Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2342
Views
5
Helpful
3
Replies

802.1x and Port Security

Go to solution
MrBeginner
Spotlight
Spotlight

‎09-19-2019 02:52 AM

Hi all,

I would like to ask about 802.1x.It is very simple question for you but i can't understand easily.

i would like to deploy 802.1x wired authentication.

  1.  i am applied static vlan and ACL rule is already applied on the switches.Can i deploy 802.1x configuration on existing production switches for authentication only to pass traffic ? Do not use for dACL function,DHCP functions and dynamic VLAN assign .is it ok ? i want to use static ACl and VLAN.
  2. i want to join My workgroup PCs (no domain joined) to my network and want to use 802.1x wired authentication with certificate.i don't want to type username and password.Any computer which is installed our certificate can connect to my network.Can it be or not ?

 

 

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎09-19-2019 03:03 AM

Hi,
1. Yes you can still authenticate the users/computers.

2. Yes you can, but how are you going to get the certificates on those devices? It's not so easy on a non-domain joined computer. If you are using ISE you could use the certificate enrollment portal to acquire a certificate, however this cannot be automated/transparent to the user. If the computer was domain joined, the GPO could automate the provisioning of certificates and renewals, without interaction from the user. Another option could be to use MAB for those devices, find out their MAC addresses and permit only those devices. This is less secure than dot1x however, but possibly easier for you to manage.

HTH

View solution in original post

Go to solution
Rob Ingram
VIP
VIP
In response to MrBeginner

‎09-20-2019 12:45 AM

Ok. Yes, you can manually create a CSR on the non-domain joined computer, get it signed and import the signed certificate on the computer.

HTH

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Rob Ingram
VIP
VIP

‎09-19-2019 03:03 AM

Hi,
1. Yes you can still authenticate the users/computers.

2. Yes you can, but how are you going to get the certificates on those devices? It's not so easy on a non-domain joined computer. If you are using ISE you could use the certificate enrollment portal to acquire a certificate, however this cannot be automated/transparent to the user. If the computer was domain joined, the GPO could automate the provisioning of certificates and renewals, without interaction from the user. Another option could be to use MAB for those devices, find out their MAC addresses and permit only those devices. This is less secure than dot1x however, but possibly easier for you to manage.

HTH

Go to solution
MrBeginner
Spotlight
Spotlight
In response to Rob Ingram

‎09-19-2019 06:30 PM - edited ‎09-19-2019 06:31 PM

Hi ,

thank for explain.

i consider manually create cert request file for all clients and manually install and renews .is it possible ? I already tested on Domain Joined PC scenario .I want to know work group PC can handle with 802.1x by using certificate or not ?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to MrBeginner

‎09-20-2019 12:45 AM

Ok. Yes, you can manually create a CSR on the non-domain joined computer, get it signed and import the signed certificate on the computer.

HTH
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents