This comes down in most cases to a 'user experience' exercise. If clients have a client certificate, or, if they don't, have a method to get it, that should not give issues. It's just that if you can automate that process, for example with computer authentication, or an auth-failed VLAN, or TEAP authentication (computer+user), it's much easier for the end user if they are placed in a role/VLAN that (just) permits certificate enrollment, after which a reauthentication can bring the client into a more controlled state.
Your Aruba Partner, or local Aruba SE may be able to advise in your specific case what is possible, or most optimal.
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Nov 14, 2023 04:28 PM
From: cdelarosa
Subject: new wired 802.1x user
Herman, I've got a question.
If we do just user authentication with the dynamic VLAN that the client wants, does this bring them any issues?
Knowing that they know they need to have the user certificate first in order to connect to the wired network. They know that they will need to connect the computer and then log in with the new user so it can get the certificate on a port that does not have 802.1X, at least one time.
After it has its certificate, I guess there should not be any issue? Or could there be any issue?
Original Message:
Sent: Aug 10, 2023 03:44 AM
From: Herman Robers
Subject: new wired 802.1x user
That's a pretty good summary. Changing VLANs requires the client to re-DHCP and breaks any existing connections like profile downloads/GPO, possibly (likely) resulting in a corrupt profile.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Aug 09, 2023 10:26 AM
From: cdelarosa
Subject: new wired 802.1x user
Besides the problem I have, changing VLANs is not recommended for which reasons? I can think of these:
- Some supplicants will not manage this well (it doesn't work like Wi-Fi, which can just get one VLAN with the user authentication; on wired it will always get a VLAN first?)
- If the client has a GPO for the computer, it might break while downloading because it's changing to the user VLAN
- If the computer downloads scripts, those might break too while changing VLANs
Original Message:
Sent: Aug 09, 2023 04:21 AM
From: Herman Robers
Subject: new wired 802.1x user
The recommended settings are:
- Use TEAP (not possible due to Win 7)
- Use computer authentication only (rejected by the customer)
- Avoid VLAN switching (also rejected by the customer)
In that case there are not many options left. You may be successful with MAC authentication fallback (on wired) to still allow network access on a failed user authentication, but that would mean that the computer also needs to be configured to allow network access with failed authentication, and hope that Windows will request the user certificate under that circumstance. Or use a 'first login procedure' via guest/WLAN/dedicated wired port with non-authenticated access to the domain controllers/PKI to retrieve the certificate, but that comes with the cost of a reduced end-user experience.
Looks like we are a bit out of options.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Aug 07, 2023 08:00 PM
From: cdelarosa
Subject: new wired 802.1x user
Hello Herman
Okay, that doesn't seem to work.
If in my supplicant I have 'user or computer' and I have your option, it doesn't work.
If in my supplicant I have computer authentication only, it works, but it will only be on the VLAN that the port has or the VLAN that I assign with the machine authentication.
I guess I did a lot of tests already and I just would like to know your opinion on this, knowing this:
1. The client has Windows 7 so I cannot use EAP-TEAP.
2. They want to use VLAN segmentation for their own reasons. (I'll explain to them already that it's a bad idea.)
The only problem I have is the following:
When a new user comes into the company, he needs to authenticate on a port that works with 802.1X. If he could do that on a non-802.1X port then I would have no issue; the problem I'm having is that because the user does not have the user certificate (because he has not yet logged in on that PC) he cannot authenticate.
I don't find a solution to this.
I think the only thing I could do is tell them that they have to log those new users, and also OLD laptops that are changing owners, in on a port that does not authenticate with 802.1X, or to configure machine authentication only on that port, and on that port they will have to manually configure the VLAN they need.
Do you see any other option? How do big companies over there do it? At least here some companies just onboard on a non-802.1X port and that's it.
But I would like to know which would be the best practice for future reference.
Original Message:
Sent: Aug 07, 2023 10:24 AM
From: cdelarosa
Subject: new wired 802.1x user
I was reading more about the option. I could be wrong, Herman, but this option tells the device to complete a DHCP renewal after a successful user authentication.
The problem here is that I cannot authenticate the user because I will not have the user certificate yet; I guess I need to load the user profile in order to download their certificate. If what I said above is true then the computer won't be able to complete the user authentication, so it won't be able to download the certificate.
Let me know what you think.
Original Message:
Sent: Aug 07, 2023 10:08 AM
From: cdelarosa
Subject: new wired 802.1x user
Hello Herman
Not too much I can do there, that's how they want to manage it; the department that manages those VLAN rules is another one that does not manage the controller, they already have their firewall rules set with the VLANs, and want it to stay like that.
Anyway, I'll try your solution, which I hope works, as you said you never tried it before.
Now I've got a question. Let's say the user authenticates with the machine, and it will always do that because that's what it does when you log off and log in on Windows, and then it authenticates the user.
If it can authenticate the user, will it change the VLAN to the user VLAN? If it does not authenticate the user, will it just leave him on the machine VLAN?
Thanks
Original Message:
Sent: Aug 03, 2023 02:47 AM
From: Herman Robers
Subject: new wired 802.1x user
VLAN switching is a bad idea in general; it would be better to change the user role and link your access control to the role instead of to the VLAN.
However, there is under the Advanced Settings an option for Single Sign On with the description 'network uses separate VLANs for machine & user authentication', which may handle your case:
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/c8a5b58eca0240f099d2a6dfdbb9ab0e.png)
Have not tested this, as I avoid VLAN switching whenever possible.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Aug 02, 2023 03:34 PM
From: cdelarosa
Subject: new wired 802.1x user
Hello
I have been trying this for new users whose profile is not on a computer:
- If the user belongs to AD group X then give VLAN 5
- If the user belongs to AD group Z then give VLAN 10
- If TIPS role equals Machine Authenticated then give VLAN 2
Let's assume that the computer already has a computer certificate but the new user still does not have that user certificate.
What is happening is the following:
The new user connects and the profile loads and everything, but then it takes the computer out of the network. Didn't know that would happen.
What I see on the Access Tracker is that whenever a user logs in on the computer, it first does machine authentication and then user authentication. But since the user does not have a user certificate, it takes the computer out of the network. To make it work correctly there should be a user and a certificate already on the machine. Note that I don't have any AND rule for machine authentication in my enforcement; it's just like I showed above. The first policy applies.
The network will have a group policy that will push the user certificate through the AD to all the users.
And the process will be like this for new users in the company:
Tech Support joins the computer to the domain, a domain group policy pushes a machine certificate to that computer, all that on a non-802.1X port.
Then they give the end user their computer so they can log in. With the computer certificate it will let him connect to the AD, but I'm not sure if it will let him download all the profile and the certificates with the GPO before it puts the computer out of the network.
Does anyone have an idea? Or is there a better way to do it?
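The sequence described in the post above (machine authentication succeeds, the first user logon fails because there is no user certificate yet, and the client is dropped from the network) and the 'first login' enrollment fallback Herman outlines further down the thread, modeled as an added Python example. This is not ClearPass policy syntax or any vendor API: the rule format, the `Request`/`Outcome` classes, the `cert-enrollment` role and VLAN 99 are constructed assumptions for illustration only.

```python
"""Simplified model of the wired 802.1X onboarding flow discussed in this thread.

Added example, not ClearPass policy syntax or a vendor API. It shows why a
first-match policy with only "AD group -> VLAN" and "machine authenticated
-> VLAN" rules drops a new user off the network when that user has no
certificate yet, and how a restricted enrollment role applied on a failed
user authentication keeps the client reachable until the certificate is
issued and a reauthentication moves it to its final VLAN.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    auth_type: str                     # "machine" or "user"
    has_cert: bool                     # supplicant can present a valid EAP-TLS certificate
    ad_groups: Tuple[str, ...] = ()    # AD groups of the identity being authenticated


@dataclass(frozen=True)
class Outcome:
    access: str                        # "accept" or "reject"
    vlan: Optional[int] = None
    role: str = "none"


Rule = Tuple[Callable[[Request], bool], Outcome]

# The poster's three rules, evaluated first-match (constructed, not real syntax).
ORIGINAL_RULES: List[Rule] = [
    (lambda r: r.auth_type == "user" and "X" in r.ad_groups, Outcome("accept", 5, "user-x")),
    (lambda r: r.auth_type == "user" and "Z" in r.ad_groups, Outcome("accept", 10, "user-z")),
    (lambda r: r.auth_type == "machine", Outcome("accept", 2, "machine")),
]

# Hypothetical fallback for a failed user EAP on a port whose endpoint already
# passed machine authentication: a role that only reaches the DCs/PKI.
ENROLLMENT = Outcome("accept", 99, "cert-enrollment")


def evaluate(rules: List[Rule], req: Request,
             machine_authenticated: bool, enrollment_fallback: bool) -> Outcome:
    """EAP-TLS cannot complete without a certificate, so no rule is consulted
    and the request is rejected, unless a fallback covers that exact case."""
    if not req.has_cert:
        if enrollment_fallback and machine_authenticated:
            return ENROLLMENT
        return Outcome("reject")
    for cond, outcome in rules:
        if cond(req):
            return outcome
    return Outcome("reject")


def onboard_new_user(rules: List[Rule], enrollment_fallback: bool) -> List[Outcome]:
    """Sequence from the thread: machine auth at boot, user logs in without a
    user certificate, certificate gets enrolled, client reauthenticates."""
    trace: List[Outcome] = []
    machine = evaluate(rules, Request("machine", has_cert=True), False, enrollment_fallback)
    trace.append(machine)
    machine_ok = machine.access == "accept"
    first_user = evaluate(rules, Request("user", has_cert=False, ad_groups=("X",)),
                          machine_ok, enrollment_fallback)
    trace.append(first_user)
    if first_user.access == "reject":
        return trace  # client is off the network; GPO and cert enrollment cannot run
    # Enrollment ran inside the restricted role; reauthenticate with the new cert.
    trace.append(evaluate(rules, Request("user", has_cert=True, ad_groups=("X",)),
                          True, enrollment_fallback))
    return trace


def vlan_changes(trace: List[Outcome]) -> int:
    """Number of VLAN moves the client sees (each one forces a re-DHCP)."""
    vlans = [o.vlan for o in trace if o.access == "accept"]
    return sum(1 for a, b in zip(vlans, vlans[1:]) if a != b)


if __name__ == "__main__":
    for fallback in (False, True):
        trace = onboard_new_user(ORIGINAL_RULES, fallback)
        print(f"enrollment fallback={fallback}: "
              f"{[(o.access, o.vlan, o.role) for o in trace]}, "
              f"VLAN changes={vlan_changes(trace)}")
```

Without the fallback the trace stops at the rejected user authentication, which is the "computer taken out of the network" symptom. With it the client goes through three VLANs (2, 99, 5), which is the re-DHCP and broken-session cost Herman describes; assigning a role instead of a VLAN at each step avoids that cost while keeping the same access decisions.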
Original Message:
Sent: Jul 19, 2023 04:52 AM
From: matchabear
Subject: new wired 802.1x user
Hi,
Here we apply a so-called quarantine VLAN to get the EAP-TLS cert and do the first-time login (Kerberos). So in that qVLAN only certain ports are allowed, the ones required to do those two tasks (restriction done by firewall).
Original Message:
Sent: 7/14/2023 7:46:00 PM
From: cdelarosa
Subject: new wired 802.1x user
Hello, I've got a question.
We have a client that does this:
The support team joins the machine to the AD domain and sets up the machine.
They create a user and a random password for the user, and then they turn off the machine from their account.
They give the new user the machine so they can log in with their new user, and they can change their random password to a new password.
Now I face a problem here, and it's that the support team is using a free 802.1X port, so they don't have any issue with putting the machine in the AD and all that.
But when the new user tries to log in with their new user, which does not have their profile on that machine and has never connected to the network, they get the error that they cannot connect to the network; it says that the domain is not available, and that I should be sure that it's connected to the network.
I see in ClearPass that it tries to connect doing machine authentication instead of using the user and password.
And now that I think about it, I would have a big problem when we change to EAP-TLS, because there is no way they can get the user certificate if the user has not connected yet to their profile and downloaded the group policy that gives it the user certificate.
I don't know how to get around this.
Does the user always have to authenticate the first time on a port without 802.1X authentication?
Any ideas on how you all do this?