802.1x port based authentication

tedauction
Level 1

Hello, regarding 802.1x switchport based authentication using client GPO generated certificates.

When this is implemented, do most companies use:

- a 'computer' certificate for authentication.

- both the above computer certificate and also a 'user' certificate?

Thanks kindly.

6 Replies

Philip D'Ath
VIP Alumni

I can't comment on "most companies", but when I have done it I use both - because it makes for the most reliable simple setup.

Hello Philip, thanks for that.

How does using both a client and computer certificate make it more reliable?

How does the client certificate work when you have multiple users on that machine?

Thanks kindly for any information.

Because (by default) Windows uses a machine certificate before the user logs in to apply group policies and perform user authentication.

After that it re-authenticates with 802.1x using the user details.

To change the behaviour you need to change a lot of group policy settings.

Hello Philip, currently we do not use any client side certificates.

It is only now that I am implementing port based 802.1x that we will be using certificate authentication.

This is just an upgrade from our previous switchport port-security method which just tested for MAC address matching the sticky entry.

Therefore, with my new 802.1x port based authentication would it be fine just to use 'computer' certificates rather than 'computer' and 'client' certificates?

Are you mostly using Windows machines?  If so, I would use much simpler PEAP authentication.  You can then authenticate computers and users based on their logged on credentials.  Much easier.

You can use just computer certificates.  Like I said (for the reasons already given), it usually makes it more difficult than using both computer and user certificates.

Ganesh Hariharan
VIP Alumni

Hi,

Even when we did the implementation, we added both the configuration and certificates at server and client to get proper authentication and reliable communication for handshake.

-GI
