Security

last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

AD access after machine auth (Cisco wired 802.1x)

This thread has been viewed 2 times

  • 1.  AD access after machine auth (Cisco wired 802.1x)

    Posted Sep 24, 2019 04:58 PM

    I'm building 802.1x for wired authentication in a Cisco environment. For machines already joined to the domain, with an established user account (cert) on the machine, everything works great. The machine is placed in the correct VLAN for the user, based on role.

    If I connect a domain-joined machine before logging in, machine authentication works, and the port is placed in the correct access VLAN. If a new user without a local profile and cert then tries to log in, it can't contact the domain to build the new user profile.

    We have a lot of DC's, so I'd rather not add them all to the default port ACL in the switchports. Is there a document that covers allowing machine-authenticated computers to communicate with AD to build the profile, and then (I would assume) cause a re-auth in 802.1x?

     

     



  • 2.  RE: AD access after machine auth (Cisco wired 802.1x)

    EMPLOYEE
    Posted Sep 24, 2019 11:58 PM

    You need a process for provisioning these devices. SInce there is no cert, for Machine Auth, you can probably use EAP-PEAP MSCHAPv2 using Machine auth. If that is succesful (assuming PC is joined to the domain it will) you can grant access to these PCs based on the Auth Method used to a DC from where it will download it's cert and profile. Once done, it can then authenticate successfully using EAP-TLS. If that is not an option, you will have to allow access based on whitelisting MAC addresses, or have a separate open port at IT helpdesk for provisioning. 



  • 3.  RE: AD access after machine auth (Cisco wired 802.1x)

    Posted Sep 25, 2019 09:02 AM

    Thanks arpitb.

    These machines are provisioned, and machine auth is working. It's the new user logging into the workstation that's failing. Can you elaborate on granting AD access based on auth method? This sounds like exactly what I'm after. 



  • 4.  RE: AD access after machine auth (Cisco wired 802.1x)

    EMPLOYEE
    Posted Sep 25, 2019 09:44 AM

    Are you talking about the switch user-scenario?

     

    While doing so, the machine would still be on the network, i am sorry but i don't understand why would it not have access to the domain controller to login in that scenario?

     

    Have you selected User or Computer Auth?



  • 5.  RE: AD access after machine auth (Cisco wired 802.1x)

    Posted Sep 25, 2019 09:58 AM

    it's configured per the "ClearPass_Solution-Guide_Wired-Policy-Enforcement_v2018-01" document.
    If I connect my AD laptop to a port, it gets machine auth, and placed into an access VLAN. When I log in, it re-auths, and moves to an IT VLAN, because I'm in that AD group.
    But when I log off it goes back to machine auth. A new user, with no local profile, can't log in as the machine can't reach the domain controllers.

    The ethernet interface 802.1x config on the computer is set to user or computer authentication.