Wired 802.1x should computer authentication be allowed?

muhammadtalha
Level 1

Hello All, 

I have implemented wired 802.1X (EAP-PEAP) in my network, and AD is integrated with the ISE server to allow authenticated domain users to access the network. The users are able to authenticate successfully with their domain username and password, and I can see the logs in the ISE server hitting the policy successfully. When a user logs out and does not shut down the PC, the PC communicates with the domain controller for updates etc., and I can see DOT1x auth fail logs on the switch. In the ISE logs I can see that the authentication request is coming from the PC with no username, only the PC name xyz.domain. Since there is no policy for domain computers, the switch keeps getting Auth Fail logs. When I add the domain computers to the policy, the PC authenticates successfully when no one is logged in.

Is this a safe practice, for domain computers to have network access when no one is logged in? If not, what is the solution? Failed authentication generates a lot of logs, and the PC will keep trying to authenticate when no one is logged in.

Accepted Solution

@muhammadtalha Yes, I've never had a customer that has not authenticated the domain-joined computers. This allows the computer Group Policies to be processed on startup, Windows updates to be downloaded, and remote management of the devices when no user is logged in.

If you wish to restrict this access, then deploy a DACL to computers, once they are authorised by ISE, that restricts access to only the domain controllers, DNS, update servers etc. Amend your ISE authorisation rules accordingly to authenticate the computers and deploy the DACL.

If you do not wish to authenticate the computers, you need to reconfigure the supplicant on the computers to perform "User authentication" rather than "User or Computer authentication".

[attached screenshot: 072519_1338_configuring2.png]

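As an added example, not part of the original reply, here is what the restricted machine-authentication DACL described above could look like, written in the Cisco IOS extended ACL syntax that ISE expects for a downloadable ACL, together with the switch-side commands used to confirm it was applied to a session. The server addresses (10.0.0.10/11 domain controllers, 10.0.0.20 WSUS, 10.0.0.30 management server), the DACL name and the port list are assumptions for illustration; adjust them to your environment. Note that the source of every entry is `any` because the switch substitutes the authenticated host's IP at download time, which requires IP device tracking (`ip device tracking` on classic IOS, a `device-tracking policy` on newer IOS-XE) to be active on the access ports.

```cisco
! ISE > Policy > Policy Elements > Results > Authorization > Downloadable ACLs
! Name: MACHINE-AUTH-RESTRICTED   (hypothetical name)
! Attach it to an authorization profile, and match that profile from an
! authorization rule whose condition is the AD external group
! "<domain>/Users/Domain Computers" (i.e. the computer account, User-Name
! of the form host/xyz.domain). Place this rule below the rule that gives
! interactive domain users full access, so a logged-in user still gets the
! user result.
!
! DNS and DHCP so the host can resolve and keep its lease
permit udp any host 10.0.0.10 eq 53
permit udp any host 10.0.0.11 eq 53
permit udp any any eq 67
! Kerberos, LDAP, SMB and RPC to the domain controllers: needed for
! machine Group Policy processing (SYSVOL is read over SMB) and secure
! channel maintenance
permit tcp any host 10.0.0.10 eq 88
permit udp any host 10.0.0.10 eq 88
permit tcp any host 10.0.0.10 eq 389
permit udp any host 10.0.0.10 eq 389
permit tcp any host 10.0.0.10 eq 445
permit tcp any host 10.0.0.10 eq 135
permit tcp any host 10.0.0.10 range 49152 65535
permit udp any host 10.0.0.10 eq 123
! Same set for the second DC
permit tcp any host 10.0.0.11 eq 88
permit udp any host 10.0.0.11 eq 88
permit tcp any host 10.0.0.11 eq 389
permit udp any host 10.0.0.11 eq 389
permit tcp any host 10.0.0.11 eq 445
permit tcp any host 10.0.0.11 eq 135
permit tcp any host 10.0.0.11 range 49152 65535
! Windows Update via an internal WSUS server (hypothetical address)
permit tcp any host 10.0.0.20 eq 8530
permit tcp any host 10.0.0.20 eq 8531
! Remote management server (hypothetical address)
permit tcp any host 10.0.0.30 eq 443
! Everything else is dropped while only the machine is authenticated
deny ip any any

! On the access switch, verify that the machine session carries the DACL.
! Interface and output fields shown are illustrative.
switch# show authentication sessions interface GigabitEthernet1/0/5 details
!   User-Name:  host/xyz.domain
!   Status:     Authorized
!   ACS ACL:    xACSACLx-IP-MACHINE-AUTH-RESTRICTED-<hash>
switch# show ip access-lists interface GigabitEthernet1/0/5
switch# show ip device tracking all
```

The `deny ip any any` at the end is the important line: a DACL with only `permit` statements still ends in an implicit deny, but stating it explicitly makes the intent obvious when someone later adds an entry. When the user then logs in, the switch re-authenticates the port with the user's credentials and ISE returns the user's (broader) authorization, replacing this ACL.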

2 Replies


Thanks, I got exactly what I was looking for!!