03-09-2009 04:44 AM - last edited on 03-25-2019 05:25 PM by ciscomoderator
I'm looking for a solution for starting with 802.1X for wired and wireless networks in a live environment. During the migration I have to turn on port-based authentication. But at that moment, the machine must have a valid user / computer certificate. Otherwise there will be no connection to the network. Do I have to make sure that all computers have the certificates before turning on port-based authentication? Is there another method?
Regards
Remco
03-09-2009 04:58 AM
03-09-2009 05:09 AM
Yes you are right. But I want to use EAP-TLS with user and computer certificates...
03-09-2009 06:51 AM
Then you need client certificates. Would not recommend self-signed certs.
03-09-2009 07:17 AM
I know I need client certificates. But all the certificates need to be installed before 802.1X can be implemented on the switch. If there is no certificate, the client cannot get access to the network and auto-enrollment of certificates will not work.
03-09-2009 12:20 PM
In that case I suggest you use Microsoft CA Server. Let the user download the user certificate during the process of 802.1x authentication.
Assuming EAPoL will help retrieve the user or computer certificate from the CA server during the authentication process.
HTH
Ahmed
03-10-2009 01:50 AM
During 802.1x authentication there is no connection to the rest of the network, so certificates cannot be obtained.
03-10-2009 05:02 AM
If you run machine-auth, this enables the network connection. If you then run user-auth, you can automatically download a cert for the user, since the network access has been obtained from machine credentials. So in other words, as long as you at least have a cert on the box for the machine, the user doesn't necessarily need a cert pre-loaded and auto-enrollment of certs can still work.
HTH,
03-10-2009 05:26 AM
At first you use machine authentication with the computer certificate. This cert can be obtained after an initial reboot. OK, then there is a network connection based on computer authentication. At that moment, the user logs in. At that moment there will be a re-authentication with the user certificate (that is not available on the PC). I think this is going wrong.
03-10-2009 05:37 AM
That's all correct. ;-). Essentially what happens is the following:
1) network access granted via machine-auth.
2) EAPOL-Start from PC to switch.
3) EAPOL-Identity-Request from switch to PC.
At this point, the PC sits there since it has no cert to offer. But remember, network access has been granted from step 1 above, and the network connection is still open until at least this "new" authentication attempt fails or times out. So you've got until at least it times out to allow auto-enrollment of a cert to work.
Would hope this is a corner case anyway, and that most of your users already have certs, but it's an option for you maybe ...
HTH,
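To make steps 2 and 3 of the exchange above concrete, here is an added example (not code from the original thread) that encodes and decodes the EAPOL frames involved: the EAPOL-Start from the PC, the EAP-Request/Identity from the switch, and the EAP-Response/Identity the supplicant would send if it had an identity to offer. Frame layout follows IEEE 802.1X (EAPOL header, PAE group address 01:80:C2:00:00:03, EtherType 0x888E) and RFC 3748 (EAP header). The MAC addresses and identity strings are constructed for illustration.

```python
"""EAPOL/EAP frame encoder and decoder for the machine-auth-then-user-auth case.

Added example; MACs and identities below are constructed, not from the thread.
"""
import struct
from typing import Optional

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 2  # IEEE 802.1X-2004

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13

EAPOL_NAMES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff"}
EAP_CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_NAMES = {1: "Identity", 13: "EAP-TLS"}


def eapol_frame(src: bytes, eapol_type: int, body: bytes = b"",
                dst: bytes = PAE_GROUP_ADDR) -> bytes:
    """Ethernet header + EAPOL header (version, type, body length) + body."""
    header = struct.pack("!HBBH", ETHERTYPE_EAPOL, EAPOL_VERSION, eapol_type, len(body))
    return dst + src + header + body


def eap_packet(code: int, identifier: int, eap_type: Optional[int] = None,
               data: bytes = b"") -> bytes:
    """EAP packet: Code, Identifier, Length (whole packet), [Type, Type-Data]."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def eapol_start(supplicant_mac: bytes) -> bytes:
    """Step 2: the supplicant asks the authenticator to (re)start authentication."""
    return eapol_frame(supplicant_mac, EAPOL_START)


def eap_request_identity(switch_mac: bytes, identifier: int) -> bytes:
    """Step 3: the authenticator asks who is on the port."""
    return eapol_frame(switch_mac, EAPOL_EAP_PACKET,
                       eap_packet(EAP_REQUEST, identifier, EAP_TYPE_IDENTITY))


def eap_response_identity(supplicant_mac: bytes, identifier: int, identity: str) -> bytes:
    """The reply a supplicant that has credentials sends (host/... for machine auth)."""
    return eapol_frame(supplicant_mac, EAPOL_EAP_PACKET,
                       eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_IDENTITY, identity.encode()))


def decode(frame: bytes) -> dict:
    """Decode one EAPOL frame; raise ValueError for anything not well-formed EAPOL."""
    if len(frame) < 18:
        raise ValueError("frame too short for an EAPOL header")
    dst, src = frame[:6], frame[6:12]
    ethertype, version, eapol_type, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL (ethertype {ethertype:#06x})")
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    out = {"dst": dst.hex(":"), "src": src.hex(":"), "version": version,
           "eapol_type": EAPOL_NAMES.get(eapol_type, eapol_type)}
    if eapol_type != EAPOL_EAP_PACKET:
        return out
    if len(body) < 4:
        raise ValueError("EAP header missing")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len != len(body):
        raise ValueError("EAP length does not match EAPOL body")
    out.update(eap_code=EAP_CODE_NAMES.get(code, code), eap_id=ident)
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if len(body) < 5:
            raise ValueError("EAP Request/Response without a Type byte")
        out["eap_type"] = EAP_TYPE_NAMES.get(body[4], body[4])
        out["eap_data"] = body[5:]
    return out


def reauth_exchange(pc_mac: bytes, switch_mac: bytes, identity: Optional[str]) -> list:
    """Decoded frames for steps 2-3; the Response/Identity is only sent when the
    supplicant has an identity to offer. identity=None is the 'PC sits there' case,
    during which the port stays authorized from the earlier machine-auth."""
    frames = [eapol_start(pc_mac), eap_request_identity(switch_mac, 1)]
    if identity is not None:
        frames.append(eap_response_identity(pc_mac, 1, identity))
    return [decode(f) for f in frames]


if __name__ == "__main__":
    pc, sw = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
    for f in reauth_exchange(pc, sw, None):
        print(f)
```

Running the module with `identity=None` prints only the EAPOL-Start and the Request/Identity, which is exactly the point where the post says the PC "sits there"; the decoder's length checks are the kind a capture tool needs, since a short EAPOL body or a mismatched EAP Length field is malformed rather than merely unusual.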
03-10-2009 04:53 PM
Hello guys,
I apologize for jumping in but I did not want to start a separate thread as this is also a question about 802.1x and EAP on a wired LAN.
My issue is slightly different.....
I already use PEAP for my wireless LAN and want it for my wired users too. The basic idea is this:
1. Upon successful authentication, domain users and computers get access to the network.
2. Guest users (i.e. anyone not part of the domain or with a supplicant that fails authentication) get restricted access.
3. Non-802.1x devices (printers, video conferencing units etc.) will use MAC authentication to access the network.
Here's my dilemma. The building is relatively large so there is one VLAN per floor for each of the groups mentioned above. I need to find a way to get the VLANs assigned on a per floor basis.
Since this is a relatively large deployment, I would like to use AD as the user database. That's what I currently do for wireless. My thinking is that I could probably group the RADIUS clients (switches) per floor and configure the attributes to assign the VLANs based on group.
Is this possible? How can this be done using Cisco ACS? If possible, I prefer not to use dedicated user groups.
03-13-2009 12:47 AM
You have to do this with AD User Groups. You can connect those AD groups to ACS groups. You can configure attributes to those ACS groups to do dynamic VLAN assignment based on user id.
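Whichever way the policy is decided (AD group mapped to an ACS group, as in the reply above, or some other rule), the switch only ever sees the result as three RADIUS attributes in the Access-Accept. The following added example (not from the thread, and not ACS configuration) builds such an Access-Accept with the RFC 2868 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes, computes and verifies the RFC 2865 Response Authenticator, and parses the VLAN back out the way a switch would. To show the poster's per-floor layout it also includes a constructed lookup that derives the floor from the switch's management subnet (what NAS-IP-Address in the Access-Request would carry) and the VLAN from (floor, population); the subnets and VLAN numbers are made up.

```python
"""RADIUS Access-Accept with dynamic VLAN attributes (RFC 2865 / RFC 2868).

Added example; the floor/VLAN tables are constructed, not real configuration.
"""
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional, Tuple

ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_ATTRS = (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID)
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<id>,
    all under one tag. Tagged integers: tag byte + 3-byte value. Tagged string:
    tag byte + ASCII VLAN id (a VLAN name is also legal but not resolved here)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    t = bytes([tag])
    return (attr(ATTR_TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(ATTR_TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode()))


def access_accept(identifier: int, request_authenticator: bytes, secret: bytes,
                  attributes: bytes) -> bytes:
    """Code | Identifier | Length | ResponseAuth | Attributes, where
    ResponseAuth = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(head + request_authenticator + attributes + secret).digest()
    return head + resp_auth + attributes


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """The switch's check before trusting a reply: recompute the authenticator from
    the shared secret and the Request Authenticator it sent; drop on mismatch."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    head, resp_auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(attributes: bytes) -> list:
    """Walk the TLV list, rejecting a length that runs past the buffer."""
    out, i = [], 0
    while i < len(attributes):
        if i + 2 > len(attributes):
            raise ValueError("truncated attribute header")
        atype, alen = attributes[i], attributes[i + 1]
        if alen < 2 or i + alen > len(attributes):
            raise ValueError("malformed attribute length")
        out.append((atype, attributes[i + 2:i + alen]))
        i += alen
    return out


def split_tag(value: bytes) -> Tuple[int, bytes]:
    """RFC 2868: a leading byte above 0x1F is data, not a tag (tag 0 = untagged)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def assigned_vlan(attributes: bytes) -> Optional[int]:
    """Return the VLAN id only if Type=VLAN, Medium=802 and Group-ID share a tag."""
    by_tag: dict = {}
    for atype, value in parse_attributes(attributes):
        if atype in TUNNEL_ATTRS:
            tag, data = split_tag(value)
            by_tag.setdefault(tag, {})[atype] = data
    for group in by_tag.values():
        if (int.from_bytes(group.get(ATTR_TUNNEL_TYPE, b""), "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(group.get(ATTR_TUNNEL_MEDIUM_TYPE, b""), "big") == TUNNEL_MEDIUM_IEEE_802
                and ATTR_TUNNEL_PRIVATE_GROUP_ID in group):
            try:
                return int(group[ATTR_TUNNEL_PRIVATE_GROUP_ID].decode())
            except ValueError:
                return None  # VLAN given by name; a switch would look it up locally
    return None


# Constructed per-floor policy (hypothetical subnets and VLAN numbers).
FLOOR_BY_SWITCH_SUBNET = {ipaddress.ip_network("10.0.1.0/24"): 1,
                          ipaddress.ip_network("10.0.2.0/24"): 2}
VLAN_BY_FLOOR = {(1, "domain"): 110, (1, "guest"): 120, (1, "devices"): 130,
                 (2, "domain"): 210, (2, "guest"): 220, (2, "devices"): 230}


def choose_vlan(nas_ip: str, population: str) -> int:
    """VLAN for a population on the floor whose switch sent the request."""
    addr = ipaddress.ip_address(nas_ip)
    for subnet, floor in FLOOR_BY_SWITCH_SUBNET.items():
        if addr in subnet:
            return VLAN_BY_FLOOR[(floor, population)]
    raise LookupError(f"no floor mapping for switch {nas_ip}")
```

Note that the Response Authenticator is an MD5 construction keyed only by the shared secret, so it protects against a forged Access-Accept on the wire but not against an attacker who has the secret; that is why the RADIUS exchange between switches and ACS belongs on a management network, or inside RadSec/IPsec where available.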
03-13-2009 04:44 AM
That is my exact problem. I cannot pin the VLAN to the user ID since there is no way to predetermine how many users belong to a group. There are over 5000 users in AD. The VLANs have always been assigned based on location (not department or OU) and they would like to keep it that way.