802.1x for user authentication setup questions

ebell
Level 1

Hi,

I am fairly new to the 802.1x realm. I have read several documents on how the setup is accomplished and I was hoping someone could validate the setup I have in mind to make sure I am on the right page. Any comments or assistance would be greatly appreciated; I do not have the infrastructure to test everything beforehand.

I have a remote site with a switch and router. I want to authenticate users using their AD credentials. At the datacenter I will have ACS 5.2 and a Windows 2008 Enterprise server for the AD service and CS service. I do not have the option to install an additional client on the PC like AnyConnect; I need to use the Windows OS supplicant without installing physical certificates on the machine.

- Within the CS service I will generate a certificate that will be imported by ACS.

- I will activate ACS to integrate with AD

- I do not want to install certificates on the client machines so I will use PEAP w/ MSCHAPv2

- The authenticating clients will be XP w/ SP3. I am hoping that a group policy can be created to enable the wired service to start automatically, and I will also need to add my CS/CA server as a trusted authority unless I purchase a VeriSign certificate to be used. Correct? Or will this need to be done when the desktop image is installed on the PC?

Additional Questions:

- With the setup I described above using MSCHAPv2, when the user boots the computer in the morning, hits ctrl+alt+delete and provides their AD credentials, will this act as a single sign-on? First authenticating them through 802.1x so the port is authorized and then authenticating them to the AD server? Or will there be some type of pop-up window that will appear before the ctrl+alt+delete window, making the user provide credentials twice (annoying)?

- Once the user is authenticated can I push an ACL down to the switch to enforce a set policy? Or does this happen on the router?

- Most of the documents I have read are related to L2 802.1x. Is there an L3 option that includes the router that I should be looking at to provide more features?

- Can anyone speak to their experience with the Windows OS supplicants? Is the functionality flaky/clunky, or if the backend is set up properly does it work seamlessly?

Sorry for the long-winded post but I am kind of shooting in the dark without having the equipment to test with. Any help is appreciated!

Thanks


Tarik Admani
VIP Alumni

Hi,

You are on track with your understanding. The Windows supplicant, when configured to use PEAP MSCHAPv2, will have a setting to automatically use the Windows logon credentials, so you are safe with that realm. You can use a downloadable ACL which can be used to enforce traffic policies for your clients. Also, the last question that you had was regarding not having to download certificates: you will have to push the root certificate to all your clients, so once you configure the certificate used for PEAP authentication you don't have to worry about the user having to see the untrusted certificate warning when connecting the first time.

Thanks,

Tarik

Nicolas Darchis
Cisco Employee

Q:

- The authenticating clients will be XP w/ SP3. I am hoping that a group policy can be created to enable the wired service to start automatically, and I will also need to add my CS/CA server as a trusted authority unless I purchase a VeriSign certificate to be used. Correct? Or will this need to be done when the desktop image is installed on the PC?

A: Yes. Normally group policies can configure the network interface on the laptops and push the certificate of the CA too.

Q:

- With the setup I described above using MSCHAPv2, when the user boots the computer in the morning, hits ctrl+alt+delete and provides their AD credentials, will this act as a single sign-on? First authenticating them through 802.1x so the port is authorized and then authenticating them to the AD server? Or will there be some type of pop-up window that will appear before the ctrl+alt+delete window, making the user provide credentials twice (annoying)?

A: If you select "Use windows credentials" it won't prompt you for credentials. So all automatic.

However, note that it will only log in AFTER you entered the credentials on the logon page. So you won't have network connectivity for the initial logon, so no login scripts this way.

Q:

- Once the user is authenticated can I push an ACL down to the switch to enforce a set policy? Or does this happen on the router?

A: Yes. ACS can send back an ACL or an ACL name to the switch where the client is connecting from. It has to be the device on which the dot1x is happening.

Q:

- Most of the documents I have read are related to L2 802.1x. Is there an L3 option that includes the router that I should be looking at to provide more features?

A: Dot1x is layer 2 and happens on the device to which you directly connect. What kind of features are you looking at with regards to the layer 3 or router exactly?

Q:

- Can anyone speak to their experience with the Windows OS supplicants? Is the functionality flaky/clunky, or if the backend is set up properly does it work seamlessly?

A: It does its basic job.

Drawbacks are: no network pre-logon before Windows login, no timer configuration, only PEAP available...

But if it works for you, then fine with that :-)

Thanks to you both for the responses.

I have a few follow-up questions which I have added inline.

Q:

- With the setup I described above using MSCHAPv2, when the user boots the computer in the morning, hits ctrl+alt+delete and provides their AD credentials, will this act as a single sign-on? First authenticating them through 802.1x so the port is authorized and then authenticating them to the AD server? Or will there be some type of pop-up window that will appear before the ctrl+alt+delete window, making the user provide credentials twice (annoying)?

A: If you select "Use windows credentials" it won't prompt you for credentials. So all automatic.

However, note that it will only log in AFTER you entered the credentials on the logon page. So you won't have network connectivity for the initial logon, so no login scripts this way.

--

With your comments I am rethinking my approach. I am considering that, if the company security policy will allow it, I will do machine authentication only instead of user auth. Obviously this is not as secure, since a rogue user could change the local admin password and have access to the network. But in terms of simplicity and ease of use, machine authentication provides a transparent authentication mechanism that should suffice. I would just have to sell the solution to security.

There are a few things I need to understand before pursuing this.

- Will the machine be 802.1x authenticated and on the network before the ctrl+alt+delete? So when the user logs in, the machine has passed 802.1x already and has received an IP from DHCP? This is my hope.

- Is PEAP/MSCHAP still the supported protocol, so no physical cert is required per machine? No EAP-TLS?

- Is the machine profile on the AD server used for 802.1x verification/authentication? Meaning ACS will pass off to AD to verify the machine is part of the domain? Or do you have to create machine profiles in ACS?

- I have read a few articles out there about issues with machine auth with clients using XP; perhaps this was related to previous service packs before SP3? There was mention of registry changes required etc.

- Is there a different supplicant offered by Cisco that is more robust, that would provide more stability? Or does the Cisco supplicant cost money per user license or other etc.?

Again, your feedback is invaluable as I do not have the physical equipment to test with. Unfortunately I have to propose a solution before actually testing something, which I am not particularly fond of.

Regards,

Eric

- Will the machine be 802.1x authenticated and on the network before the ctrl+alt+delete? So when the user logs in, the machine has passed 802.1x already and has received an IP from DHCP? This is my hope.

Yes, machine authentication happens as soon as the PC has booted.

- Is PEAP/MSCHAP still the supported protocol, so no physical cert is required per machine? No EAP-TLS?

You can do machine auth with any protocol. PEAP is a good option.

- Is the machine profile on the AD server used for 802.1x verification/authentication? Meaning ACS will pass off to AD to verify the machine is part of the domain? Or do you have to create machine profiles in ACS?

Yes, it's best to use ACS with AD so that it uses the machine profile on AD and the machine account password change happens automatically every x days.

- I have read a few articles out there about issues with machine auth with clients using XP; perhaps this was related to previous service packs before SP3? There was mention of registry changes required etc.

Indeed.

- Is there a different supplicant offered by Cisco that is more robust, that would provide more stability? Or does the Cisco supplicant cost money per user license or other etc.?

AnyConnect, but I guess they don't give it out for free indeed :-)

Just to clarify...

- Is the machine profile on the AD server used for 802.1x verification/authentication? Meaning ACS will pass off to AD to verify the machine is part of the domain? Or do you have to create machine profiles in ACS?

Yes, it's best to use ACS with AD so that it uses the machine profile on AD and the machine account password change happens automatically every x days.

When you say "machine account password change happens automatically every x days", are you indicating that users will be prompted for a password during boot to complete the machine authentication? If so, is the password maintained in AD or ACS? Please clarify. I was hoping this authentication would be completely transparent to the end user.

- I have read a few articles out there about issues with machine auth with clients using XP; perhaps this was related to previous service packs before SP3? There was mention of registry changes required etc.

Indeed.

There seem to be many forum articles out there regarding this subject, and often they are confusing. Do you have a URL you could share that will give me direct answers to what needs to be configured in the clients' registry? In addition, if you have any other URLs that you used or think would help me set up this solution, please share them with me if possible.

Thanks for all your help

You got me wrong.

By default, AD rotates the machine account passwords.

But that doesn't mean that you need to type a password (otherwise it wouldn't be a machine auth). When the PC is first joined to the domain (wired) it gets its password from AD, valid for the next 30 days.

At the end of the period, AD automatically sends the new password to the machine, so it's still 100% transparent.

The only issue that you might notice is if you take a laptop away for 2 months: it will not be able to connect back on a dot1x port because it didn't get the new password. So you will need to put that laptop on an unprotected port so that it can get the new password when joined to the domain.

For the last part, my "indeed" meant that with XP SP3 you should be good to go.

The registry keys are mainly to say "I want only machine auth" or "only user auth".

The checkbox on the windows config is "use computer information when available", so it does both machine and user auth if it can.

Nicolas, thanks for your clarification.

Had one more quick one if you're willing...

I was thinking of doing MAB for the phones and printers onsite.

I will have ports that have VoIP phones, and users will be connected to the secondary port on the phone. Will this require me to set this port as multi-host? As I understand it, if I set up the port for multi-host, anyone connecting to the phone's second port will have access without authenticating using machine credentials. Is there another approach that I should consider for this? I would like to have the phone auth using MAB or other, and the user connected to the phone do the normal machine authentication. Also I would prefer to have the phone and data networks separated on different VLANs if possible.

Much appreciated!

Eric

Multi-domain is what you are looking for.

It authenticates only a phone in the voice VLAN and only one PC in the data VLAN.

MAB is usually done for the phone. You can send the device-traffic-class=voice attribute after MAB to make sure it's assigned the voice VLAN. Some phones can also indicate that they are a phone thanks to CDP.
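As an added example (not posted by anyone in this thread), here is a Catalyst IOS switch configuration for the multi-domain setup described above: the phone is authenticated by MAB into the voice VLAN and the PC behind it is authenticated by 802.1X (PEAP machine auth against ACS) into the data VLAN. The RADIUS server address 192.0.2.10, the shared-secret placeholder, VLANs 10 and 20 and the interface name are assumed values; replace them with your own.

```cisco
! ---- Global AAA: ACS 5.2 acts as the RADIUS server (address and key are assumed) ----
aaa new-model
aaa authentication dot1x default group radius
! Needed so the switch accepts VLAN / downloadable ACL attributes returned by ACS
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <SHARED-SECRET-PLACEHOLDER>
! Enable 802.1X globally; without this every port stays open regardless of interface config
dot1x system-auth-control
! Downloadable ACLs are applied per client IP, so the switch must learn client IPs
ip device tracking
!
! ---- Access port with a VoIP phone and a PC daisy-chained behind it (assumed port) ----
interface GigabitEthernet0/1
 description Phone + PC behind it
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Multi-domain: exactly one host may authenticate in the voice domain and one in the data domain;
 ! this is the alternative to multi-host, where one success would open the port for everyone
 authentication host-mode multi-domain
 ! Try 802.1X first; a device that never answers EAP (phone, printer) falls back to MAB
 authentication order dot1x mab
 ! If a MAB session is up and the device later speaks EAP, let 802.1X take over
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 ! Shorten the EAP-Request/Identity retry (default 30 s) so the MAB fallback for the phone is quicker
 dot1x timeout tx-period 10
 spanning-tree portfast
```

For the phone to land in the voice domain, its MAB authorization profile on ACS has to return the Cisco AV pair `device-traffic-class=voice`; the PC's session is authorized into the data VLAN, and any dACL ACS returns for it is applied on this same switch port, which is where dot1x happens. `show authentication sessions interface GigabitEthernet0/1` shows both sessions, their domain (VOICE or DATA) and the method that authorized them.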