I'm building 802.1x for wired authentication in a Cisco environment. For machines already joined to the domain, with an established user account (cert) on the machine, everything works great. The machine is placed in the correct VLAN for the user, based on role.
If I connect a domain-joined machine before logging in, machine authentication works, and the port is placed in the correct access VLAN. If a new user without a local profile and cert then tries to log in, it can't contact the domain to build the new user profile.
We have a lot of DC's, so I'd rather not add them all to the default port ACL in the switchports. Is there a document that covers allowing machine-authenticated computers to communicate with AD to build the profile, and then (I would assume) cause a re-auth in 802.1x?
You need a process for provisioning these devices. Since there is no cert, for Machine Auth, you can probably use EAP-PEAP MSCHAPv2 using Machine auth. If that is successful (assuming PC is joined to the domain it will) you can grant access to these PCs based on the Auth Method used to a DC from where it will download its cert and profile. Once done, it can then authenticate successfully using EAP-TLS. If that is not an option, you will have to allow access based on whitelisting MAC addresses, or have a separate open port at IT helpdesk for provisioning.
These machines are provisioned, and machine auth is working. It's the new user logging into the workstation that's failing. Can you elaborate on granting AD access based on auth method? This sounds like exactly what I'm after.
Are you talking about the switch user-scenario?
While doing so, the machine would still be on the network. I am sorry, but I don't understand why it would not have access to the domain controller to log in in that scenario?
Have you selected User or Computer Auth?
It's configured per the "ClearPass_Solution-Guide_Wired-Policy-Enforcement_v2018-01" document. If I connect my AD laptop to a port, it gets machine auth, and is placed into an access VLAN. When I log in, it re-auths, and moves to an IT VLAN, because I'm in that AD group. But when I log off it goes back to machine auth. A new user, with no local profile, can't log in as the machine can't reach the domain controllers.
The ethernet interface 802.1x config on the computer is set to user or computer authentication.
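An added example, not part of any post in this thread and not taken from the ClearPass guide: the "grant access based on auth method" approach expressed as a Cisco IOS port configuration plus a RADIUS-delivered downloadable ACL (dACL) that the server returns only for sessions authenticated with the machine account, limited to the services a first-time user logon needs from AD. The DC subnet 10.10.1.0/24, the interface name and the ACL name PRE-AUTH are assumptions; the port and AD service ports are standard.

```cisco
! Added example (assumptions: DCs in 10.10.1.0/24, client uses DHCP,
! RADIUS server is ClearPass). Standard Cisco IOS 802.1X otherwise.
!
! Global AAA: authorization from RADIUS is what lets the server push a
! per-session dACL instead of listing every DC in a static port ACL.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
ip device tracking
!
! Minimal port ACL: dACLs on Catalyst platforms need a port ACL to
! override, so this one only lets the client obtain a DHCP lease.
ip access-list extended PRE-AUTH
 permit udp any any eq bootps
 deny ip any any
!
interface GigabitEthernet1/0/10
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 ip access-group PRE-AUTH in
!
! dACL returned by the RADIUS server as Cisco-AVPair attributes when the
! authenticated identity is the machine account (e.g. host/<name>),
! not a user. Ports: DNS, Kerberos, NTP, RPC mapper, LDAP, SMB (SYSVOL
! and GPO), kpasswd, LDAPS, Global Catalog, RPC dynamic range.
! ip:inacl#10=permit udp any any eq bootps
! ip:inacl#20=permit udp any 10.10.1.0 0.0.0.255 eq 53
! ip:inacl#30=permit tcp any 10.10.1.0 0.0.0.255 eq 53
! ip:inacl#40=permit udp any 10.10.1.0 0.0.0.255 eq 88
! ip:inacl#50=permit tcp any 10.10.1.0 0.0.0.255 eq 88
! ip:inacl#60=permit udp any 10.10.1.0 0.0.0.255 eq 123
! ip:inacl#70=permit tcp any 10.10.1.0 0.0.0.255 eq 135
! ip:inacl#80=permit udp any 10.10.1.0 0.0.0.255 eq 389
! ip:inacl#90=permit tcp any 10.10.1.0 0.0.0.255 eq 389
! ip:inacl#100=permit tcp any 10.10.1.0 0.0.0.255 eq 445
! ip:inacl#110=permit tcp any 10.10.1.0 0.0.0.255 eq 464
! ip:inacl#120=permit tcp any 10.10.1.0 0.0.0.255 eq 636
! ip:inacl#130=permit tcp any 10.10.1.0 0.0.0.255 eq 3268
! ip:inacl#140=permit tcp any 10.10.1.0 0.0.0.255 range 49152 65535
! ip:inacl#150=deny ip any any
```

Once the user logs on, a supplicant set to "user or computer" authentication starts a new EAP session with the user identity, and the user-role dACL or VLAN replaces this one; `show authentication sessions interface GigabitEthernet1/0/10 details` shows which ACL is currently applied.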