772 Views · 0 Helpful · 4 Replies

What is the user experience before and after configuring switch 802.1X authentication?

getaway51
Level 2
How to enable dumb terminals with ISE, comparison with and without 802.1X

Hi all,

I am trying to understand switch 802.1X activation and its impact on existing devices such as Windows domain login, door access, IP cameras, etc.

1) First of all, all dumb terminals connecting to the switch (without 802.1X) are working fine now. Can I see those devices in ISE? Where?

2) After performing switch 802.1X activation, do I need to make any config change in ISE for these dumb terminals?

3) Currently all Windows workstations log in to the domain successfully. After performing switch 802.1X activation, is there any change in the way users log on to the Windows domain?

4) After performing switch 802.1X activation, is there any config change that I need to do for all 802.1X and non-802.1X devices?

5) If certain devices are not in ISE but work fine before switch 802.1X activation and don't work after 802.1X activation, where can I find those devices and is there any config change that I need to do?

Many thanks for all the info. I am trying to understand the process and user experience before and after 802.1X.

1 Accepted Solution

Without 802.1X: the user plugs into the switchport and gets instant access.

With 802.1X: the user's supplicant is challenged for authentication and assuming they pass authentication, they are allowed access.

 

The exact behavior depends on many things on the endpoint which ISE does not control:

  • is the user's supplicant enabled (Windows wired supplicant is disabled by default)
  • which trusted certificates are in the Trusted CA store
  • is the supplicant configured to accept untrusted certs?
  • which protocols are enabled/supported by the supplicant?
  • is credential caching enabled?
  • is the user already logged into the computer or waiting to login
  • how is the switchport configured:
    • Closed Mode
    • Open Mode
    • Low-Impact with ACL

So, It Depends. Please be extremely specific about the details of your scenario.


4 Replies

ldanny
Cisco Employee

Please see our ISE Secure Wired Access Deployment Guide to get an understanding of the different authentication types provided and their behavior in a wired environment.

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

I have read lots of 802.1X docs, but I still can't find any that explains the user experience before and after configuring switch 802.1X authentication.


Without 802.1X: the user plugs into the switchport and gets instant access. 

With 802.1X: the user's supplicant is challenged for authentication and assuming they pass authentication, they are allowed access. 

Currently all Windows PC users log in to the domain using username and password. Is there any difference in the way users log in to the domain after the switch activates the 802.1X config? Can I say that the above challenged authentication with switch 802.1X is provided when they log in to their company domain?

Servers use CA certs. Other devices like CCTV and printers use MAC address bypass, I think.

Is there any difference for these devices after the switch activates the 802.1X config?

The exact behavior depends on many things on the endpoint which ISE does not control:

  • is the user's supplicant enabled (Windows wired supplicant is disabled by default) YES, currently all Windows have 802.1X enabled.
  • which trusted certificates are in the Trusted CA store. Where can I check? May I know what the purpose is? Currently all servers are running fine using CA certs with ISE, I think.
  • is the supplicant configured to accept untrusted certs? I believe no. What is the objective of this function?
  • which protocols are enabled/supported by the supplicant? username & password, MAC bypass, certs
  • is credential caching enabled? Where can I check?
  • is the user already logged into the computer or waiting to login. Users will log in to the domain every time it reboots.
  • how is the switchport configured: Where can I check?
    • Closed Mode
    • Open Mode
    • Low-Impact with ACL

So, It Depends. Please be extremely specific about the details of your scenario.
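As an added example (not from this thread, and not Cisco's own documentation), here is what the three switchport modes named in the accepted solution (Closed, Open, Low-Impact with ACL) look like as IOS interface configuration, together with the show commands that answer the "how is the switchport configured: where can I check?" question in the reply above. The interface names, VLAN number, RADIUS server name and the PRE-AUTH ACL name are assumptions; substitute your own. The comments describe what an endpoint without a working supplicant or MAB entry experiences in each mode, which is the "before and after" difference the thread is asking about.

```cisco
! Added example, not from the thread. Interface, VLAN, server and ACL names are assumed.
!
! Global prerequisites (one time). "ISE-PSN" and its address are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
dot1x system-auth-control
!
! Pre-authentication ACL used only by Low-Impact mode: before a device has
! authenticated it may only obtain an address (DHCP) and resolve names (DNS).
ip access-list extended PRE-AUTH
 remark Assumed ACL name; permit only what an unauthenticated endpoint needs
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny   ip any any
!
! 1) Closed Mode: only EAPOL passes until dot1x or MAB succeeds. A PC whose
!    wired supplicant is disabled, or a printer/camera with no MAB entry in
!    ISE, gets no connectivity at all. This is the mode where "worked before,
!    stopped after" complaints appear.
interface GigabitEthernet1/0/1
 description Closed mode (assumed port)
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! 2) Open Mode: "authentication open" lets all traffic through even when
!    authentication fails or never starts. Users notice no change versus a
!    port without 802.1X, but ISE still records every dot1x/MAB attempt, so
!    the ISE live logs show which dumb terminals are not yet known before
!    the port is moved to Closed mode.
interface GigabitEthernet1/0/2
 description Open (monitor) mode (assumed port)
 switchport mode access
 switchport access vlan 10
 authentication open
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! 3) Low-Impact: Open mode plus PRE-AUTH applied inbound. An endpoint that
!    never authenticates keeps DHCP/DNS only; on success ISE can return a
!    downloadable ACL that takes precedence over PRE-AUTH for that session.
interface GigabitEthernet1/0/3
 description Low-impact mode (assumed port)
 switchport mode access
 switchport access vlan 10
 ip access-group PRE-AUTH in
 authentication open
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Where to check which mode a port is in and how each endpoint fared:
!   show running-config interface GigabitEthernet1/0/3
!   show authentication sessions interface GigabitEthernet1/0/3 details
!   show dot1x interface GigabitEthernet1/0/3 details
```

The three interfaces differ only in the presence of `authentication open` and the inbound ACL, which is why the same endpoint can be fully working, silently monitored, or cut off depending on the port it is plugged into; running Open mode first and reading ISE's live logs is the usual way to find the devices from question 5 before any port is closed.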