAB hosts), configure an authorization profile result that throws down a dACL. Within the dACL, restrict connectivity, only allowing connectivity to the services it needs to talk to in order to get GPOs, auto-enrollment, patches, etc. Inside the authorization profile for your default rule, do not assign your VLAN; rely on the switchport config to assign the VLAN.

Also, add a reauthentication timer of 30-60 minutes so that once your new hosts that authenticated via MAB get GPOs, a cert, etc., they are forced to reauth using dot1x. Without a script there will be some manual intervention within AD to ensure the computer object gets moved to the right security group.

 

Hope this general idea better assists you!
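The switch-side and ISE-side pieces of the approach above, as an added example rather than the poster's own configuration: a classic IOS access port that tries 802.1X first and falls back to MAB, re-authenticates every 30 minutes, and leaves VLAN assignment to the port, followed by the dACL that ISE would return for the default (MAB) rule so an unjoined host can reach only what it needs to join the domain and pull GPOs. The interface name, VLAN 100, the domain controller 10.0.0.5, the ISE node 10.0.0.10, the shared-secret placeholder and the dACL name are assumptions for illustration. A dACL needs ip device tracking on the switch, and ISE requires the dACL source to be `any`.

```text
! --- Switch side (classic IOS; names and addresses are assumptions) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
! device tracking is required so the switch can substitute the host's IP
! for the "any" source in the downloaded ACL
ip device tracking
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key <shared-secret>
radius-server vsa send authentication
radius-server vsa send accounting
!
interface GigabitEthernet1/0/1
 description user port - dot1x first, MAB fallback
 switchport mode access
 ! VLAN comes from the port, not from the ISE result, as the answer suggests
 switchport access vlan 100
 authentication port-control auto
 authentication host-mode single-host
 ! try 802.1X first; with no supplicant (or on failure) move on to MAB
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 ! periodic re-auth every 30 min: once the host has joined and enrolled,
 ! the next round is answered by the supplicant and it gets its normal result
 authentication periodic
 authentication timer reauthenticate 1800
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
 mab
 spanning-tree portfast
!
! --- ISE side: contents of the dACL returned by the default (MAB) rule ---
! (assumed name PROVISION-ONLY; DC/DNS at 10.0.0.5; no VLAN in this result)
! DHCP, so the host can get an address
permit udp any any eq 67
permit icmp any host 10.0.0.5
! DNS
permit udp any host 10.0.0.5 eq 53
permit tcp any host 10.0.0.5 eq 53
! Kerberos, NTP, RPC endpoint mapper, LDAP, SMB (SYSVOL for GPOs), kpasswd, GC
permit udp any host 10.0.0.5 eq 88
permit tcp any host 10.0.0.5 eq 88
permit udp any host 10.0.0.5 eq 123
permit tcp any host 10.0.0.5 eq 135
permit udp any host 10.0.0.5 eq 389
permit tcp any host 10.0.0.5 eq 389
permit tcp any host 10.0.0.5 eq 445
permit tcp any host 10.0.0.5 eq 464
permit udp any host 10.0.0.5 eq 464
permit tcp any host 10.0.0.5 eq 3268
! dynamic RPC range used by the DC (Windows Server 2008 and later)
permit tcp any host 10.0.0.5 range 49152 65535
deny ip any any
```

After the first re-authentication, `show authentication sessions interface GigabitEthernet1/0/1` on the switch shows which method the host ended up on (mab vs dot1x) and which ACL is applied to the session; that is the check that the host really moved off the provisioning dACL. Add lines for any patch or auto-enrollment servers the host must reach in the same way, with their own addresses.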


28 Replies

Chris Illsley
Level 3

You could authenticate by machine: the machine would be authenticated, but the client would still need a valid AD account to log in.

Thanks

Chris

Hey, how can the device authenticate with AD, since the port is CLOSED and the client is not authenticated yet?

The device cannot talk to AD before it gets authenticated.

Hi,

You've joined the PC to AD? So you get the machine to authenticate; that way the port will be authenticated.

Thanks

Chris

It is a new PC that hasn't joined yet.


If you're building PCs that aren't yet joined, you will either need a port that isn't dot1x authenticated or a fallback guest area that has limited connectivity so you can complete the build process.

Thanks

Chris

Hey, it is a very dangerous idea to put AD in the guest area.

Also, I'm asking for a solution for that.

Please check the guide for Managing External Identity Sources; it may help you:

http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_man_id_stores.pdf

jan.nielsen
Level 7

Are you using PXE to put an image onto the machine? If not, then who is doing the installation and how, and where are they when they install it (on-site/IT department)?

I have a few customers where we use their PXE environment to trigger a script that puts the MAC address of the new PC in a specific AD group, so it can get access while it's being provisioned, by using MAB authentication. When the PC is completely installed, the GPOs will configure the dot1x settings and enroll certs for machine auth/user authentication on the network.

Muhammad Munir
Level 5

Hi

Ensure that the RADIUS probe is enabled in Cisco ISE.

Ensure that network access devices support an IOS sensor for collecting DHCP, CDP, and LLDP information.

Ensure that network access devices run the following CDP and LLDP commands to capture CDP and LLDP information from endpoints:

cdp enable
lldp run

Ensure that session accounting is enabled separately, by using the standard AAA and RADIUS commands. For example, use the following commands:

aaa new-model
aaa accounting dot1x default start-stop group radius
radius-server host auth-port acct-port key
radius-server vsa send accounting

Oliver Laue
Level 4

Hi,

It depends on your setup. If you don't assign dynamic VLANs to users or machines, a pre-auth ACL should do it.
While the client is not authenticated, it is allowed to communicate with defined systems like an AD server, but all other communication is blocked.

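The pre-auth ACL variant described in the reply above (what Cisco calls low-impact mode), as an added example that is not the poster's own configuration: the port is opened with `authentication open`, so frames are forwarded before any authentication result, but a static port ACL limits that traffic to what a freshly imaged, unjoined host needs first (DHCP, DNS, and PXE/TFTP to a deployment server). Once 802.1X or MAB succeeds and ISE returns a dACL, the downloaded ACL takes precedence over the static one for that host's session, so the static list stays deliberately small. The interface name, VLAN 100, the DNS/DC address 10.0.0.5 and the deployment server 10.0.0.20 are assumptions.

```text
ip access-list extended PRE-AUTH
 remark traffic an unauthenticated host may send (low-impact mode)
 remark DHCP so the host can get an address before any auth result
 permit udp any any eq 67
 remark DNS to the assumed DNS/DC address
 permit udp any host 10.0.0.5 eq 53
 permit tcp any host 10.0.0.5 eq 53
 remark PXE: proxy DHCP (4011) and TFTP to the assumed deployment server.
 remark The port ACL only sees client-sourced packets, and after the first
 remark TFTP packet the server answers from an ephemeral port, so the client
 remark must be allowed to send UDP to any port on that server
 permit udp any host 10.0.0.20
 remark WinPE/image download over SMB from the same deployment server
 permit tcp any host 10.0.0.20 eq 445
 remark everything else waits for an authorization result from ISE
 deny ip any any
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 ! low-impact mode: forward before auth, but subject to PRE-AUTH
 authentication open
 ip access-group PRE-AUTH in
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 mab
```

The practical difference from a closed port is what an attacker with a random MAC can do before any RADIUS decision: with this list it is DHCP, DNS and the deployment server, nothing else, and that is exactly why the ACL should name specific servers rather than a subnet. Keep the reauthentication timer and the dot1x/MAB order the same as on any other port; only `authentication open` and the `ip access-group` line are specific to this mode.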

So it can only be done by using low-impact mode... right?

As I wrote before, it depends on your setup.
What kind of authentication are you using? What kind of RADIUS/TACACS server do you use, or maybe ISE?

With ISE it could be possible to assign the machine a profile if it's not authenticated, which allows these specific non-joined systems to communicate with the required servers. After the machine reboots, it should be profiled correctly as a domain member.

With Microsoft NPS/NAP you could normally do the same, but there are a couple of problems with this kind of setup.


Hey, we cannot use a profile.

First of all, you have to log in to the Windows PC on GINA; after that, you can get authenticated as not joined or joined to AD.

Before you log in on GINA, you can't do anything; that is the problem. When you log in on GINA, if you cannot communicate with AD, you cannot log in.

So specifically my problem is coming from here:

1. I have to log in to the new PC with AD join.

2. BUT the network is not authenticated when I log in on GINA.

3. SO the PC can't get the GPO from the AD controller.

Any idea?
