09-06-2017 03:10 PM - edited 02-21-2020 10:33 AM
Hello everyone,
After testing wired 802.1X with machine and user authentication using EAP-TLS, the customer is not satisfied with the results again. Even though it was explained beforehand that certificates must be deployed prior to the implementation of Dot1X, the customer has just reported that random corporate users must be able to authenticate themselves even if their certificates are not installed on the machine.
I suggested that the switch port can be set in monitoring mode (authentication open) or that the MAC address can be added temporarily so the new users can download their certificate, but the customer wants this process to be automatic.
Is it possible to download the user certificate before authentication happens? According to all the documentation I've read, it's not possible. Certificates must be installed before the implementation of 802.1X. I would greatly appreciate any help on this matter.
Thanks
09-06-2017 06:22 PM
09-06-2017 08:55 PM
@Francesco Molino wrote:
Hi
Yes, certificates can be triggered automatically.
You can use GPO to push it while giving a small session timeout when a laptop connects to the network.
Thanks for your answer, Francesco. Can you please explain how I can achieve this while 802.1X is deployed in closed mode?
According to Cisco documentation, user authentication always happens before any GPO is applied:
Source: https://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/IBD/1XbaseCG.pdf
@Francesco Molino wrote:
You can also use the BYOD process to force a URL redirect and do the enrollment.
If the customer doesn't want any interaction with the user, then you don't have any choice but to force only computer authentication, push a GPO to force users to get their certificates, and connect them back. In the meantime, to know who already has the certificate or not, you can use an AD group, but for sure there will be some manual work to be done.
Thanks
PS: Please don't forget to rate and select as validated answer if this answered your question
That's exactly the scenario: the customer doesn't want any interaction with the user. He wants any random corporate user to log in on any corporate machine, and that user logs in transparently as if nothing happens, like it was before 802.1X.
By the way, we used AnyConnect before: wired 802.1X with EAP chaining was implemented, but the customer didn't want the users to interact with AnyConnect every time they connected to the open wireless network. Therefore, we implemented AnyConnect Start Before Logon, so users were able to connect to the open wireless network using the Windows network icon from the taskbar. However, it generated a very long delay on Windows startup, even more than a minute, and this was the main reason for the change to the Windows native supplicant.
Even though he wants machine and user authentication via certificate because it is considered the strongest authentication method, I can only think of 2 solutions with the current requirements:
- Only machine authentication with EAP-TLS, as you mentioned. By the way, the customer also required that the user never has to restart or log off to authenticate the machine, so we set the MAR aging time to 6 months.
- Implement EAP-PEAP for machine and user authentication (considering the Windows native supplicant can only use a single method for both authentications; it doesn't have profiles like NAM).
Thanks
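The thread leaves open how an administrator would know, per user, whether a usable EAP-TLS certificate is present and, if not, nudge the GPO-driven enrollment that Francesco describes. The following PowerShell script is an added example written for this page; it is not code from the thread, from Cisco, or from any of the posters. It assumes AD CS autoenrollment is already configured by GPO and a placeholder issuing-CA name (`CN=Corp-Issuing-CA`) that you must replace with your own. It runs in the user's context, so it can only succeed after the machine-authentication session (or an open-mode port) has already brought the link up, which is exactly the constraint the thread discusses: it does not make user authentication succeed in closed mode on its own.

```powershell
# Added example (not from the thread): report whether the logged-on user holds a usable
# EAP-TLS client certificate and, if not, trigger AD CS autoenrollment so the next
# 802.1X user-authentication attempt has a certificate to present.
# Intended to run from a user logon script once machine-only authentication has the port up.

$ExpectedIssuer = 'CN=Corp-Issuing-CA'   # ASSUMPTION / placeholder: your enterprise issuing CA
$ClientAuthEku  = '1.3.6.1.5.5.7.3.2'    # Client Authentication EKU OID (RFC 5280), required for EAP-TLS

function Get-UsableEapTlsCertificate {
    param([string]$Issuer)
    $now = Get-Date
    # Items from the Cert: drive expose EnhancedKeyUsageList with ObjectId/FriendlyName.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and                          # supplicant must be able to sign the TLS handshake
        $_.NotBefore -le $now -and
        $_.NotAfter  -gt $now.AddDays(1) -and          # ignore certs expiring within a day
        $_.Issuer    -like "*$Issuer*" -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthEku })
    }
}

$cert = Get-UsableEapTlsCertificate -Issuer $ExpectedIssuer | Select-Object -First 1
if ($cert) {
    Write-Output "EAP-TLS user certificate present: $($cert.Subject), expires $($cert.NotAfter)"
    exit 0
}

Write-Warning 'No usable EAP-TLS user certificate found; triggering autoenrollment.'
# certutil -pulse starts the autoenrollment task now instead of waiting for its schedule.
# It needs the autoenrollment GPO in place and a template the user is allowed to enrol from.
certutil -pulse | Out-Null
Start-Sleep -Seconds 30   # give the enrollment task time to contact the CA

$cert = Get-UsableEapTlsCertificate -Issuer $ExpectedIssuer | Select-Object -First 1
if ($cert) {
    Write-Output "Certificate enrolled: $($cert.Thumbprint)"
    exit 0
}
Write-Warning 'Autoenrollment did not yield a certificate; check CA reachability and template permissions.'
exit 1
```

Logging the exit code centrally (for example via the logon script's output) gives the AD-group bookkeeping Francesco mentions a data source: users that exit 1 are the ones still needing manual attention, and users that exit 0 can be moved out of the "no certificate yet" group.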
09-07-2017 05:03 PM