
Windows GPO - 802.1x Wired Settings Explanation In Detail

ryanbess
Level 1

We are about to start rolling out and onboarding Windows endpoints into ISE for Wired 802.1x. Everything seems to be working in the lab and in test production workstations; however, I still have questions about what many of the GPO settings actually do and what the use case is for enabling them. I've done my fair share of googling and have yet to find the data I'm looking for. Hopefully someone with more experience can shed some light. All of our workstations are domain joined and, for better or worse, we will be using PEAP. I know it's not ideal, but there are reasons behind it.

Here are a few examples at the moment. I'm unsure what they really do and what the use case for them is.

1. General Tab: "Don't allow shared user credentials for network authentication".  What is this preventing a user from doing?

2. Security Tab:  "Max Auth Failures".  It's defaulted to 1, what does this setting do and why would you increase the value?

3. Security Tab: "Cache user information for subsequent connections to this network". Why is this an option when, in the Security Tab > properties of PEAP > Configure button, the option "Automatically use my Windows logon name and password (and domain if any)" is already there? Does the "Cache user information..." setting really do nothing in a domain environment?

4.  Advanced Security Settings > IEEE 802.1x:  Why give all these options...what's the use case?

5. Advanced Security Settings > Single sign on: Again, does this do anything if you have "Automatically use my Windows logon name and password" enabled? What's the advantage of setting this?

Thanks everyone for your help.

3 Replies

Torbjørn
VIP

This page is quite useful when configuring this: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831813(v=ws.11) 

1. General Tab: "Don't allow shared user credentials for network authentication".  What is this preventing a user from doing?

"Specifies that users with computers running Windows 7 are not allowed to store their user credentials (such as user name and password), which the computer can then use to log on to the network (even though the user is not actively logged on to the computer)."

2. Security Tab:  "Max Auth Failures".  It's defaulted to 1, what does this setting do and why would you increase the value?

Specifies the maximum number of failed authentication attempts that can occur with a specific set of credentials before notification is displayed to indicate that authentication has failed.

3. Security Tab:  Cache user information for subsequent connections to this network (why is this option when in the Security Tab > properties of PEAP > Configure button there's the option of "Automatically use my Windows logon name and password (and domain if any) is there.  Does the "Cache user information...." really do nothing in a domain environment?

This is only really relevant if the domain machine is to connect to a network where the current logon credentials are not to be used for 802.1X - which might or might not be relevant in your environment.

4.  Advanced Security Settings > IEEE 802.1x:  Why give all these options...what's the use case?

They are all likely a result of someone, somewhere at some point needing each option for some reason. Unless you have a specific reason to change them it's probably best to leave them to defaults.

5. Advanced Security Settings > Single sign on:  Again does this do anything if you have "Automatically use my Windows logon name and password" Enabled.  What's the advantage of setting this

This used to be called "Pre-Logon Access Provider", which is a more fitting name IMO. This allows the user to authenticate to the network before (or after) Windows login.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Thank you for your feedback. For number 1, I'm pretty sure it's Windows 7 and newer OSes. For number 5, how can a user authenticate to the network when number 1 is enabled?

1. Dictates whether the computer is allowed to _store_ the credentials for future network authentication. Disabling this will require you to authenticate to the network each time you reconnect to the network.

5. Dictates whether you should be allowed to authenticate to the network before (or immediately after) login. This doesn't rely on storing the credentials. The most common reason to do this is if you need to authenticate to the network (802.1X) with a user account for your computers to be able to reach a DC for Windows authentication.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev
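The GPO fields discussed in this thread (Max Auth Failures, cache user information, the Advanced 802.1X timers and Single sign on) are written into the wired LAN profile XML that `netsh lan export profile` produces, under the `OneX` element. As an added example that is not part of the thread and not Microsoft's or Cisco's code, the script below parses such an export and reports each setting under its GPO name, then lists the points a reviewer would want to see before the policy goes out. The profile XML embedded here is a constructed sample with the dialog defaults (Max Auth Failures 1, Max EAPOL-Start 3, Held 1, Start 5, Auth 18) plus caching and pre-logon SSO switched on; element names follow the OneX profile schema, and the defaults used when an element is absent are assumptions matching the dialog defaults.

```python
"""Report the 802.1X (OneX) settings inside an exported Windows wired LAN profile."""
import xml.etree.ElementTree as ET

# Namespaces used by the LAN profile schema and the OneX schema.
NS = {
    "lan": "http://www.microsoft.com/networking/LAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
}

# Constructed sample resembling `netsh lan export profile` output (not a real export).
SAMPLE_PROFILE = """<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machineOrUser</authMode>
        <singleSignOn>
          <type>preLogon</type>
          <maxDelay>10</maxDelay>
          <allowAdditionalDialogs>false</allowAdditionalDialogs>
          <userBasedVirtualLan>false</userBasedVirtualLan>
        </singleSignOn>
        <cacheUserData>true</cacheUserData>
        <heldPeriod>1</heldPeriod>
        <authPeriod>18</authPeriod>
        <startPeriod>5</startPeriod>
        <maxStart>3</maxStart>
        <maxAuthFailures>1</maxAuthFailures>
        <EAPConfig/>
      </OneX>
    </security>
  </MSM>
</LANProfile>
"""

# OneX element -> (GPO dialog label, assumed default when the element is absent, type)
FIELDS = {
    "authMode": ("Authentication mode", "machineOrUser", str),
    "maxAuthFailures": ("Security tab: Max Auth Failures", "1", int),
    "cacheUserData": ("Security tab: Cache user information for subsequent connections", "false", bool),
    "maxStart": ("Advanced > IEEE 802.1X: Max EAPOL-Start Msgs", "3", int),
    "heldPeriod": ("Advanced > IEEE 802.1X: Held Period (s)", "1", int),
    "startPeriod": ("Advanced > IEEE 802.1X: Start Period (s)", "5", int),
    "authPeriod": ("Advanced > IEEE 802.1X: Auth Period (s)", "18", int),
}


def _bool(text: str) -> bool:
    return text.strip().lower() == "true"


def parse_onex(profile_xml: str) -> dict:
    """Return the 802.1X settings of a wired profile keyed by OneX element name."""
    root = ET.fromstring(profile_xml)
    sec = root.find("lan:MSM/lan:security", NS)
    if sec is None:
        raise ValueError("no MSM/security element; not a wired LAN profile")
    result = {"OneXEnabled": _bool(sec.findtext("lan:OneXEnabled", "false", NS))}
    onex = sec.find("onex:OneX", NS)
    if onex is None:                      # 802.1X block absent: nothing more to read
        result["singleSignOn"] = None
        return result
    for name, (_label, default, typ) in FIELDS.items():
        raw = onex.findtext(f"onex:{name}", default, NS)
        result[name] = _bool(raw) if typ is bool else typ(raw)
    sso = onex.find("onex:singleSignOn", NS)
    result["singleSignOn"] = None if sso is None else {
        "type": sso.findtext("onex:type", "", NS),             # preLogon or postLogon
        "maxDelay": int(sso.findtext("onex:maxDelay", "10", NS)),
    }
    return result


def review(settings: dict) -> list:
    """Points a policy reviewer should confirm were intended, derived from the parsed values."""
    notes = []
    if not settings["OneXEnabled"]:
        notes.append("802.1X is not enabled in this profile")
        return notes
    if settings["cacheUserData"]:
        notes.append("cache user information is on: user credentials are stored for reconnects")
    if settings["maxAuthFailures"] > 1:
        notes.append(f"maxAuthFailures={settings['maxAuthFailures']}: failure notice is delayed")
    sso = settings["singleSignOn"]
    if sso:
        notes.append(f"single sign on: {sso['type']}, max delay {sso['maxDelay']}s")
    elif settings["authMode"] == "userOnly":
        notes.append("user-only auth without single sign on: no network before a user logs on")
    return notes


if __name__ == "__main__":
    parsed = parse_onex(SAMPLE_PROFILE)
    for name, (label, _d, _t) in FIELDS.items():
        print(f"{label}: {parsed[name]}")
    for note in review(parsed):
        print("-", note)
```

To use it on a real workstation, run `netsh lan export profile folder=C:\temp` on the endpoint and pass the exported file's contents to `parse_onex`; comparing the report across a lab machine and a production machine is a quick way to confirm the GPO actually landed as intended.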