I know this is a bit of an old thread, so perhaps you already figured this out but I'm in the process of working the same thing, so I thought I would share what I have found.
In testing, I set up Win10 workstations with 802.1x settings for "Computer or User Authentication".
I have found that an RDP connection will trigger the computer to move to the "Computer Authentication" context. So, if nobody is logged in, but the computer has successfully authenticated to the network with 802.1x, then the RDP session will succeed, but the VLAN assignment will not change. As far as Clearpass/Switch are concerned, the computer is still logged in as the Computer account, not the user.
If a user is already logged in, even if it's the same user, upon RDP connect the session will be dropped because the computer shifts back to Computer Authentication, and the VLAN changes back to the appropriate VLAN for the Computer authentication portion.
With the COVID pandemic still a thing, a lot of us are still in a hybrid work mode (we use a secure RDP gateway for our remote workers, as opposed to VPN), so this obviously requires some additional planning / consideration.
In our case, we are going to use Clearpass to sort of make a special set of "Remote Worker" machines that stay natively in the same VLAN as the worker is expected to be in when they log in. This should prevent the VLAN shift that we have seen. It's not ideal, but we're working on restricting the users who may log into a computer by using the Windows Active Directory infrastructure, rather than doing it from the network side. Hope this helps you (or whoever finds this).
Reference: https://www.ise-support.com/2019/02/05/windows-rdp-and-802-1x-authentications/
Tech notes about our setup:
- Clearpass version 6.10.3
- Aruba 5400R series switches running KB.16.05.007
------------------------------
Dan Scherck
------------------------------
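The behaviour Dan describes depends on the workstation's wired 802.1X profile being in the "Computer or User" (machineOrUser) mode. As an added example, not code from Dan's post or from the thread, the following PowerShell check, run on the Windows 10 workstation itself, exports the interface's wired profile with netsh and reports its authMode so you can tell which machines are in that mode before planning the VLAN design. The interface name, the export folder, and the treatment of a missing authMode element as machineOrUser are assumptions; verify the last one against your own export.

```powershell
# Added example, not code from the thread. Exports the wired 802.1X profile
# applied to an interface and reports its authMode. Profiles in machineOrUser
# mode are the ones the thread describes as re-authenticating in the computer
# context (and changing VLAN) when an RDP session connects.
# Assumptions: run elevated on the Windows 10 workstation; the interface name
# and export folder are placeholders.

param(
    [string]$InterfaceName = "Ethernet",                    # placeholder; list names with: netsh lan show interfaces
    [string]$ExportFolder  = (Join-Path $env:TEMP "lanprofiles")
)

# netsh lan depends on the Wired AutoConfig service (dot3svc); if it is not
# running there is no 802.1X on wired interfaces at all.
$dot3 = Get-Service -Name dot3svc -ErrorAction Stop
if ($dot3.Status -ne 'Running') {
    throw "Wired AutoConfig (dot3svc) is $($dot3.Status); 802.1X is not active on wired interfaces."
}

New-Item -ItemType Directory -Path $ExportFolder -Force | Out-Null
Get-ChildItem -Path $ExportFolder -Filter *.xml | Remove-Item -Force

# Export the wired profile(s) of the interface as XML, one file per profile.
netsh lan export profile folder="$ExportFolder" interface="$InterfaceName" | Out-Null

$results = foreach ($file in Get-ChildItem -Path $ExportFolder -Filter *.xml) {
    [xml]$doc = Get-Content -Path $file.FullName -Raw
    $security = $doc.LANProfile.MSM.security

    # authMode sits in the OneX section of the profile (machineOrUser,
    # machineOnly or userOnly). When the element is omitted this script
    # assumes the Windows default of machineOrUser; check this against your export.
    $authMode = $security.OneX.authMode
    if (-not $authMode) { $authMode = 'machineOrUser (element absent, assumed default)' }

    [pscustomobject]@{
        Profile          = $file.BaseName
        OneXEnabled      = $security.OneXEnabled
        AuthMode         = $authMode
        RdpContextSwitch = ($authMode -like 'machineOrUser*')
    }
}

$results | Format-Table -AutoSize

# Rows with RdpContextSwitch = True are the workstations where, per the thread,
# an RDP connect moves the supplicant back to the computer context and the
# switch/Clearpass VLAN assignment follows it.
```

Run it once per interface on a test workstation and compare the AuthMode column with the VLAN behaviour you observe from the switch side; a machine that stays in its user VLAN across an RDP connect should show machineOnly or userOnly, or be one of the "Remote Worker" machines whose computer VLAN already matches the user VLAN.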
Original Message:
Sent: Nov 02, 2021 10:02 AM
From: Vaclav Hauser
Subject: 802.1x with RDP
Dear airheads community,
I'm facing one complication, I think it's not a bug but a feature. On Windows 10 PCs I have configured 802.1x authentication with machine or user authentication. There are separate VLANs and roles for machines without logged-in users and with logged-in users. But when I connect to the machine with RDP, the machine stays in the machine auth VLAN and role with its restrictions. So, RDP users have limited access to the network.
Is there someone who solved that problem?
Thanks and best regards
Vaclav
------------------------------
Vaclav Hauser
------------------------------