
What rules are required in the logon_role to enable 802.1x authentication

  • 1.  What rules are required in the logon_role to enable 802.1x authentication

    Posted May 31, 2016 07:36 PM

    I am using 802.1x authentication with roles derived from a RADIUS server. I have 3x roles:

    logon_role

    user_role

    quarantine_role

    User and quarantine are user-based roles; depending on the health check and group access etc., they are approved access on the network or denied and fall into the quarantine network.

    The login role is for the machine: when authenticated it is given the logon_role. I currently have this policy assigned to the role:

    udp 68 deny

    svc dhcp permit

    svc dns permit

    svc icmp permit

    svc natt permit

    any any any deny

    To allow a user login to occur on this machine, currently assigned the logon_role, what other services or ports need to be allowed in the logon_role/policy?

    Thanks heaps



  • 2.  RE: What rules are required in the logon_role to enable 802.1x authentication

    EMPLOYEE
    Posted May 31, 2016 07:38 PM
    802.1X happens at L2. Are you talking about a Windows device authenticating to Active Directory at user login?


  • 3.  RE: What rules are required in the logon_role to enable 802.1x authentication

    Posted May 31, 2016 08:13 PM

    That's what I thought, but when machine authentication occurs it is assigned the logon_role. If a user logs on, the user_role is assigned; when they log off, the machine reauthenticates and is given the logon_role again. This process works fine, with roles changing as user and machine re-authenticate.

    The problem I am having is that when the machine is restarted it is not receiving a role at startup; at this point I can disconnect the Ethernet cable and reconnect, and a role is then defined. Or, if I change the last rule (any any any deny) in the policy to allow, for some reason this works too. This is why I suspect a rule needs to be added to the policy, as I am then getting hits on the rule in the firewall.

    I have changed the machine group policy to wait for network initialisation before login, but it has not made any difference.



  • 4.  RE: What rules are required in the logon_role to enable 802.1x authentication

    EMPLOYEE
    Posted May 31, 2016 08:43 PM

    Machine authentication should have an "allow all" role.  That is equivalent to a machine being plugged in via Ethernet at the Windows login prompt.  The user has no rights to do anything interactively, but the machine itself should have the right to do everything, like Windows updates, administrators opening shares, RDP, etc.



  • 5.  RE: What rules are required in the logon_role to enable 802.1x authentication

    Posted Jun 01, 2016 04:05 PM

    Thanks, Colin.

    Have added an allow all rule, but the same issue is still there.

    When the Win7 client boots it is not assigned a role - RADIUS indicates that the PC did not match a connection policy.

    However, if I unplug the Ethernet connection and plug in again, forcing the network adapter to reset and the PC to re-authenticate, then it is assigned the logon_role. This doesn't occur 100% of the time, but it would be at least 80% over all clients. The PCs are fully updated and meet all the health requirements; they just stumble slightly at startup. Logging in with a user account at this point will assign the user_role, and then logging off will allow the PC to reauthenticate and it will then pick up the logon_role. It's just not occurring at startup.



  • 6.  RE: What rules are required in the logon_role to enable 802.1x authentication

    EMPLOYEE
    Posted Jun 01, 2016 04:37 PM

    Wait...

    Is this a wired or wireless device?  What is the wired device plugging into?



  • 7.  RE: What rules are required in the logon_role to enable 802.1x authentication

    Posted Jun 01, 2016 05:25 PM

    These are wired devices connected to the wired port on a RAP-155.



  • 8.  RE: What rules are required in the logon_role to enable 802.1x authentication

    EMPLOYEE
    Posted Jun 01, 2016 08:56 PM

    The radius server probably rejected it, because the computer account is a member of the "Domain Computers" AD group.  That group needs to be allowed to successfully authenticate machine-authenticated devices.
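    As an added illustration (not the poster's configuration, and not a fix for the RADIUS-side policy that the reply above points at), this is how the restrictive policy from message 1 and the "allow all" machine role from message 4 look side by side in ArubaOS CLI syntax. The policy and profile names (logon_policy, allowall, dot1x_prof), the mapping of the posted GUI rule names to CLI service keywords, and the comment on when the default roles apply are assumptions, not taken from the thread.

    ```text
    ! Assumed CLI rendering of the policy posted in message 1. A host holding
    ! this role can obtain an address and resolve names, and nothing else.
    ip access-list session logon_policy
      user any udp 68 deny
      user any svc-dhcp permit
      user any svc-dns permit
      user any svc-icmp permit
      user any svc-natt permit
      any any any deny
    !
    ! The "allow all" policy suggested in message 4: the machine itself, not
    ! an interactive user, needs updates, admin shares and RDP to work.
    ip access-list session allowall
      any any any permit
    !
    ! Bind the permissive policy to the machine role used in the thread.
    user-role logon_role
      access-list session allowall
    !
    ! Machine authentication in the 802.1X profile (profile name assumed).
    ! These default roles are only fallbacks; a role returned by the RADIUS
    ! server, as in this deployment, takes precedence over them.
    aaa authentication dot1x dot1x_prof
      machine-authentication enable
      machine-authentication machine-default-role logon_role
      machine-authentication user-default-role quarantine_role
    ```

    Whether the computer account is permitted to authenticate at all (the "Domain Computers" point above) is decided on the RADIUS server, so no controller-side rule can substitute for that.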



  • 9.  RE: What rules are required in the logon_role to enable 802.1x authentication

    Posted May 31, 2016 07:42 PM

    You don't need any rules to allow 802.1X authentication. The rules mostly operate on L3, and 802.1x runs on a lower layer.