Security

 View Only
last person joined: 13 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

802.1x with RDP

This thread has been viewed 20 times
  • 1.  802.1x with RDP

    Posted Nov 02, 2021 10:02 AM
    Dear airheads community,
    I'm facing one complication, I think it's not bug but it's feature. On Windows 10 PCs I have configured 802.1x authentication with machine or user authentication. There are separated VLANs and roles for machines withnout logged users and with logged users. But when I connect to the machine with RDP, machine stays in the machine auth VLAN and role with its restrictions. So, RDP users have limited access to the network.

    Is there someone who solved that problem?

    Thanks and best regards

    Vaclav

    ------------------------------
    Vaclav Hauser
    ------------------------------


  • 2.  RE: 802.1x with RDP

    EMPLOYEE
    Posted Nov 02, 2021 11:38 AM
    I am of the opinion that a machine authenticated device should have full access to the network, just like it would if it was wired.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: 802.1x with RDP

    Posted Apr 28, 2022 12:48 PM

    I know this is a bit of an old thread, so perhaps you already figured this out but I'm in the process of working the same thing, so I thought I would share what I have found.

    In testing, I set up Win10 workstations with 802.1x settings for "Computer or User Authentication". 

    I have found that an RDP connection will trigger the computer to move to the "Computer Authentication" context. So, if nobody is logged in, but the computer has successfully authenticated to the network with 802.1x, then the RDP session will succeed, but the VLAN assignment will not change. As far as Clearpass/Switch are concerned, the computer is still logged in as the Computer account, not the user.

    If a user is already logged in, even if it's the same user, upon RDP connect the session will be dropped because the computer shifts back to Computer Authentication, and the VLAN changes back to the appropriate VLAN for the Computer authentication portion.

    With the Covid pandemic still a thing, a lot of us are still in a hybrid work mode, (we use a secure RDP gateway for our remote workers, as opposed to VPN,) this obviously requires some additional planning / consideration.

    In our case, we are going to use Clearpass to sort of make a special set of "Remote Worker" machines that stay natively in the same VLAN as the worker is expected to be in when they log in. This should prevent the VLAN shift that we have seen. It's not ideal, but we're working on restricting the users who may log into a computer by using the Windows Active Directory infrastructure, rather than doing it from the network side. Hope this helps you (or whomever finds this).

    Reference:  https://www.ise-support.com/2019/02/05/windows-rdp-and-802-1x-authentications/

    Tech notes about our setup:

    - Clearpass version 6.10.3

    - Aruba 5400R series switches running KB.16.05.007



    ------------------------------
    Dan Scherck
    ------------------------------