Occasional Contributor II

802.1x wired initial login and computer policies

I’m looking for some advice on something: how do companies that run 802.1x on an Active Directory domain handle initial logins out at the workstation?  It seems impossible if you don’t already have a profile.  It's a total chicken/egg problem.  We have on-boarding static ports in our helpdesk area, so we can handle things for a while… but we’ll want a solution for doing initial logins out and about.  Like if there's a desktop and we want a new user to log in, we can't do that because it doesn't have access to the right networks until post-login.

This exact issue is also causing havoc on computer policies that are intended to run right at login.

thanks

Guru Elite

Re: 802.1x wired initial login and computer policies

This is done with Windows machine authentication. The computer logs into the network with the computer account at the login screen. Once a user logs in, it switches to the user's credentials.

Sent from Nine<>

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: 802.1x wired initial login and computer policies

If these are Windows domain workstations you can deploy a group policy to enable the Wired Auth Windows service and also to configure the wired profile to do Computer or User authentication.

When you enable computer auth it allows you to do Machine authentication before the user login.

What are you using for RADIUS?

Sent from Outlook for iPhone
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: 802.1x wired initial login and computer policies

Ahhhh... okay.  That makes total sense.  I wonder how much I'd have to tweak my CPPM policy to allow machine auth.  I'll start doing some research.  Not sure if it can be added to my already working user-auth service or if it's a new service.

My wired service looks like this ATM:

tr1-service.jpg

Re: 802.1x wired initial login and computer policies

Not a lot of work on the ClearPass side if it is already joined to the domain
http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-Machine-AND-User-Authentication-in-Windows-with-Clearpass/td-p/208471

https://technet.microsoft.com/en-us/magazine/2008.02.cableguy.aspx


Sent from Outlook for iPhone
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite

Re: 802.1x wired initial login and computer policies

Just add Tips Role equals [Machine Authenticated] to your access policy.

Sent from Nine<>

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: 802.1x wired initial login and computer policies

I'm just a bit confused because the computer is sending its MAC address and falling into my EAP-MD5 static-host-list rules.  I expected it to be sending the computer's name.

tr1-request.jpg

Re: 802.1x wired initial login and computer policies

Are you doing MAC bypass on your switch?



Sent from Outlook for iPhone
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite

Re: 802.1x wired initial login and computer policies

You should separate those out into two services.

Is the client configured correctly?

Sent from Nine<>

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: 802.1x wired initial login and computer policies

Yeah, totally.  I'll make it two services.  If machine-auth, let it into my "walled garden" VLAN that can just hit AD and ClearPass... allowing me to do "on-net" logins.  Then once it gets into Windows it should flip over to user-auth, at least that's my understanding of this all.  Not sure if I'd have to do a CoA?

My switch 802.1x config looks like such:

authenticator {
    authentication-profile-name ClearPass;
    interface {
        User-Access {
            supplicant multiple;
            transmit-period 5;
            mac-radius;
            reauthentication 600;
            server-timeout 3;
            maximum-requests 3;
            guest-vlan CP-INITIAL;
            server-fail use-cache;
        }
    }
}
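The two-service design described in this post (machine auth lands the host in a walled-garden VLAN, user auth gets production access only when the endpoint already holds [Machine Authenticated], and the switch's mac-radius fallback is handled by a separate MAC-auth service) can be modelled as a small audit over authentication records. The following is an added example, not code from the thread or from ClearPass; the service names, VLAN names other than CP-INITIAL, the static host list and the sample request attributes are all constructed assumptions. Windows machine authentication presents its identity as host/<fqdn>, and a MAC-auth request carries the endpoint MAC as User-Name, which is why the MAC shows up in the EAP-MD5 static-host-list service in the earlier post.

```python
"""
Added example (not from the thread): audit wired authentication records
against the machine-auth / user-auth / MAC-auth service split.
Service and VLAN names other than CP-INITIAL are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed names (assumptions); CP-INITIAL is the guest-vlan from the switch config.
VLAN_WALLED_GARDEN = "walled-garden"   # reaches AD and ClearPass only
VLAN_PRODUCTION = "production"
SERVICE_MACHINE = "Wired-Machine-Auth"
SERVICE_USER = "Wired-User-Auth"
SERVICE_MAC = "Wired-MAC-Auth"

# Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabbccddeeff (assumed switch formats).
MAC_RE = re.compile(r"([0-9a-f]{2}[:-]?){5}[0-9a-f]{2}")


def normalize_mac(value: str) -> str:
    """Lowercase hex digits only, so 00-1B-2C.. and 001b2c.. compare equal."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def is_mac(value: str) -> bool:
    return MAC_RE.fullmatch(value.lower()) is not None


@dataclass
class AuthRecord:
    username: str            # RADIUS User-Name
    calling_station_id: str  # RADIUS Calling-Station-Id (endpoint MAC)


def classify(rec: AuthRecord) -> str:
    """machine: host/<fqdn> identity; mac: User-Name equals the endpoint MAC; else user."""
    if rec.username.lower().startswith("host/"):
        return "machine"
    if is_mac(rec.username) and normalize_mac(rec.username) == normalize_mac(rec.calling_station_id):
        return "mac"
    return "user"


class WiredPolicy:
    def __init__(self, static_hosts):
        self.static_hosts = {normalize_mac(m) for m in static_hosts}
        self.machine_authenticated = set()  # endpoints holding [Machine Authenticated]
        self.findings: List[str] = []

    def decide(self, rec: AuthRecord) -> Tuple[str, str, Optional[str]]:
        """Return (service, outcome, vlan) for one request and update endpoint state."""
        mac = normalize_mac(rec.calling_station_id)
        kind = classify(rec)
        if kind == "machine":
            self.machine_authenticated.add(mac)
            return (SERVICE_MACHINE, "accept", VLAN_WALLED_GARDEN)
        if kind == "user":
            if mac in self.machine_authenticated:
                return (SERVICE_USER, "accept", VLAN_PRODUCTION)
            self.findings.append(f"{rec.username} on {mac}: user auth with no prior machine auth")
            return (SERVICE_USER, "accept", VLAN_WALLED_GARDEN)
        if mac in self.static_hosts:
            return (SERVICE_MAC, "accept", VLAN_PRODUCTION)
        # A MAC that is not a known non-802.1X device arriving via mac-radius usually
        # means a supplicant that is not configured, the symptom described in the thread.
        self.findings.append(f"{mac}: MAC auth from endpoint not on static host list")
        return (SERVICE_MAC, "reject", None)


def parse_line(line: str) -> AuthRecord:
    """Parse a constructed 'Attr=value Attr=value' request line."""
    attrs = dict(re.findall(r"(\S+?)=(\S+)", line))
    return AuthRecord(attrs["User-Name"], attrs["Calling-Station-Id"])


def audit(log_text: str, static_hosts=("00-11-22-33-44-55",)):
    policy = WiredPolicy(static_hosts)
    decisions = [policy.decide(parse_line(l)) for l in log_text.splitlines() if l.strip()]
    return decisions, policy.findings


# Constructed sample of RADIUS request attributes, in arrival order.
SAMPLE_LOG = r"""
User-Name=00-1b-2c-3d-4e-5f Calling-Station-Id=00-1b-2c-3d-4e-5f
User-Name=host/pc-0042.corp.example Calling-Station-Id=00-1B-2C-3D-4E-5F
User-Name=CORP\jdoe Calling-Station-Id=00-1b-2c-3d-4e-5f
User-Name=CORP\asmith Calling-Station-Id=aa-bb-cc-dd-ee-01
User-Name=001122334455 Calling-Station-Id=00-11-22-33-44-55
"""

if __name__ == "__main__":
    decisions, findings = audit(SAMPLE_LOG)
    for d in decisions:
        print(d)
    for f in findings:
        print("finding:", f)
```

The first sample line is the case from the earlier post: the workstation's MAC arrives through mac-radius before any host/ identity has been seen, so it falls into the MAC-auth service and is flagged rather than silently matched. The two findings the audit produces are the ones worth chasing in practice: a user logging in on an endpoint that never machine-authenticated, and a MAC-auth attempt from a device that is not on the static host list.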
