08-10-2017 09:39 AM - edited 03-11-2019 12:55 AM
Hello everyone,
I'm facing this issue with one client: I have implemented Wired 802.1x with EAP-TLS, Guest access for guests with sponsor, and profiling.
First, the client didn't accept the use of AnyConnect for 802.1x because of the delay it carries while starting Windows, so we moved to the native supplicant of Windows. He has accepted the fact that EAP chaining is not possible with native supplicants, but now he is telling me that it is not acceptable that users (i.e. managers) bring their laptops to their homes and manually disable 802.1x on their Ethernet cards, and that there must be a way for the wired Ethernet adapter to detect that it's on a different network and disable 802.1x.
Of course, he didn't use all the technical babble I used in the previous paragraph, he just said "managers should bring their laptops to their homes and continue working without doing nothing at all, they won't disable 802.1x in their ethernet cards manually, that's unacceptable!"
I don't know if it's possible on a Windows machine, and I don't know if it's possible with AnyConnect either, without any interaction from the user.
I would greatly appreciate any help on this.
Accepted Solutions
08-10-2017 11:16 AM
Thanks for the answer. I don't remember what the default configuration for 802.1x is on the Windows wired Ethernet card when you enable the 802.1x service, but I found the solution: I have to enable the following: "fallback to unauthorized network access"
This option was disabled; enabling it solved the issue.
https://faq.icto.umac.mo/wp-content/uploads/2015/08/Wired-network-on-Windows-10_e9.jpg
The option is self-explanatory in English, but since the OS is in Spanish the option is not so clear:
"Retroceso de acceso de red no autorizado"
It should say "Acceso de red no autorizado como ultimo recurso"
Well, I'll leave this here so it might help others.
08-10-2017 10:38 AM
I've already found the answer for AnyConnect in the Cisco documentation:
"You can configure a single authenticating wired connection to work with both open and authenticating networks by carefully setting the startPeriod and maxStart such that the total time spent trying to initiate authentication is less than the network connection timer (startPeriod x maxStart < Network Connection Timer). Note: In this scenario, you should increase the network connection timer by (startPeriod x maxStart) seconds to give the client enough time to acquire a DHCP address and finish the network connection. Conversely, administrators who want to allow data traffic if and only after authentication succeeds should make sure that the startPeriod and maxStart is such that the total time spent trying to initiate authentication is greater than the network connection timer (startPeriod x maxStart > Network Connection Timer)."
Unfortunately, the customer doesn't want AnyConnect. Is it possible to achieve a similar behavior with the native supplicant of Windows?
08-10-2017 10:40 AM
Hi Andy,
If a laptop connects to a network that doesn't use 802.1x it should still work ok when using the native supplicant. You shouldn't need to disable 802.1x.
Even with AnyConnect you can define multiple networks: the first can require 802.1x and, if that fails, it could, if configured, attempt to connect to an open network. You can use the profile editor to define the networks, the order, etc.
