Network Management

Occasional Contributor II
Posts: 16
Registered: ‎04-13-2016

What rules are required in the logon_role to enable 802.1x authentication

I am using 802.1x authentication with roles derived from a RADIUS server. I have three roles:

logon_role

user_role

quarantine_role

User and quarantine are user-based roles; depending on health check, group access, etc., the user is either approved for access to the network or denied and falls into the quarantine network.

The logon role is for the machine: when it authenticates it is given the logon_role. I currently have the following in the policy assigned to the role:

udp 68 deny

svc dhcp permit

svc dns permit

svc icmp permit

svc natt permit

any any any deny


To allow a user login to occur on this machine, currently assigned the logon_role, what other services or ports need to be allowed in the logon_role/policy?


Thanks heaps

Guru Elite
Posts: 8,324
Registered: ‎09-08-2010

Re: What rules are required in the logon_role to enable 802.1x authentication

802.1X happens at L2. Are you talking about a Windows device authenticating to Active Directory at user login?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba Employee
Posts: 148
Registered: ‎11-25-2009

Re: What rules are required in the logon_role to enable 802.1x authentication

You don't need any rules to allow 802.1X authentication. The rules mostly operate at L3 and 802.1X runs at a lower layer.

Vinod Kumaar AVM ACMX, ACDX
Principal Network Engineer
Customer Advocacy | Aruba Networks Inc.

Occasional Contributor II
Posts: 16
Registered: ‎04-13-2016

Re: What rules are required in the logon_role to enable 802.1x authentication

That's what I thought, but when machine authentication occurs it is assigned the logon_role. If a user logs on, the role user_role is assigned; when they log off, the machine re-authenticates and is given the logon_role again. This process works fine, with roles changing as user and machine re-authenticate.


The problem I am having is that when the machine is restarted it is not receiving a role at startup. At this point I can disconnect the ethernet cable and reconnect, and a role is then defined. Or if I change the last rule, any any any deny, in the policy to allow, for some reason this works too. This is why I suspect a rule needs to be added to the policy, as I am then getting hits on the rule in the firewall.


I have changed the machine group policy to wait for network initialisation before login, but it has not made any difference.

Guru Elite
Posts: 20,788
Registered: ‎03-29-2007

Re: What rules are required in the logon_role to enable 802.1x authentication

Machine authentication should have an "allow all" role. That is equivalent to a machine being plugged in via ethernet at the Windows login prompt. The user has no rights to do anything interactively, but the machine itself should have the right to do everything, like Windows updates, administrators opening shares, RDP, etc.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
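As an added illustration of the advice above (not configuration from the original thread or from Aruba), here is how the poster's logon_role policy and an "allow all" machine role could look in ArubaOS controller CLI. The ACL rules are the six from the first post; the role name machine_role, the profile names dot1x-machine and wired-aaa, and the use of the controller's predefined allowall session ACL are assumptions, and the syntax should be checked against the ArubaOS version in use:

```text
! Session ACL reproducing the logon_role policy from the original post.
! "user any udp 68 deny" stops a client from answering as a DHCP server;
! the remaining rules only let the host bootstrap (DHCP, DNS, ICMP, NAT-T)
! and everything else is dropped by the final deny.
ip access-list session logon-control
  user any udp 68 deny
  any any svc-dhcp permit
  any any svc-dns permit
  any any svc-icmp permit
  any any svc-natt permit
  any any any deny

user-role logon_role
  access-list session logon-control

! Role for a machine-authenticated (not yet user-authenticated) PC.
! allowall is assumed to be the predefined "any any any permit" session ACL,
! so the PC sitting at the Windows login prompt can still reach AD, Windows
! Update, file shares, RDP, etc.
user-role machine_role
  access-list session allowall

! 802.1X profile with machine authentication enabled. machine-default-role is
! the role applied when only the machine authenticated; user-default-role is
! applied when only a user authenticated on a machine that did not.
aaa authentication dot1x dot1x-machine
  machine-authentication enable
  machine-authentication machine-default-role machine_role
  machine-authentication user-default-role quarantine_role

! AAA profile binding the 802.1X profile; initial-role is the pre-auth role
! and dot1x-default-role applies when RADIUS returns no role.
aaa profile wired-aaa
  initial-role logon_role
  authentication-dot1x dot1x-machine
  dot1x-default-role quarantine_role
```

With this layout a RADIUS-derived role (for example user_role from a server-side attribute) still overrides the defaults, so the poster's existing user/quarantine derivation keeps working; what changes is that a PC that passes machine authentication on boot lands in a role with no deny rule in the way.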

Occasional Contributor II
Posts: 16
Registered: ‎04-13-2016

Re: What rules are required in the logon_role to enable 802.1x authentication

Thanks Colin

Have added an allow all rule but the same issue is still there.

When the Win7 client boots it is not assigned a role; RADIUS indicates that the PC did not match a connection policy.

However, if I unplug the ethernet connection and plug it in again, forcing the network adapter to reset and the PC to re-authenticate, then it is assigned the logon_role. This doesn't occur 100% of the time, but it would be at least 80% over all clients. The PC is fully updated and meets all the health requirements; they just stumble slightly at startup. Logging in with a user account at this point will assign the user_role, and then logging off will allow the PC to re-authenticate and it will then pick up the logon_role. It's just not occurring at startup.

Guru Elite
Posts: 20,788
Registered: ‎03-29-2007

Re: What rules are required in the logon_role to enable 802.1x authentication

Wait...


Is this a wired or wireless device? What is the wired device plugging into?




Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 16
Registered: ‎04-13-2016

Re: What rules are required in the logon_role to enable 802.1x authentication

These are wired devices connected to the wired port on a RAP-155.

Guru Elite
Posts: 20,788
Registered: ‎03-29-2007

Re: What rules are required in the logon_role to enable 802.1x authentication

The RADIUS server probably rejected it, because the computer account is a member of the "Domain Computers" AD group. That group needs to be allowed in order to successfully authenticate machine-authenticated devices.



Colin Joseph
Aruba Customer Engineering
