Security

last person joined: 7 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Wired 802.1X authentication before login

This thread has been viewed 0 times
  • 1.  Wired 802.1X authentication before login

    Posted Feb 20, 2015 10:00 PM

    Hello,

     

    We are implementing wired 802.1X with Juniper switches that authenticate ports to ClearPass via RADIUS. Authentication is working and users are getting the right VLAN already.

     

    The issue we've encountered, though, is that if a laptop is not logged in, there is no way for a NEW user to sign into the laptop because the port is not authorized. This means they can't download their profile from the AD server. Essentially, this implies that the user must log into the laptop once from a port that doesn't do 802.1X in order to cache the profile. Our objective is to make all ports (or as many as possible) use 802.1X (or MAC authentication for non-.1X capable devices).

     

    Does anyone have any suggestions for how to work around this?

     

    FYI this environment is >90% MAC OS. All of the Macs are joined to the AD domain, if that matters.



  • 2.  RE: Wired 802.1X authentication before login

    Posted Feb 20, 2015 10:03 PM
    Are you managing your macs? If so, create a Login Window 1X profile and push it to the clients.


    Thanks, 
    Tim


  • 3.  RE: Wired 802.1X authentication before login

    Posted Feb 21, 2015 09:57 AM
    Tim, we have exactly the same scenario but with more predominant windows based platforms. Would you mind posting the juniper configs related to the authentication?
    Thanks in advance.


  • 4.  RE: Wired 802.1X authentication before login

    Posted Feb 22, 2015 11:43 AM

    @aboj wrote:
    Tim, we have exactly the same scenario but with more predominant windows based platforms. Would you mind posting the juniper configs related to the authentication?
    Thanks in advance.

    See if this helps:

     

    JUNIPER SWITCH CONFIG:

    RADIUS AUTHENTICATION:

    set access radius-server <CLEARPASS-SERVER-IP> secret <SHARED-KEY>

    set access radius-server <CLEARPASS-SERVER-IP> source-address <SWITCH-IP>

    set access profile <CLEARPASS-PROFILE-NAME> authentication-order radius

    set access profile <CLEARPASS-PROFILE-NAME> radius authentication-server <CLEARPASS-SERVER-IP>

     

    RADIUS ACCOUNTING:

    set access profile <CLEARPASS-PROFILE-NAME> radius accounting-server <CLEARPASS-SERVER-IP>

    set access profile <CLEARPASS-PROFILE-NAME>  accounting order radius

    set access profile <CLEARPASS-PROFILE-NAME> accounting accounting-stop-on-failure

    set access profile <CLEARPASS-PROFILE-NAME> accounting accounting-stop-on-access-deny

    set access profile <CLEARPASS-PROFILE-NAME> accounting immediate-update

    set access profile <CLEARPASS-PROFILE-NAME> accounting update-interval 12

    set access profile <CLEARPASS-PROFILE-NAME> accounting statistics time

     

     

    INTERFACE/VLAN CONFIG:

     

    Guest VLAN

    This is where a nonresponsive supplicant is placed.  Nonresponsive happens because the client does not have the 802.1x supplicant software installed or configured.  They are not trying to attempt any authentication to the network.

    Server Reject VLAN

    This is where an authentication attempt was made by supplicant or mac address and the authentication failed.

     

    VLANS CONFIG:

    set vlans FULL-ACCESS-VLAN vlan-id <FULL-ACCESS-VLAN-ID>

    set vlans GUEST-VLAN vlan-id <GUEST-VLAN-ID>

     

    INTERFACE CONFIG:

    set interfaces <INTERFACE-NAME> description "<PORT DESCRIPTION>"

    set interfaces <INTERFACE-NAME> unit 0 family ethernet-switching port-mode access

    set interfaces <INTERFACE-NAME>unit 0 family ethernet-switching vlan members <VLAN-ID>

    set protocols dot1x authenticator authentication-profile-name <CLEARPASS-PROFILE-NAME>

    set protocols dot1x authenticator interface <INTERFACE-NAME>supplicant multiple

    set protocols dot1x authenticator interface <INTERFACE-NAME>transmit-period 5

    set protocols dot1x authenticator interface <INTERFACE-NAME>reauthentication 600

    set protocols dot1x authenticator interface <INTERFACE-NAME>server-timeout 3

    set protocols dot1x authenticator interface <INTERFACE-NAME> maximum-requests 3

    set protocols dot1x authenticator interface <INTERFACE-NAME> server-fail use-cache

    set protocols dot1x authenticator interface <INTERFACE-NAME>retries 4

    set protocols dot1x authenticator interface <INTERFACE-NAME> server-reject-vlan <REJECT-VLAN-ID>

    set protocols dot1x authenticator interface <INTERFACE-NAME> guest-vlan <GUEST-VLAN-ID>

     

     

     



  • 5.  RE: Wired 802.1X authentication before login

    Posted Feb 23, 2015 02:32 PM

    Unfortunately I don't have access to the Juniper configs as this was configured by another party. I can't even log into that equipment so I need to rely on them for any configuration. I'm also not a Juniper expert so I wouldn't be much help anyway. Hopefully the above post was helpful.