04-23-2012 07:51 AM
If I enforce machine authentication, that does mean I make sure this part of DOT1X is honored before user authentication, right?
I ask this as it works great for Windows, but when I boot up into Linux, disable the cert check and use a domain user ID and password, I get straight in.
I don't have a proper PKI yet - but will do so soon (big job). In the meantime - has anyone used device fingerprinting to identify a non-Windows machine and stop it from using PEAP-MSCHAPv2?
Thing is, the real troublemakers are going to be running Linux I would think (esp. BackTrack).
Also the auth type is "8021x-User" and not "802.1x" - any way of taking advantage of this categorization?
Thanks a mill
04-23-2012 09:21 AM
You can definitely take advantage of the "enforce machine auth" knob. If a client tries to use his or her credentials WITHOUT first passing machine authentication (which would happen on Linux, Android, non-domain joined Windows machines, MacOS (assuming you haven't joined it to the domain), etc.) the client will be placed into the "machine authentication: default user role" under the dot1x profile. If the client passes machine authentication, it will be placed in the "machine authentication: default machine role". The clients that don't do machine authentication COULD be placed into a guest role. Clients that pass machine auth and are waiting for user auth COULD be placed into a role that only lets them talk to the domain controllers and other necessary servers.
The only issue you might encounter is the cache timeout. When a client successfully machine auths, the controller caches that MAC address for the configured time. If the client doesn't perform a machine auth (which Windows only does on login and logout) during the cache timer, the controller deletes that MAC address. If the client then tries to reauthenticate (without a login/logout), they will be placed into the "machine authentication: default user role" (since no machine auth was cached). This can cause issues for valid users that come out of hibernate or sleep mode, undock from a wired connection, or turn their WLAN NIC on AFTER login.
04-23-2012 10:27 AM
Great explanation. Given this is my first install of a measly 2000 users, I am going to side on the security. As for wake up and switching off, well, I guess a "please ask user to reboot" will sort that out. Which is what our HelpDesk say anyway.
What's your view on cache timeout length?
04-23-2012 11:13 AM
The cache timeout is 24 hours by default. That, to me, is too short. BUT, you have to weigh the security risk against the users' frustration.
I think the timeout should be 3-4 days. That way, a long weekend won't cause the cache to expire (assuming people reboot every day). There is a way to do this with "netsh" commands (for the machine to reauth), but I am not much of a server or client expert, so I can't help with that (but I know it can be done).
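An added model of the role assignment and cache-expiry behaviour described in the two replies above (the 09:21 AM explanation of the machine/user roles and the 11:13 AM discussion of timeout length). This is illustrative code, not the controller's implementation; the final role name "employee", the MAC addresses and the Friday-to-Tuesday timeline are constructed for the example.

```python
from dataclasses import dataclass, field

# Role names as they appear in the dot1x profile described in the thread.
MACHINE_ROLE = "machine authentication: default machine role"
USER_ROLE = "machine authentication: default user role"
# Assumed final role once both machine and user auth have passed (constructed name).
FULL_ROLE = "employee"


@dataclass
class MachineAuthCache:
    """Per-MAC cache of successful machine authentications with an expiry timer (hours)."""
    timeout_h: float
    seen: dict = field(default_factory=dict)  # mac -> hour of last successful machine auth

    def record(self, mac, now_h):
        self.seen[mac] = now_h

    def is_cached(self, mac, now_h):
        last = self.seen.get(mac)
        if last is None:
            return False
        if now_h - last > self.timeout_h:
            del self.seen[mac]  # controller drops the expired MAC entry
            return False
        return True


def assign_role(cache, mac, now_h, user_auth_ok):
    """Role the client lands in after an 802.1X exchange, following the post's rules."""
    if not cache.is_cached(mac, now_h):
        return USER_ROLE      # user credentials without a (cached) machine auth
    if not user_auth_ok:
        return MACHINE_ROLE   # machine auth passed, user auth still pending
    return FULL_ROLE


def long_weekend_role(timeout_h):
    """Domain-joined laptop: logs in Friday 08:00 (machine auth), sleeps, resumes Tuesday 07:30."""
    cache = MachineAuthCache(timeout_h)
    mac = "00:11:22:33:44:55"                   # constructed sample MAC
    cache.record(mac, 0.0)                      # Friday 08:00 login caches the machine auth
    return assign_role(cache, mac, 95.5, True)  # Tuesday 07:30 reauth, no reboot in between


def non_domain_client_role():
    """Linux (non-domain) client with no machine auth presenting valid domain user credentials."""
    cache = MachineAuthCache(24.0)
    return assign_role(cache, "aa:bb:cc:dd:ee:ff", 1.0, True)
```

With the 24 hour default the returning laptop drops into the user role after a long weekend, while a 96 hour (4 day) timeout keeps it in the full role; the non-domain client lands in the user role either way, which is the knob the first post is asking about.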
04-23-2012 12:01 PM