Hello, I got a question.
We have a client that does this:
The support team joins the machine to the AD domain and sets up the machine.
They create a user and a random password for the user, and then they turn off the machine from their account.
They give the new user the machine so they can log in with their new user account, and they can change their random password to a new password.
Now I face a problem here, and it's that the support team is using a free 802.1X port, so they don't have any issue with putting the machine in AD and all that.
But when the new user tries to log in with their new user account, which does not have a profile on that machine and has never connected to the network, they get the error that they cannot connect to the network; it says that the domain is not available and that I should make sure it is connected to the network.
I see in ClearPass that it tries to connect doing machine authentication instead of using the user and password.
And now that I think about it, I would have a big problem when we change to EAP-TLS, because there is no way they can get the user certificate if the user has not yet connected to their profile and downloaded the group policy that gives them the user certificate.
I don't know how to get around this.
Does the user always have to authenticate the first time on a port without 802.1X authentication?
Any ideas on how you all do this?
With EAP-TLS or EAP-PEAP, the most used method is to switch to computer-only authentication.
If you need user authentication, then TEAP may be a good method to use. It combines computer and user authentication in the same 'authentication transaction' and would allow scenarios where the user or computer authentication can even fail, and the computer can still be connected and placed in the correct VLAN/role to reflect that authentication status. Here is a video that explains TEAP based on EAP-TLS.
Thanks for your answers, guys.
Ahollifield, that could be a solution, yes, but I need the machine to authenticate, and not only that: they need to be sent to a specific VLAN.
Herman, thanks for your answer. I was about to do what you said, but the client has Windows 7; as I could see in your video, we need Windows 10 for TEAP to work.
So it seems that the only option I have is machine authentication.
Right now I have something simple in the enforcement policy for testing:
If the user belongs to ADgroup X then give VLAN 5
If the user belongs to ADgroup Z then give VLAN 10
If Tips Role equals Machine Authenticated then give VLAN 2
The first rule that applies is used.
It SEEMS to work. It authenticated with the machine, then it authenticated with the user.
On the Windows 10 machine I have the "user or machine" option selected.
I'm not sure if I should be using:
If the user belongs to ADgroup X AND machine authenticated then give VLAN 5
If the user belongs to ADgroup Z AND machine authenticated then give VLAN 10
Not sure if that will work (I'll try that today).
Herman, if you think any of those will give trouble, please let me know, and what could be the best way to do it.
I cannot do machine authentication only because, as I said, the user needs to go to a specific VLAN after authenticating.
Windows 7? I think the client has MUCH bigger security concerns than VLAN-based segmentation...
That should work fine; it's just that the discussion started with the point that user authentication was not possible (chicken-and-egg problem) for users that had not authenticated before on the client, or don't have a user certificate.
You may also try to use an 'authentication failed VLAN' or 'authentication failed role', which does allow access to the AD infrastructure and other required services that you trust access to for unauthenticated clients. Through that access the client can change password, get the user certificate enrolled, or perform other prerequisites. It's not ideal, but that is why (at least before TEAP was introduced) many customers fall back to computer-only authentication. But if that is not acceptable, this strategy may work.
Switch to EAP-TLS with machine certificates (machine authentication). Enroll the machine certificate onto the PC when the device is built at the port with 802.1X disabled.
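The difference between the two enforcement policies discussed above (user group alone versus user group AND machine authenticated), and the effect of adding a restricted "authentication failed" VLAN as a catch-all, comes down to first-match rule evaluation. The following is an added example written for this thread, not ClearPass code and not from any of the posters: it models the policy engine as an ordered rule list in Python and runs the constructed sessions the thread describes through it. Rule wording, the VLAN numbers 5/10/2 are taken from the thread; VLAN 99, the user names and the group names are assumptions. The security point it makes is that under the first policy any valid AD credential reaches VLAN 5 even from a device that never machine-authenticated (not domain-joined, or cached machine authentication expired), whereas the AND variant falls through to "no rule matched" for such a session, and only the catch-all rule decides what happens to it.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """What the enforcement policy sees for one authentication (constructed model)."""
    machine_authenticated: bool          # 'Machine Authenticated' role present for this endpoint
    user: Optional[str] = None           # None = computer-only authentication at boot
    groups: Tuple[str, ...] = ()         # AD groups of the authenticating user (assumed names)


Rule = Tuple[str, Callable[[Session], bool], int]


def rule(description: str, condition: Callable[[Session], bool], vlan: int) -> Rule:
    return (description, condition, vlan)


def in_group(name: str) -> Callable[[Session], bool]:
    return lambda s: name in s.groups


def in_group_and_machine(name: str) -> Callable[[Session], bool]:
    return lambda s: name in s.groups and s.machine_authenticated


# Policy A: the rules the thread says are in place now (user group alone is enough).
POLICY_A: List[Rule] = [
    rule("user in ADgroup X -> VLAN 5", in_group("X"), 5),
    rule("user in ADgroup Z -> VLAN 10", in_group("Z"), 10),
    rule("machine authenticated -> VLAN 2", lambda s: s.machine_authenticated, 2),
]

# Policy B: the variant the thread asks about (group AND machine authenticated).
POLICY_B: List[Rule] = [
    rule("user in ADgroup X AND machine auth -> VLAN 5", in_group_and_machine("X"), 5),
    rule("user in ADgroup Z AND machine auth -> VLAN 10", in_group_and_machine("Z"), 10),
    rule("machine authenticated -> VLAN 2", lambda s: s.machine_authenticated, 2),
]

# Policy C: policy B plus a catch-all standing in for the 'authentication failed VLAN'
# idea: a restricted VLAN that only reaches AD and enrolment services. VLAN 99 is assumed.
POLICY_C: List[Rule] = POLICY_B + [
    rule("otherwise -> restricted VLAN 99", lambda s: True, 99),
]


def evaluate(policy: List[Rule], session: Session) -> Tuple[Optional[int], str]:
    """First-applicable evaluation: the first rule whose condition holds wins."""
    for description, condition, vlan in policy:
        if condition(session):
            return vlan, description
    return None, "no rule matched (falls to the policy's default profile)"


# Constructed sessions covering the situations described in the thread.
BOOT = Session(machine_authenticated=True)               # computer auth at boot, no user yet
USER_X_AFTER_MACHINE = Session(True, "alice", ("X",))    # normal logon on a machine-authenticated PC
USER_X_NO_MACHINE = Session(False, "alice", ("X",))      # valid AD creds, but no machine auth seen
USER_NO_GROUP = Session(True, "bob", ())                 # user in neither group

SCENARIOS = (
    ("boot", BOOT),
    ("userX_after_machine", USER_X_AFTER_MACHINE),
    ("userX_no_machine", USER_X_NO_MACHINE),
    ("user_no_group", USER_NO_GROUP),
)


def run_scenarios() -> dict:
    """Evaluate every scenario against every policy; keyed by (policy, scenario)."""
    results = {}
    for pname, policy in (("A", POLICY_A), ("B", POLICY_B), ("C", POLICY_C)):
        for sname, session in SCENARIOS:
            results[(pname, sname)] = evaluate(policy, session)
    return results


if __name__ == "__main__":
    for (pname, sname), (vlan, why) in run_scenarios().items():
        print(f"policy {pname}  {sname:22} -> VLAN {vlan}  ({why})")
```

Running it shows that the "boot" and "user in group after machine auth" sessions land in the same VLANs under every policy, so the AND variant does not break the working case; the policies only diverge for the session with user credentials but no machine authentication, which is exactly the case a defender wants to treat as unmanaged rather than trusted.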