Contributor II
Posts: 47
Registered: 07-01-2013

Wired 802.1X authentication before login

Hello,

We are implementing wired 802.1X with Juniper switches that authenticate ports to ClearPass via RADIUS. Authentication is working and users are getting the right VLAN already.

The issue we've encountered, though, is that if a laptop is not logged in, there is no way for a NEW user to sign into the laptop because the port is not authorized. This means they can't download their profile from the AD server. Essentially, this implies that the user must log into the laptop once from a port that doesn't do 802.1X in order to cache the profile. Our objective is to make all ports (or as many as possible) use 802.1X (or MAC authentication for non-802.1X-capable devices).

Does anyone have any suggestions for how to work around this?

FYI this environment is >90% macOS. All of the Macs are joined to the AD domain, if that matters.

Tim Haynie, ACMX #508, ACDX #384, ACCP, CWSP, CWAP, CWDP, CCNP R/S, CCNP Wireless, CCNA Security, CCDA
Guru Elite
Posts: 8,011
Registered: 09-08-2010

Re: Wired 802.1X authentication before login

Are you managing your Macs? If so, create a Login Window 1X profile and push it to the clients.

Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
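To show what the Login Window profile Tim describes looks like in practice, here is an added example (not code from the thread, from Aruba or from Apple) that builds a wired 802.1X profile with Python's plistlib and checks it before it is pushed. The payload type and key names (com.apple.firstactiveethernet.managed, SetupModes, EAPClientConfiguration and its TLS trust keys, SystemModeCredentialsSource) are taken from Apple's Configuration Profile Reference; the organisation, payload identifiers, server names and the CA certificate bytes are constructed placeholders, and the key set should be verified against the reference for your macOS release. The security point the check enforces: in Loginwindow mode the Mac performs PEAP with whatever AD credentials are typed at the login window, before anyone can inspect a certificate prompt, so the RADIUS server's issuing CA and names must be pinned and trust exceptions disabled, or a rogue switch and RADIUS server can harvest MSCHAPv2 responses from every user who tries to log in.

```python
"""Build and sanity-check a macOS Login Window 802.1X profile for wired Ethernet.

Added example for the thread above, not code from the original posts. Payload
type and key names are taken from Apple's Configuration Profile Reference;
identifiers, names and the CA bytes below are constructed placeholders.
"""
import plistlib
import uuid

ETHERNET_TYPE = "com.apple.firstactiveethernet.managed"

# Constructed placeholder for the DER-encoded CA certificate that issued the
# ClearPass EAP server certificate (not a real certificate).
CA_DER = bytes.fromhex("308201000000") + bytes(250)

# Assumed DNS names on the ClearPass EAP server certificate.
TRUSTED_SERVER_NAMES = ["clearpass1.example.com", "clearpass2.example.com"]


def _new_uuid():
    return str(uuid.uuid4()).upper()


def login_window_profile(trusted_server_names, ca_der, org="Example Corp"):
    """Return a profile dict: a root-CA payload plus a wired 802.1X payload."""
    ca_uuid = _new_uuid()
    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.dot1x.ca",  # assumed identifier
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "RADIUS CA",
        "PayloadContent": ca_der,
    }
    ethernet_payload = {
        "PayloadType": ETHERNET_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.dot1x.ethernet",  # assumed identifier
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": "Wired 802.1X",
        "AutoJoin": True,
        # System: authenticate with the AD computer account while nobody is
        # logged in. Loginwindow: authenticate with the credentials typed at
        # the login window, so a first-time user reaches AD and can pull
        # their profile. Both need the Mac to be AD-bound.
        "SetupModes": ["System", "Loginwindow"],
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],  # 25 = PEAP; 13 would be EAP-TLS
            "SystemModeCredentialsSource": "ActiveDirectory",
            # Server trust: pin the issuing CA and the expected server names
            # and disable trust prompts, because the MSCHAPv2 response goes
            # out before any user could inspect a certificate.
            "PayloadCertificateAnchorUUID": [ca_uuid],
            "TLSTrustedServerNames": list(trusted_server_names),
            "TLSAllowTrustExceptions": False,
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",  # device-level; required for pre-login use
        "PayloadIdentifier": "com.example.dot1x",  # assumed identifier
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": f"{org} wired 802.1X (login window)",
        "PayloadOrganization": org,
        "PayloadContent": [ca_payload, ethernet_payload],
    }


def check_profile(profile):
    """Return findings that make the profile unsafe or unusable before login.

    An empty list means the profile passes these checks.
    """
    findings = []
    payloads = profile.get("PayloadContent", [])
    if profile.get("PayloadScope") != "System":
        findings.append("PayloadScope must be System for login-window use")
    cert_uuids = {p["PayloadUUID"] for p in payloads
                  if p.get("PayloadType") == "com.apple.security.root"}
    ethernet = [p for p in payloads if p.get("PayloadType") == ETHERNET_TYPE]
    if not ethernet:
        return findings + ["no wired 802.1X payload"]
    for p in ethernet:
        if "Loginwindow" not in p.get("SetupModes", []):
            findings.append("SetupModes lacks Loginwindow")
        eap = p.get("EAPClientConfiguration", {})
        if not eap.get("TLSTrustedServerNames"):
            findings.append("TLSTrustedServerNames empty: server identity unchecked")
        anchors = set(eap.get("PayloadCertificateAnchorUUID", []))
        if not anchors or not anchors <= cert_uuids:
            findings.append("PayloadCertificateAnchorUUID missing or not a cert payload in this profile")
        if eap.get("TLSAllowTrustExceptions", True):
            findings.append("TLSAllowTrustExceptions not False: a rogue server can be accepted at a prompt")
    return findings


def to_mobileconfig(profile):
    """Serialize to the XML plist form that the profiles tool and MDMs accept."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def parse_mobileconfig(data):
    return plistlib.loads(data)


if __name__ == "__main__":
    profile = login_window_profile(TRUSTED_SERVER_NAMES, CA_DER)
    print(check_profile(profile) or "profile OK")
    with open("wired-dot1x-loginwindow.mobileconfig", "wb") as fh:
        fh.write(to_mobileconfig(profile))
```

Replace the placeholder CA bytes with the real DER of the CA that issued the ClearPass EAP certificate, push the resulting .mobileconfig through your MDM (or install it locally with the macOS profiles tool), and run check_profile against any edited copy before deployment; a profile that passes still needs the ClearPass service to accept both the machine account (System mode) and user credentials (Loginwindow mode) for the same wired service.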
Frequent Contributor I
Posts: 81
Registered: 05-11-2011

Re: Wired 802.1X authentication before login

Tim, we have exactly the same scenario but with predominantly Windows-based platforms. Would you mind posting the Juniper configs related to the authentication?
Thanks in advance.
MVP
Posts: 4,086
Registered: 07-20-2011

Re: Wired 802.1X authentication before login

aboj wrote:
Tim, we have exactly the same scenario but with predominantly Windows-based platforms. Would you mind posting the Juniper configs related to the authentication?
Thanks in advance.

See if this helps:

JUNIPER SWITCH CONFIG:

RADIUS AUTHENTICATION:

set access radius-server <CLEARPASS-SERVER-IP> secret <SHARED-KEY>
set access radius-server <CLEARPASS-SERVER-IP> source-address <SWITCH-IP>
set access profile <CLEARPASS-PROFILE-NAME> authentication-order radius
set access profile <CLEARPASS-PROFILE-NAME> radius authentication-server <CLEARPASS-SERVER-IP>

RADIUS ACCOUNTING:

set access profile <CLEARPASS-PROFILE-NAME> radius accounting-server <CLEARPASS-SERVER-IP>
set access profile <CLEARPASS-PROFILE-NAME> accounting order radius
set access profile <CLEARPASS-PROFILE-NAME> accounting accounting-stop-on-failure
set access profile <CLEARPASS-PROFILE-NAME> accounting accounting-stop-on-access-deny
set access profile <CLEARPASS-PROFILE-NAME> accounting immediate-update
set access profile <CLEARPASS-PROFILE-NAME> accounting update-interval 12
set access profile <CLEARPASS-PROFILE-NAME> accounting statistics time

INTERFACE/VLAN CONFIG:

Guest VLAN

This is where a nonresponsive supplicant is placed. Nonresponsive happens because the client does not have the 802.1X supplicant software installed or configured. They are not attempting any authentication to the network.

Server Reject VLAN

This is where an authentication attempt was made by a supplicant or MAC address and the authentication failed.

VLANS CONFIG:

set vlans FULL-ACCESS-VLAN vlan-id <FULL-ACCESS-VLAN-ID>
set vlans GUEST-VLAN vlan-id <GUEST-VLAN-ID>
set vlans REJECT-VLAN vlan-id <REJECT-VLAN-ID>

INTERFACE CONFIG:

set interfaces <INTERFACE-NAME> description "<PORT DESCRIPTION>"
set interfaces <INTERFACE-NAME> unit 0 family ethernet-switching port-mode access
set interfaces <INTERFACE-NAME> unit 0 family ethernet-switching vlan members <VLAN-ID>
set protocols dot1x authenticator authentication-profile-name <CLEARPASS-PROFILE-NAME>
set protocols dot1x authenticator interface <INTERFACE-NAME> supplicant multiple
set protocols dot1x authenticator interface <INTERFACE-NAME> transmit-period 5
set protocols dot1x authenticator interface <INTERFACE-NAME> reauthentication 600
set protocols dot1x authenticator interface <INTERFACE-NAME> server-timeout 3
set protocols dot1x authenticator interface <INTERFACE-NAME> maximum-requests 3
set protocols dot1x authenticator interface <INTERFACE-NAME> server-fail use-cache
set protocols dot1x authenticator interface <INTERFACE-NAME> retries 4
set protocols dot1x authenticator interface <INTERFACE-NAME> server-reject-vlan <REJECT-VLAN-ID>
set protocols dot1x authenticator interface <INTERFACE-NAME> guest-vlan <GUEST-VLAN-ID>

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
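Configs in the shape Victor posted are usually copied across dozens of switches, and the mistakes that let a port slip past NAC are easy to miss by eye. As an added example (not from the thread, from Juniper or from Aruba), the script below parses Junos set-commands and reports: an access port with no dot1x authenticator stanza (that port bypasses NAC entirely), a guest-vlan or server-reject-vlan that is never defined under set vlans, server-fail permit (a RADIUS outage opens the port to anyone; use-cache or deny is the safer choice), an authentication-profile-name that points at no access profile with a RADIUS authentication server, and a radius-server with no shared secret. The sample configuration is constructed to mirror the posted one; its IPs, names and $9$ secret are made-up placeholders, and port-mode access and the ELS form interface-mode access are both recognised.

```python
"""Audit a Junos 802.1X access-port configuration given as 'set' commands.

Added example for the thread above, not code from the original post, from
Juniper or from Aruba. The sample config is constructed to mirror the shape
of the posted one; IPs, names and the $9$ secret are made-up placeholders.
"""
from collections import defaultdict

SAMPLE_CONFIG = """
set access radius-server 10.0.0.10 secret "$9$placeholder"
set access radius-server 10.0.0.10 source-address 10.0.1.1
set access profile CLEARPASS authentication-order radius
set access profile CLEARPASS radius authentication-server 10.0.0.10
set access profile CLEARPASS radius accounting-server 10.0.0.10
set access profile CLEARPASS accounting order radius
set vlans FULL-ACCESS-VLAN vlan-id 100
set vlans GUEST-VLAN vlan-id 900
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 100
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode access
set protocols dot1x authenticator authentication-profile-name CLEARPASS
set protocols dot1x authenticator interface ge-0/0/1 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/1 server-fail use-cache
set protocols dot1x authenticator interface ge-0/0/1 server-reject-vlan 901
set protocols dot1x authenticator interface ge-0/0/1 guest-vlan GUEST-VLAN
set protocols dot1x authenticator interface ge-0/0/2 supplicant single
set protocols dot1x authenticator interface ge-0/0/2 server-fail permit
"""


def parse_set_commands(config_text):
    """Return each 'set ...' line as a token list (without the leading 'set')."""
    statements = []
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            statements.append(line.split()[1:])
    return statements


def audit(config_text):
    """Return a list of human-readable findings; empty means no issue found."""
    vlan_ids, vlan_names, access_ports = set(), set(), set()
    dot1x_ports = defaultdict(dict)    # port -> {option: value}
    radius_servers = defaultdict(set)  # server -> configured keys
    profiles = defaultdict(set)        # access profile -> configured stanzas
    dot1x_profile = None

    for s in parse_set_commands(config_text):
        if s[:1] == ["vlans"] and "vlan-id" in s:
            vlan_names.add(s[1])
            vlan_ids.add(s[s.index("vlan-id") + 1])
        elif s[:1] == ["interfaces"] and s[-1] == "access" and (
                "port-mode" in s or "interface-mode" in s):   # pre-ELS / ELS
            access_ports.add(s[1])
        elif s[:3] == ["protocols", "dot1x", "authenticator"]:
            if s[3] == "authentication-profile-name":
                dot1x_profile = s[4]
            elif s[3] == "interface" and len(s) >= 6:
                dot1x_ports[s[4]][s[5]] = " ".join(s[6:])
        elif s[:2] == ["access", "radius-server"]:
            radius_servers[s[2]].add(s[3])
        elif s[:2] == ["access", "profile"]:
            profiles[s[2]].add(" ".join(s[3:5]))

    findings = []
    for port in sorted(access_ports - set(dot1x_ports)):
        findings.append(f"{port}: access port with no dot1x authenticator stanza (bypasses NAC)")
    for port, opts in sorted(dot1x_ports.items()):
        for key in ("guest-vlan", "server-reject-vlan"):
            vlan = opts.get(key)
            if vlan is not None and vlan not in vlan_ids and vlan not in vlan_names:
                findings.append(f"{port}: {key} {vlan} is not defined under 'set vlans'")
        if opts.get("server-fail") == "permit":
            findings.append(f"{port}: server-fail permit opens the port to anyone during "
                            "a RADIUS outage; prefer use-cache or deny")
    if dot1x_profile is None:
        findings.append("dot1x: no authentication-profile-name configured")
    elif "radius authentication-server" not in profiles.get(dot1x_profile, set()):
        findings.append(f"dot1x: access profile {dot1x_profile} has no radius authentication-server")
    for server, keys in sorted(radius_servers.items()):
        if "secret" not in keys:
            findings.append(f"radius-server {server}: no shared secret configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of show configuration | display set from each switch; on the sample it reports ge-0/0/3 as an unauthenticated access port, the undefined reject VLAN on ge-0/0/1, and the server-fail permit on ge-0/0/2. Ports that legitimately must stay open (uplinks, trunks) are not access ports and are not flagged.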
Contributor II
Posts: 47
Registered: 07-01-2013

Re: Wired 802.1X authentication before login

Unfortunately I don't have access to the Juniper configs as this was configured by another party. I can't even log into that equipment so I need to rely on them for any configuration. I'm also not a Juniper expert so I wouldn't be much help anyway. Hopefully the above post was helpful.

Tim Haynie, ACMX #508, ACDX #384, ACCP, CWSP, CWAP, CWDP, CCNP R/S, CCNP Wireless, CCNA Security, CCDA