Security

Hello  i got a question 

We have a client that does this:

The support team join the machine on the AD domain  and set the machine.  

They create a user and a random password for the user and then they turn off the machine of their account.

They give the new user the machine so they can log in with their new user -and they can change their random password with the new password

Now i face a problem here,  and its that the support team are using a free 802.1x port so they dont have any issue with putting the machine in the AD and all that

But when the new user try to log in with their new user that does not have their profile in that machine and that has never connected to the network they get the error that they cannot connect to the network, it says that the domain is not avaliable, and i should be sure that its connected to the network. 

I see in the clearpass that it try to connect doing machine authentication instead of using the user and password 

And now that i think.  I would have a big problem when we change to eap TLS because there is no way they can get the user certificate if the user has not connected yet to their proflle and download the group policy that give it the user certificate

I don tknow how to go around this.

Does the user has to alwasy authenticate  the first time without a port wirhtout the 802.1x  authentication? 

Any ideas of how you all guys do this ? 

With EAP-TLS or EAP-PEAP, the most used method is to switch to computer-only authentication.

If you need user authentication, then TEAP may be a good method to use. It combines computer and user authentication in the same 'authentication transaction' and would allow scenarios where the user or computer authentication can even fail, and the computer can still be connected and placed in the correct VLAN/role to reflect that authentication status. Here is a video that explains TEAP based on EAP-TLS.

Hello  i got a question 

We have a client that does this:

The support team join the machine on the AD domain  and set the machine.  

They create a user and a random password for the user and then they turn off the machine of their account.

They give the new user the machine so they can log in with their new user -and they can change their random password with the new password

Now i face a problem here,  and its that the support team are using a free 802.1x port so they dont have any issue with putting the machine in the AD and all that

But when the new user try to log in with their new user that does not have their profile in that machine and that has never connected to the network they get the error that they cannot connect to the network, it says that the domain is not avaliable, and i should be sure that its connected to the network. 

I see in the clearpass that it try to connect doing machine authentication instead of using the user and password 

And now that i think.  I would have a big problem when we change to eap TLS because there is no way they can get the user certificate if the user has not connected yet to their proflle and download the group policy that give it the user certificate

I don tknow how to go around this.

Does the user has to alwasy authenticate  the first time without a port wirhtout the 802.1x  authentication? 

Any ideas of how you all guys do this ? 

Hello 

Thanks for your answer guys

Ahollifield that could be a solution yes but i need that the machine authenticates but not only that, they need to be send an specific vlan

Herman, thanks for your answer, i was about to do what you said, but the client has windows 7, as i could see on your video we need windows 10 for TEAP to work 

So it seems that the only option i have is the machine authentication

right now i have on the enforment something simple for testing

If the user belongs to ADgroup X then give VLAN 5

If the user belongs to ADgroup Z then give VLAN 10

Tips roles equals machines authenticated then give the vlan 2

The first that applys is used 

It SEEMS to work.  It authenticated with machine then it authenticated with the user 

On the windows 10 i have user or machine option selected.

Im not sure if i should be using 

If the user belongs to ADgroup X AND machine authenticate then give VLAN 5

If the user belongs to ADgroup Z AND machine authenticate then give VLAN 10

Not  sure if that will work (ill try that today)

Herman if you think any of those will give trouble please let me know , and what could be the best way to do it

I cannot only machine authenticate because as i said the user needs to go to an specific vlan after authenticating

With EAP-TLS or EAP-PEAP, the most used method is to switch to computer-only authentication.

If you need user authentication, then TEAP may be a good method to use. It combines computer and user authentication in the same 'authentication transaction' and would allow scenarios where the user or computer authentication can even fail, and the computer can still be connected and placed in the correct VLAN/role to reflect that authentication status. Here is a video that explains TEAP based on EAP-TLS.

Hello  i got a question 

We have a client that does this:

The support team join the machine on the AD domain  and set the machine.  

They create a user and a random password for the user and then they turn off the machine of their account.

They give the new user the machine so they can log in with their new user -and they can change their random password with the new password

Now i face a problem here,  and its that the support team are using a free 802.1x port so they dont have any issue with putting the machine in the AD and all that

But when the new user try to log in with their new user that does not have their profile in that machine and that has never connected to the network they get the error that they cannot connect to the network, it says that the domain is not avaliable, and i should be sure that its connected to the network. 

I see in the clearpass that it try to connect doing machine authentication instead of using the user and password 

And now that i think.  I would have a big problem when we change to eap TLS because there is no way they can get the user certificate if the user has not connected yet to their proflle and download the group policy that give it the user certificate

I don tknow how to go around this.

Does the user has to alwasy authenticate  the first time without a port wirhtout the 802.1x  authentication? 

Any ideas of how you all guys do this ? 

Hello 

Thanks for your answer guys

Ahollifield that could be a solution yes but i need that the machine authenticates but not only that, they need to be send an specific vlan

Herman, thanks for your answer, i was about to do what you said, but the client has windows 7, as i could see on your video we need windows 10 for TEAP to work 

So it seems that the only option i have is the machine authentication

right now i have on the enforment something simple for testing

If the user belongs to ADgroup X then give VLAN 5

If the user belongs to ADgroup Z then give VLAN 10

Tips roles equals machines authenticated then give the vlan 2

The first that applys is used 

It SEEMS to work.  It authenticated with machine then it authenticated with the user 

On the windows 10 i have user or machine option selected.

Im not sure if i should be using 

If the user belongs to ADgroup X AND machine authenticate then give VLAN 5

If the user belongs to ADgroup Z AND machine authenticate then give VLAN 10

Not  sure if that will work (ill try that today)

Herman if you think any of those will give trouble please let me know , and what could be the best way to do it

I cannot only machine authenticate because as i said the user needs to go to an specific vlan after authenticating

With EAP-TLS or EAP-PEAP, the most used method is to switch to computer-only authentication.

If you need user authentication, then TEAP may be a good method to use. It combines computer and user authentication in the same 'authentication transaction' and would allow scenarios where the user or computer authentication can even fail, and the computer can still be connected and placed in the correct VLAN/role to reflect that authentication status. Here is a video that explains TEAP based on EAP-TLS.

Hello  i got a question 

We have a client that does this:

The support team join the machine on the AD domain  and set the machine.  

They create a user and a random password for the user and then they turn off the machine of their account.

They give the new user the machine so they can log in with their new user -and they can change their random password with the new password

Now i face a problem here,  and its that the support team are using a free 802.1x port so they dont have any issue with putting the machine in the AD and all that

But when the new user try to log in with their new user that does not have their profile in that machine and that has never connected to the network they get the error that they cannot connect to the network, it says that the domain is not avaliable, and i should be sure that its connected to the network. 

I see in the clearpass that it try to connect doing machine authentication instead of using the user and password 

And now that i think.  I would have a big problem when we change to eap TLS because there is no way they can get the user certificate if the user has not connected yet to their proflle and download the group policy that give it the user certificate

I don tknow how to go around this.

Does the user has to alwasy authenticate  the first time without a port wirhtout the 802.1x  authentication? 

Any ideas of how you all guys do this ? 

Hello  i got a question 

We have a client that does this:

The support team join the machine on the AD domain  and set the machine.  

They create a user and a random password for the user and then they turn off the machine of their account.

They give the new user the machine so they can log in with their new user -and they can change their random password with the new password

Now i face a problem here,  and its that the support team are using a free 802.1x port so they dont have any issue with putting the machine in the AD and all that

But when the new user try to log in with their new user that does not have their profile in that machine and that has never connected to the network they get the error that they cannot connect to the network, it says that the domain is not avaliable, and i should be sure that its connected to the network. 

I see in the clearpass that it try to connect doing machine authentication instead of using the user and password 

And now that i think.  I would have a big problem when we change to eap TLS because there is no way they can get the user certificate if the user has not connected yet to their proflle and download the group policy that give it the user certificate

I don tknow how to go around this.

Does the user has to alwasy authenticate  the first time without a port wirhtout the 802.1x  authentication? 

Any ideas of how you all guys do this ? 

Switch to EAP-TLS with machine certificates (machine authentication).  Enroll the machine certificate onto the PC when the device the built at the port with 802.1X disabled.

Hello  i got a question 

We have a client that does this:

The support team join the machine on the AD domain  and set the machine.  

They create a user and a random password for the user and then they turn off the machine of their account.

They give the new user the machine so they can log in with their new user -and they can change their random password with the new password

Now i face a problem here,  and its that the support team are using a free 802.1x port so they dont have any issue with putting the machine in the AD and all that

But when the new user try to log in with their new user that does not have their profile in that machine and that has never connected to the network they get the error that they cannot connect to the network, it says that the domain is not avaliable, and i should be sure that its connected to the network. 

I see in the clearpass that it try to connect doing machine authentication instead of using the user and password 

And now that i think.  I would have a big problem when we change to eap TLS because there is no way they can get the user certificate if the user has not connected yet to their proflle and download the group policy that give it the user certificate

I don tknow how to go around this.

Does the user has to alwasy authenticate  the first time without a port wirhtout the 802.1x  authentication? 

Any ideas of how you all guys do this ? 

Hello  i got a question 

We have a client that does this:

The support team join the machine on the AD domain  and set the machine.  

They create a user and a random password for the user and then they turn off the machine of their account.

They give the new user the machine so they can log in with their new user -and they can change their random password with the new password

Now i face a problem here,  and its that the support team are using a free 802.1x port so they dont have any issue with putting the machine in the AD and all that

But when the new user try to log in with their new user that does not have their profile in that machine and that has never connected to the network they get the error that they cannot connect to the network, it says that the domain is not avaliable, and i should be sure that its connected to the network. 

I see in the clearpass that it try to connect doing machine authentication instead of using the user and password 

And now that i think.  I would have a big problem when we change to eap TLS because there is no way they can get the user certificate if the user has not connected yet to their proflle and download the group policy that give it the user certificate

I don tknow how to go around this.

Does the user has to alwasy authenticate  the first time without a port wirhtout the 802.1x  authentication? 

Any ideas of how you all guys do this ? 

Hello  i got a question 

We have a client that does this:

The support team join the machine on the AD domain  and set the machine.  

They create a user and a random password for the user and then they turn off the machine of their account.

They give the new user the machine so they can log in with their new user -and they can change their random password with the new password

Now i face a problem here,  and its that the support team are using a free 802.1x port so they dont have any issue with putting the machine in the AD and all that

But when the new user try to log in with their new user that does not have their profile in that machine and that has never connected to the network they get the error that they cannot connect to the network, it says that the domain is not avaliable, and i should be sure that its connected to the network. 

I see in the clearpass that it try to connect doing machine authentication instead of using the user and password 

And now that i think.  I would have a big problem when we change to eap TLS because there is no way they can get the user certificate if the user has not connected yet to their proflle and download the group policy that give it the user certificate

I don tknow how to go around this.

Does the user has to alwasy authenticate  the first time without a port wirhtout the 802.1x  authentication? 

Any ideas of how you all guys do this ? 

Hello 

I have been trying thise for new users  that their profile are not on a computer 

If the user belongs to ADgroup X then give VLAN 5

If the user belongs to ADgroup Z then give VLAN 10

Tips roles equals machines authenticated then give the vlan 2

Lets assume that the computer already have a computer certificate but the new user still does not have that user certificate

What is happening is the fallowing:

The new user connect and the profile load and everything but then it takes the computer out of the network.  Didnt know that would happen.  

What i see on the access tracker is that whenever a user logs in the computer he firts machine authenticate and then user authenticate..  But since the user does not have a user certificate it takes the computer out of the network.  To make it works correctly there should be a user and a certificate already on the machine. Note that i dont have in my enforment any AND fule for machine authentication, its just like i showed up.  The first policy applies.

The network will have a group policy that will push the users certificate through the AD to all the users 

And the process will be like this for new users in the company: 

Tech Support join the domain the computer, a domain group policy will push a machine certificate to that computer, all that in a non 802.1x port

Then they give the end user their computer so they can log in.  With the computer certificate it will let him connect the AD but im not sure if it will let him download all the profile and the certificates with the GPO before it puts the computer out of the network

Does anyone have an idea?  or there is a better way to do it?

Hello  i got a question 

We have a client that does this:

The support team join the machine on the AD domain  and set the machine.  

They create a user and a random password for the user and then they turn off the machine of their account.

They give the new user the machine so they can log in with their new user -and they can change their random password with the new password

Now i face a problem here,  and its that the support team are using a free 802.1x port so they dont have any issue with putting the machine in the AD and all that

But when the new user try to log in with their new user that does not have their profile in that machine and that has never connected to the network they get the error that they cannot connect to the network, it says that the domain is not avaliable, and i should be sure that its connected to the network. 

I see in the clearpass that it try to connect doing machine authentication instead of using the user and password 

And now that i think.  I would have a big problem when we change to eap TLS because there is no way they can get the user certificate if the user has not connected yet to their proflle and download the group policy that give it the user certificate

I don tknow how to go around this.

Does the user has to alwasy authenticate  the first time without a port wirhtout the 802.1x  authentication? 

Any ideas of how you all guys do this ? 

VLAN switching is a bad idea in general, it would be better to change the user role and link your access control to the role instead of to the VLAN.

However, there is under the Advanced Settings an option for Single Sign On with the description 'network uses separate VLANs for machine & user authentication', which may handle your case:

Have not tested this, as I avoid VLAN switching whenever possible.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 02, 2023 03:34 PM
From: cdelarosa
Subject: new wired 802.1x user

Hello 

I have been trying thise for new users  that their profile are not on a computer 

If the user belongs to ADgroup X then give VLAN 5

If the user belongs to ADgroup Z then give VLAN 10

Tips roles equals machines authenticated then give the vlan 2

Lets assume that the computer already have a computer certificate but the new user still does not have that user certificate

What is happening is the fallowing:

The new user connect and the profile load and everything but then it takes the computer out of the network.  Didnt know that would happen.  

What i see on the access tracker is that whenever a user logs in the computer he firts machine authenticate and then user authenticate..  But since the user does not have a user certificate it takes the computer out of the network.  To make it works correctly there should be a user and a certificate already on the machine. Note that i dont have in my enforment any AND fule for machine authentication, its just like i showed up.  The first policy applies.

The network will have a group policy that will push the users certificate through the AD to all the users 

And the process will be like this for new users in the company: 

Tech Support join the domain the computer, a domain group policy will push a machine certificate to that computer, all that in a non 802.1x port

Then they give the end user their computer so they can log in.  With the computer certificate it will let him connect the AD but im not sure if it will let him download all the profile and the certificates with the GPO before it puts the computer out of the network

Does anyone have an idea?  or there is a better way to do it?

Original Message:
Sent: Jul 19, 2023 04:52 AM
From: matchabear
Subject: new wired 802.1x user

Original Message:
Sent: 7/14/2023 7:46:00 PM
From: cdelarosa
Subject: new wired 802.1x user

Hello  i got a question 

We have a client that does this:

The support team join the machine on the AD domain  and set the machine.  

They create a user and a random password for the user and then they turn off the machine of their account.

They give the new user the machine so they can log in with their new user -and they can change their random password with the new password

Now i face a problem here,  and its that the support team are using a free 802.1x port so they dont have any issue with putting the machine in the AD and all that

But when the new user try to log in with their new user that does not have their profile in that machine and that has never connected to the network they get the error that they cannot connect to the network, it says that the domain is not avaliable, and i should be sure that its connected to the network. 

I see in the clearpass that it try to connect doing machine authentication instead of using the user and password 

And now that i think.  I would have a big problem when we change to eap TLS because there is no way they can get the user certificate if the user has not connected yet to their proflle and download the group policy that give it the user certificate

I don tknow how to go around this.

Does the user has to alwasy authenticate  the first time without a port wirhtout the 802.1x  authentication? 

Any ideas of how you all guys do this ? 

Hello Herman

Not too much i can do there, thats how they want to manage it, the department that manage those vlans rules are another one that does not manage the controller, they already have their firewall rules set with the vilans, and want it to stay like that.

Anyways i ll try your solution, which i hope it works as you said you never tried it before

Now i got a question let say the user authenticate with machine and it will always do because thats what it does when you log off and log in windows, and then authenticate the user

If it can authenticate the user it will change the vlan to the user vlan? if it does not authenticate the user it will just leave him on the machine vlan?

Thanks

Original Message:
Sent: Aug 03, 2023 02:47 AM
From: Herman Robers
Subject: new wired 802.1x user

VLAN switching is a bad idea in general, it would be better to change the user role and link your access control to the role instead of to the VLAN.

However, there is under the Advanced Settings an option for Single Sign On with the description 'network uses separate VLANs for machine & user authentication', which may handle your case:

Have not tested this, as I avoid VLAN switching whenever possible.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 02, 2023 03:34 PM
From: cdelarosa
Subject: new wired 802.1x user

Hello 

I have been trying thise for new users  that their profile are not on a computer 

If the user belongs to ADgroup X then give VLAN 5

If the user belongs to ADgroup Z then give VLAN 10

Tips roles equals machines authenticated then give the vlan 2

Lets assume that the computer already have a computer certificate but the new user still does not have that user certificate

What is happening is the fallowing:

The new user connect and the profile load and everything but then it takes the computer out of the network.  Didnt know that would happen.  

What i see on the access tracker is that whenever a user logs in the computer he firts machine authenticate and then user authenticate..  But since the user does not have a user certificate it takes the computer out of the network.  To make it works correctly there should be a user and a certificate already on the machine. Note that i dont have in my enforment any AND fule for machine authentication, its just like i showed up.  The first policy applies.

The network will have a group policy that will push the users certificate through the AD to all the users 

And the process will be like this for new users in the company: 

Tech Support join the domain the computer, a domain group policy will push a machine certificate to that computer, all that in a non 802.1x port

Then they give the end user their computer so they can log in.  With the computer certificate it will let him connect the AD but im not sure if it will let him download all the profile and the certificates with the GPO before it puts the computer out of the network

Does anyone have an idea?  or there is a better way to do it?

Original Message:
Sent: Jul 19, 2023 04:52 AM
From: matchabear
Subject: new wired 802.1x user

Original Message:
Sent: 7/14/2023 7:46:00 PM
From: cdelarosa
Subject: new wired 802.1x user

Hello  i got a question 

We have a client that does this:

The support team join the machine on the AD domain  and set the machine.  

They create a user and a random password for the user and then they turn off the machine of their account.

They give the new user the machine so they can log in with their new user -and they can change their random password with the new password

Now i face a problem here,  and its that the support team are using a free 802.1x port so they dont have any issue with putting the machine in the AD and all that

But when the new user try to log in with their new user that does not have their profile in that machine and that has never connected to the network they get the error that they cannot connect to the network, it says that the domain is not avaliable, and i should be sure that its connected to the network. 

I see in the clearpass that it try to connect doing machine authentication instead of using the user and password 

And now that i think.  I would have a big problem when we change to eap TLS because there is no way they can get the user certificate if the user has not connected yet to their proflle and download the group policy that give it the user certificate

I don tknow how to go around this.

Does the user has to alwasy authenticate  the first time without a port wirhtout the 802.1x  authentication? 

Any ideas of how you all guys do this ? 

I was reading more about the option, i could be wrong Herman but This option tells the device to complete a DHCP renewal after a successful user authentication.

The problem here is that i cannot authenticate the user because i will not have user certificate yet, i need i guess to load the user profile in order to download their certificate.   IF it true what i said up then the computer wont be able to complete the user authentication so it wont be able to download the certificate.

Let me know what you think 

Hello Herman

Not too much i can do there, thats how they want to manage it, the department that manage those vlans rules are another one that does not manage the controller, they already have their firewall rules set with the vilans, and want it to stay like that.

Anyways i ll try your solution, which i hope it works as you said you never tried it before

Now i got a question let say the user authenticate with machine and it will always do because thats what it does when you log off and log in windows, and then authenticate the user

If it can authenticate the user it will change the vlan to the user vlan? if it does not authenticate the user it will just leave him on the machine vlan?

Thanks

Original Message:
Sent: Aug 03, 2023 02:47 AM
From: Herman Robers
Subject: new wired 802.1x user

VLAN switching is a bad idea in general, it would be better to change the user role and link your access control to the role instead of to the VLAN.

However, there is under the Advanced Settings an option for Single Sign On with the description 'network uses separate VLANs for machine & user authentication', which may handle your case:

Have not tested this, as I avoid VLAN switching whenever possible.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 02, 2023 03:34 PM
From: cdelarosa
Subject: new wired 802.1x user

Hello 

I have been trying thise for new users  that their profile are not on a computer 

If the user belongs to ADgroup X then give VLAN 5

If the user belongs to ADgroup Z then give VLAN 10

Tips roles equals machines authenticated then give the vlan 2

Lets assume that the computer already have a computer certificate but the new user still does not have that user certificate

What is happening is the fallowing:

The new user connect and the profile load and everything but then it takes the computer out of the network.  Didnt know that would happen.  

What i see on the access tracker is that whenever a user logs in the computer he firts machine authenticate and then user authenticate..  But since the user does not have a user certificate it takes the computer out of the network.  To make it works correctly there should be a user and a certificate already on the machine. Note that i dont have in my enforment any AND fule for machine authentication, its just like i showed up.  The first policy applies.

The network will have a group policy that will push the users certificate through the AD to all the users 

And the process will be like this for new users in the company: 

Tech Support join the domain the computer, a domain group policy will push a machine certificate to that computer, all that in a non 802.1x port

Then they give the end user their computer so they can log in.  With the computer certificate it will let him connect the AD but im not sure if it will let him download all the profile and the certificates with the GPO before it puts the computer out of the network

Does anyone have an idea?  or there is a better way to do it?

Original Message:
Sent: Jul 19, 2023 04:52 AM
From: matchabear
Subject: new wired 802.1x user

Original Message:
Sent: 7/14/2023 7:46:00 PM
From: cdelarosa
Subject: new wired 802.1x user

Hello  i got a question 

We have a client that does this:

The support team join the machine on the AD domain  and set the machine.  

They create a user and a random password for the user and then they turn off the machine of their account.

They give the new user the machine so they can log in with their new user -and they can change their random password with the new password

Now i face a problem here,  and its that the support team are using a free 802.1x port so they dont have any issue with putting the machine in the AD and all that

But when the new user try to log in with their new user that does not have their profile in that machine and that has never connected to the network they get the error that they cannot connect to the network, it says that the domain is not avaliable, and i should be sure that its connected to the network. 

I see in the clearpass that it try to connect doing machine authentication instead of using the user and password 

And now that i think.  I would have a big problem when we change to eap TLS because there is no way they can get the user certificate if the user has not connected yet to their proflle and download the group policy that give it the user certificate

I don tknow how to go around this.

Does the user has to alwasy authenticate  the first time without a port wirhtout the 802.1x  authentication? 

Any ideas of how you all guys do this ? 

Hello Herman

Okay that doesnt seems to work 

If in my supplicant i got user or computer and i have your option  it doesnt work

If in my supplicant i got computer authentication only it works, but it will only be on the vlan that the port has  or the vlan that i assign with the machine authentication.

I guess i did a lot of test already and i just would like to know your opinion in this knowing this:

1-the client has windows 7 so i cannot use EAP TEAP

2-They want to use vlans segmentation for their own reasons. (ill explain them that its a bad idea already)

The only problem i have is the fallowing:

When new user comes into the company and he needs to authenticate with a port that works in 802.1x.  If he could do that but in a non 802.1x port then i would have no issue, the problem im having is that because the user does not have the user certificate because he has not yet logged in that pc he cannot authenticate

I dont find a solution to this

I think the only thing i could do its telling them that they have to log those new users and also OLD laptops that are changing from owners to log in, in a port that does not authenticate with 802.1x, or to configure machine authenticate only on that port and in that port they will have to manually to configure that vlan they need

Do you see any other option? how does big companys over there do it ? at least here some companies just onboard on a non 802.1x port and thats it

But i would like to know which would be the best practice to future reference  

I was reading more about the option, i could be wrong Herman but This option tells the device to complete a DHCP renewal after a successful user authentication.

The problem here is that i cannot authenticate the user because i will not have user certificate yet, i need i guess to load the user profile in order to download their certificate.   IF it true what i said up then the computer wont be able to complete the user authentication so it wont be able to download the certificate.

Let me know what you think 

Hello Herman

Not too much i can do there, thats how they want to manage it, the department that manage those vlans rules are another one that does not manage the controller, they already have their firewall rules set with the vilans, and want it to stay like that.

Anyways i ll try your solution, which i hope it works as you said you never tried it before

Now i got a question let say the user authenticate with machine and it will always do because thats what it does when you log off and log in windows, and then authenticate the user

If it can authenticate the user it will change the vlan to the user vlan? if it does not authenticate the user it will just leave him on the machine vlan?

Thanks

Original Message:
Sent: Aug 03, 2023 02:47 AM
From: Herman Robers
Subject: new wired 802.1x user

VLAN switching is a bad idea in general, it would be better to change the user role and link your access control to the role instead of to the VLAN.

However, there is under the Advanced Settings an option for Single Sign On with the description 'network uses separate VLANs for machine & user authentication', which may handle your case:

Have not tested this, as I avoid VLAN switching whenever possible.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 02, 2023 03:34 PM
From: cdelarosa
Subject: new wired 802.1x user

Hello 

I have been trying thise for new users  that their profile are not on a computer 

If the user belongs to ADgroup X then give VLAN 5

If the user belongs to ADgroup Z then give VLAN 10

Tips roles equals machines authenticated then give the vlan 2

Lets assume that the computer already have a computer certificate but the new user still does not have that user certificate

What is happening is the fallowing:

The new user connect and the profile load and everything but then it takes the computer out of the network.  Didnt know that would happen.  

What i see on the access tracker is that whenever a user logs in the computer he firts machine authenticate and then user authenticate..  But since the user does not have a user certificate it takes the computer out of the network.  To make it works correctly there should be a user and a certificate already on the machine. Note that i dont have in my enforment any AND fule for machine authentication, its just like i showed up.  The first policy applies.

The network will have a group policy that will push the users certificate through the AD to all the users 

And the process will be like this for new users in the company: 

Tech Support join the domain the computer, a domain group policy will push a machine certificate to that computer, all that in a non 802.1x port

Then they give the end user their computer so they can log in.  With the computer certificate it will let him connect the AD but im not sure if it will let him download all the profile and the certificates with the GPO before it puts the computer out of the network

Does anyone have an idea?  or there is a better way to do it?

Original Message:
Sent: Jul 19, 2023 04:52 AM
From: matchabear
Subject: new wired 802.1x user

Original Message:
Sent: 7/14/2023 7:46:00 PM
From: cdelarosa
Subject: new wired 802.1x user

Hello  i got a question 

We have a client that does this:

The support team join the machine on the AD domain  and set the machine.  

They create a user and a random password for the user and then they turn off the machine of their account.

They give the new user the machine so they can log in with their new user -and they can change their random password with the new password

Now i face a problem here,  and its that the support team are using a free 802.1x port so they dont have any issue with putting the machine in the AD and all that

But when the new user try to log in with their new user that does not have their profile in that machine and that has never connected to the network they get the error that they cannot connect to the network, it says that the domain is not avaliable, and i should be sure that its connected to the network. 

I see in the clearpass that it try to connect doing machine authentication instead of using the user and password 

And now that i think.  I would have a big problem when we change to eap TLS because there is no way they can get the user certificate if the user has not connected yet to their proflle and download the group policy that give it the user certificate

I don tknow how to go around this.

Does the user has to alwasy authenticate  the first time without a port wirhtout the 802.1x  authentication? 

Any ideas of how you all guys do this ? 

The recommended settings are:

• Use TEAP (not possible due to Win 7)
• Use computer authentication only (rejected by the customer)
• Avoid VLAN switching (also rejected by the customer)

In that case there are not so much options left. You may be successful with mac authentication fallback (on wired) to still allow network access on a failed user authentication, but that would mean that the computer also needs to be configured to allow network access with failed authentication, and hope that Windows will request the user certificate under that circumstance. Or use a 'first login procedure' via guest/WLAN/dedicated wired port with nonauthenticated access to the domaincontrollers/PKI to retrieve the certificate, but that comes with the cost of reduced end-user experience.

Looks like we are a bit out of options.

Hello Herman

Okay that doesnt seems to work 

If in my supplicant i got user or computer and i have your option  it doesnt work

If in my supplicant i got computer authentication only it works, but it will only be on the vlan that the port has  or the vlan that i assign with the machine authentication.

I guess i did a lot of test already and i just would like to know your opinion in this knowing this:

1-the client has windows 7 so i cannot use EAP TEAP

2-They want to use vlans segmentation for their own reasons. (ill explain them that its a bad idea already)

The only problem i have is the fallowing:

When new user comes into the company and he needs to authenticate with a port that works in 802.1x.  If he could do that but in a non 802.1x port then i would have no issue, the problem im having is that because the user does not have the user certificate because he has not yet logged in that pc he cannot authenticate

I dont find a solution to this

I think the only thing i could do its telling them that they have to log those new users and also OLD laptops that are changing from owners to log in, in a port that does not authenticate with 802.1x, or to configure machine authenticate only on that port and in that port they will have to manually to configure that vlan they need

Do you see any other option? how does big companys over there do it ? at least here some companies just onboard on a non 802.1x port and thats it

But i would like to know which would be the best practice to future reference  

I was reading more about the option, i could be wrong Herman but This option tells the device to complete a DHCP renewal after a successful user authentication.

The problem here is that i cannot authenticate the user because i will not have user certificate yet, i need i guess to load the user profile in order to download their certificate.   IF it true what i said up then the computer wont be able to complete the user authentication so it wont be able to download the certificate.

Let me know what you think 

Hello Herman

Not too much i can do there, thats how they want to manage it, the department that manage those vlans rules are another one that does not manage the controller, they already have their firewall rules set with the vilans, and want it to stay like that.

Anyways i ll try your solution, which i hope it works as you said you never tried it before

Now i got a question let say the user authenticate with machine and it will always do because thats what it does when you log off and log in windows, and then authenticate the user

If it can authenticate the user it will change the vlan to the user vlan? if it does not authenticate the user it will just leave him on the machine vlan?

Thanks

Original Message:
Sent: Aug 03, 2023 02:47 AM
From: Herman Robers
Subject: new wired 802.1x user

VLAN switching is a bad idea in general, it would be better to change the user role and link your access control to the role instead of to the VLAN.

However, there is under the Advanced Settings an option for Single Sign On with the description 'network uses separate VLANs for machine & user authentication', which may handle your case:

Have not tested this, as I avoid VLAN switching whenever possible.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 02, 2023 03:34 PM
From: cdelarosa
Subject: new wired 802.1x user

Hello 

I have been trying thise for new users  that their profile are not on a computer 

If the user belongs to ADgroup X then give VLAN 5

If the user belongs to ADgroup Z then give VLAN 10

Tips roles equals machines authenticated then give the vlan 2

Lets assume that the computer already have a computer certificate but the new user still does not have that user certificate

What is happening is the fallowing:

The new user connect and the profile load and everything but then it takes the computer out of the network.  Didnt know that would happen.  

What i see on the access tracker is that whenever a user logs in the computer he firts machine authenticate and then user authenticate..  But since the user does not have a user certificate it takes the computer out of the network.  To make it works correctly there should be a user and a certificate already on the machine. Note that i dont have in my enforment any AND fule for machine authentication, its just like i showed up.  The first policy applies.

The network will have a group policy that will push the users certificate through the AD to all the users 

And the process will be like this for new users in the company: 

Tech Support join the domain the computer, a domain group policy will push a machine certificate to that computer, all that in a non 802.1x port

Then they give the end user their computer so they can log in.  With the computer certificate it will let him connect the AD but im not sure if it will let him download all the profile and the certificates with the GPO before it puts the computer out of the network

Does anyone have an idea?  or there is a better way to do it?

Original Message:
Sent: Jul 19, 2023 04:52 AM
From: matchabear
Subject: new wired 802.1x user

Original Message:
Sent: 7/14/2023 7:46:00 PM
From: cdelarosa
Subject: new wired 802.1x user

Hello  i got a question 

We have a client that does this:

The support team join the machine on the AD domain  and set the machine.  

They create a user and a random password for the user and then they turn off the machine of their account.

They give the new user the machine so they can log in with their new user -and they can change their random password with the new password

Now i face a problem here,  and its that the support team are using a free 802.1x port so they dont have any issue with putting the machine in the AD and all that

But when the new user try to log in with their new user that does not have their profile in that machine and that has never connected to the network they get the error that they cannot connect to the network, it says that the domain is not avaliable, and i should be sure that its connected to the network. 

I see in the clearpass that it try to connect doing machine authentication instead of using the user and password 

And now that i think.  I would have a big problem when we change to eap TLS because there is no way they can get the user certificate if the user has not connected yet to their proflle and download the group policy that give it the user certificate

I don tknow how to go around this.

Does the user has to alwasy authenticate  the first time without a port wirhtout the 802.1x  authentication? 

Any ideas of how you all guys do this ? 

Besides the problem i have changing vlans is not recommened for which reasons? i can think of these

Some supplicants will not manage well this well(it doesnt work like the WIFI that  can just get one vlan with the user authentication, it will always get a vlan first on the wired?)

client has GPO for the computer it might break it while downloading beacuse its changing to to the user vlan

If the computer donwload  a scripts might break too while changing vlans

The recommended settings are:

• Use TEAP (not possible due to Win 7)
• Use computer authentication only (rejected by the customer)
• Avoid VLAN switching (also rejected by the customer)

In that case there are not so much options left. You may be successful with mac authentication fallback (on wired) to still allow network access on a failed user authentication, but that would mean that the computer also needs to be configured to allow network access with failed authentication, and hope that Windows will request the user certificate under that circumstance. Or use a 'first login procedure' via guest/WLAN/dedicated wired port with nonauthenticated access to the domaincontrollers/PKI to retrieve the certificate, but that comes with the cost of reduced end-user experience.

Looks like we are a bit out of options.

Hello Herman

Okay that doesnt seems to work 

If in my supplicant i got user or computer and i have your option  it doesnt work

If in my supplicant i got computer authentication only it works, but it will only be on the vlan that the port has  or the vlan that i assign with the machine authentication.

I guess i did a lot of test already and i just would like to know your opinion in this knowing this:

1-the client has windows 7 so i cannot use EAP TEAP

2-They want to use vlans segmentation for their own reasons. (ill explain them that its a bad idea already)

The only problem i have is the fallowing:

When new user comes into the company and he needs to authenticate with a port that works in 802.1x.  If he could do that but in a non 802.1x port then i would have no issue, the problem im having is that because the user does not have the user certificate because he has not yet logged in that pc he cannot authenticate

I dont find a solution to this

I think the only thing i could do its telling them that they have to log those new users and also OLD laptops that are changing from owners to log in, in a port that does not authenticate with 802.1x, or to configure machine authenticate only on that port and in that port they will have to manually to configure that vlan they need

Do you see any other option? how does big companys over there do it ? at least here some companies just onboard on a non 802.1x port and thats it

But i would like to know which would be the best practice to future reference  

I was reading more about the option, i could be wrong Herman but This option tells the device to complete a DHCP renewal after a successful user authentication.

The problem here is that i cannot authenticate the user because i will not have user certificate yet, i need i guess to load the user profile in order to download their certificate.   IF it true what i said up then the computer wont be able to complete the user authentication so it wont be able to download the certificate.

Let me know what you think 

Hello Herman

Not too much i can do there, thats how they want to manage it, the department that manage those vlans rules are another one that does not manage the controller, they already have their firewall rules set with the vilans, and want it to stay like that.

Anyways i ll try your solution, which i hope it works as you said you never tried it before

Now i got a question let say the user authenticate with machine and it will always do because thats what it does when you log off and log in windows, and then authenticate the user

If it can authenticate the user it will change the vlan to the user vlan? if it does not authenticate the user it will just leave him on the machine vlan?

Thanks

Original Message:
Sent: Aug 03, 2023 02:47 AM
From: Herman Robers
Subject: new wired 802.1x user

VLAN switching is a bad idea in general, it would be better to change the user role and link your access control to the role instead of to the VLAN.

However, there is under the Advanced Settings an option for Single Sign On with the description 'network uses separate VLANs for machine & user authentication', which may handle your case:

Have not tested this, as I avoid VLAN switching whenever possible.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 02, 2023 03:34 PM
From: cdelarosa
Subject: new wired 802.1x user

Hello 

I have been trying thise for new users  that their profile are not on a computer 

If the user belongs to ADgroup X then give VLAN 5

If the user belongs to ADgroup Z then give VLAN 10

Tips roles equals machines authenticated then give the vlan 2

Lets assume that the computer already have a computer certificate but the new user still does not have that user certificate

What is happening is the fallowing:

The new user connect and the profile load and everything but then it takes the computer out of the network.  Didnt know that would happen.  

What i see on the access tracker is that whenever a user logs in the computer he firts machine authenticate and then user authenticate..  But since the user does not have a user certificate it takes the computer out of the network.  To make it works correctly there should be a user and a certificate already on the machine. Note that i dont have in my enforment any AND fule for machine authentication, its just like i showed up.  The first policy applies.

The network will have a group policy that will push the users certificate through the AD to all the users 

And the process will be like this for new users in the company: 

Tech Support join the domain the computer, a domain group policy will push a machine certificate to that computer, all that in a non 802.1x port

Then they give the end user their computer so they can log in.  With the computer certificate it will let him connect the AD but im not sure if it will let him download all the profile and the certificates with the GPO before it puts the computer out of the network

Does anyone have an idea?  or there is a better way to do it?

Original Message:
Sent: Jul 19, 2023 04:52 AM
From: matchabear
Subject: new wired 802.1x user

Original Message:
Sent: 7/14/2023 7:46:00 PM
From: cdelarosa
Subject: new wired 802.1x user

Hello  i got a question 

We have a client that does this:

The support team join the machine on the AD domain  and set the machine.  

They create a user and a random password for the user and then they turn off the machine of their account.

They give the new user the machine so they can log in with their new user -and they can change their random password with the new password

Now i face a problem here,  and its that the support team are using a free 802.1x port so they dont have any issue with putting the machine in the AD and all that

But when the new user try to log in with their new user that does not have their profile in that machine and that has never connected to the network they get the error that they cannot connect to the network, it says that the domain is not avaliable, and i should be sure that its connected to the network. 

I see in the clearpass that it try to connect doing machine authentication instead of using the user and password 

And now that i think.  I would have a big problem when we change to eap TLS because there is no way they can get the user certificate if the user has not connected yet to their proflle and download the group policy that give it the user certificate

I don tknow how to go around this.

Does the user has to alwasy authenticate  the first time without a port wirhtout the 802.1x  authentication? 

Any ideas of how you all guys do this ? 

That's a pretty good summary. Changing VLANs requires the client to re-DHCP and breaks any existing connections like profile downloads/GPO possibly (likely) resulting into a corrupt profile.

Besides the problem i have changing vlans is not recommened for which reasons? i can think of these

Some supplicants will not manage well this well(it doesnt work like the WIFI that  can just get one vlan with the user authentication, it will always get a vlan first on the wired?)

client has GPO for the computer it might break it while downloading beacuse its changing to to the user vlan

If the computer donwload  a scripts might break too while changing vlans

The recommended settings are:

• Use TEAP (not possible due to Win 7)
• Use computer authentication only (rejected by the customer)
• Avoid VLAN switching (also rejected by the customer)

In that case there are not so much options left. You may be successful with mac authentication fallback (on wired) to still allow network access on a failed user authentication, but that would mean that the computer also needs to be configured to allow network access with failed authentication, and hope that Windows will request the user certificate under that circumstance. Or use a 'first login procedure' via guest/WLAN/dedicated wired port with nonauthenticated access to the domaincontrollers/PKI to retrieve the certificate, but that comes with the cost of reduced end-user experience.

Looks like we are a bit out of options.

Hello Herman

Okay that doesnt seems to work 

If in my supplicant i got user or computer and i have your option  it doesnt work

If in my supplicant i got computer authentication only it works, but it will only be on the vlan that the port has  or the vlan that i assign with the machine authentication.

I guess i did a lot of test already and i just would like to know your opinion in this knowing this:

1-the client has windows 7 so i cannot use EAP TEAP

2-They want to use vlans segmentation for their own reasons. (ill explain them that its a bad idea already)

The only problem i have is the fallowing:

When new user comes into the company and he needs to authenticate with a port that works in 802.1x.  If he could do that but in a non 802.1x port then i would have no issue, the problem im having is that because the user does not have the user certificate because he has not yet logged in that pc he cannot authenticate

I dont find a solution to this

I think the only thing i could do its telling them that they have to log those new users and also OLD laptops that are changing from owners to log in, in a port that does not authenticate with 802.1x, or to configure machine authenticate only on that port and in that port they will have to manually to configure that vlan they need

Do you see any other option? how does big companys over there do it ? at least here some companies just onboard on a non 802.1x port and thats it

But i would like to know which would be the best practice to future reference  

I was reading more about the option, i could be wrong Herman but This option tells the device to complete a DHCP renewal after a successful user authentication.

The problem here is that i cannot authenticate the user because i will not have user certificate yet, i need i guess to load the user profile in order to download their certificate.   IF it true what i said up then the computer wont be able to complete the user authentication so it wont be able to download the certificate.

Let me know what you think 

Hello Herman

Not too much i can do there, thats how they want to manage it, the department that manage those vlans rules are another one that does not manage the controller, they already have their firewall rules set with the vilans, and want it to stay like that.

Anyways i ll try your solution, which i hope it works as you said you never tried it before

Now i got a question let say the user authenticate with machine and it will always do because thats what it does when you log off and log in windows, and then authenticate the user

If it can authenticate the user it will change the vlan to the user vlan? if it does not authenticate the user it will just leave him on the machine vlan?

Thanks

Original Message:
Sent: Aug 03, 2023 02:47 AM
From: Herman Robers
Subject: new wired 802.1x user

VLAN switching is a bad idea in general, it would be better to change the user role and link your access control to the role instead of to the VLAN.

However, there is under the Advanced Settings an option for Single Sign On with the description 'network uses separate VLANs for machine & user authentication', which may handle your case:

Have not tested this, as I avoid VLAN switching whenever possible.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 02, 2023 03:34 PM
From: cdelarosa
Subject: new wired 802.1x user

Hello 

I have been trying thise for new users  that their profile are not on a computer 

If the user belongs to ADgroup X then give VLAN 5

If the user belongs to ADgroup Z then give VLAN 10

Tips roles equals machines authenticated then give the vlan 2

Lets assume that the computer already have a computer certificate but the new user still does not have that user certificate

What is happening is the fallowing:

The new user connect and the profile load and everything but then it takes the computer out of the network.  Didnt know that would happen.  

What i see on the access tracker is that whenever a user logs in the computer he firts machine authenticate and then user authenticate..  But since the user does not have a user certificate it takes the computer out of the network.  To make it works correctly there should be a user and a certificate already on the machine. Note that i dont have in my enforment any AND fule for machine authentication, its just like i showed up.  The first policy applies.

The network will have a group policy that will push the users certificate through the AD to all the users 

And the process will be like this for new users in the company: 

Tech Support join the domain the computer, a domain group policy will push a machine certificate to that computer, all that in a non 802.1x port

Then they give the end user their computer so they can log in.  With the computer certificate it will let him connect the AD but im not sure if it will let him download all the profile and the certificates with the GPO before it puts the computer out of the network

Does anyone have an idea?  or there is a better way to do it?

Original Message:
Sent: Jul 19, 2023 04:52 AM
From: matchabear
Subject: new wired 802.1x user

Original Message:
Sent: 7/14/2023 7:46:00 PM
From: cdelarosa
Subject: new wired 802.1x user

Hello  i got a question 

We have a client that does this:

The support team join the machine on the AD domain  and set the machine.  

They create a user and a random password for the user and then they turn off the machine of their account.

They give the new user the machine so they can log in with their new user -and they can change their random password with the new password

Now i face a problem here,  and its that the support team are using a free 802.1x port so they dont have any issue with putting the machine in the AD and all that

But when the new user try to log in with their new user that does not have their profile in that machine and that has never connected to the network they get the error that they cannot connect to the network, it says that the domain is not avaliable, and i should be sure that its connected to the network. 

I see in the clearpass that it try to connect doing machine authentication instead of using the user and password 

And now that i think.  I would have a big problem when we change to eap TLS because there is no way they can get the user certificate if the user has not connected yet to their proflle and download the group policy that give it the user certificate

I don tknow how to go around this.

Does the user has to alwasy authenticate  the first time without a port wirhtout the 802.1x  authentication? 

Any ideas of how you all guys do this ? 

Herman i got a question 

If we do just user authentication with the dynamic vlan that the client wants, does this bring them any issues?

Knowing that they know they need to have the user certificate first in order to connect to the wired network.  They konw that they will need to connect the computer and then log in with the new user so it can get the certificate in a port that does not have 802.1x, at least one time.  

After it has his certificate guess there should not have any issue ? or there could be any issue?

That's a pretty good summary. Changing VLANs requires the client to re-DHCP and breaks any existing connections like profile downloads/GPO possibly (likely) resulting into a corrupt profile.

Besides the problem i have changing vlans is not recommened for which reasons? i can think of these

Some supplicants will not manage well this well(it doesnt work like the WIFI that  can just get one vlan with the user authentication, it will always get a vlan first on the wired?)

client has GPO for the computer it might break it while downloading beacuse its changing to to the user vlan

If the computer donwload  a scripts might break too while changing vlans

The recommended settings are:

• Use TEAP (not possible due to Win 7)
• Use computer authentication only (rejected by the customer)
• Avoid VLAN switching (also rejected by the customer)

In that case there are not so much options left. You may be successful with mac authentication fallback (on wired) to still allow network access on a failed user authentication, but that would mean that the computer also needs to be configured to allow network access with failed authentication, and hope that Windows will request the user certificate under that circumstance. Or use a 'first login procedure' via guest/WLAN/dedicated wired port with nonauthenticated access to the domaincontrollers/PKI to retrieve the certificate, but that comes with the cost of reduced end-user experience.

Looks like we are a bit out of options.

Hello Herman

Okay that doesnt seems to work 

If in my supplicant i got user or computer and i have your option  it doesnt work

If in my supplicant i got computer authentication only it works, but it will only be on the vlan that the port has  or the vlan that i assign with the machine authentication.

I guess i did a lot of test already and i just would like to know your opinion in this knowing this:

1-the client has windows 7 so i cannot use EAP TEAP

2-They want to use vlans segmentation for their own reasons. (ill explain them that its a bad idea already)

The only problem i have is the fallowing:

When new user comes into the company and he needs to authenticate with a port that works in 802.1x.  If he could do that but in a non 802.1x port then i would have no issue, the problem im having is that because the user does not have the user certificate because he has not yet logged in that pc he cannot authenticate

I dont find a solution to this

I think the only thing i could do its telling them that they have to log those new users and also OLD laptops that are changing from owners to log in, in a port that does not authenticate with 802.1x, or to configure machine authenticate only on that port and in that port they will have to manually to configure that vlan they need

Do you see any other option? how does big companys over there do it ? at least here some companies just onboard on a non 802.1x port and thats it

But i would like to know which would be the best practice to future reference  

I was reading more about the option, i could be wrong Herman but This option tells the device to complete a DHCP renewal after a successful user authentication.

The problem here is that i cannot authenticate the user because i will not have user certificate yet, i need i guess to load the user profile in order to download their certificate.   IF it true what i said up then the computer wont be able to complete the user authentication so it wont be able to download the certificate.

Let me know what you think 

Hello Herman

Not too much i can do there, thats how they want to manage it, the department that manage those vlans rules are another one that does not manage the controller, they already have their firewall rules set with the vilans, and want it to stay like that.

Anyways i ll try your solution, which i hope it works as you said you never tried it before

Now i got a question let say the user authenticate with machine and it will always do because thats what it does when you log off and log in windows, and then authenticate the user

If it can authenticate the user it will change the vlan to the user vlan? if it does not authenticate the user it will just leave him on the machine vlan?

Thanks

Original Message:
Sent: Aug 03, 2023 02:47 AM
From: Herman Robers
Subject: new wired 802.1x user

VLAN switching is a bad idea in general, it would be better to change the user role and link your access control to the role instead of to the VLAN.

However, there is under the Advanced Settings an option for Single Sign On with the description 'network uses separate VLANs for machine & user authentication', which may handle your case:

Have not tested this, as I avoid VLAN switching whenever possible.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 02, 2023 03:34 PM
From: cdelarosa
Subject: new wired 802.1x user

Hello 

I have been trying thise for new users  that their profile are not on a computer 

If the user belongs to ADgroup X then give VLAN 5

If the user belongs to ADgroup Z then give VLAN 10

Tips roles equals machines authenticated then give the vlan 2

Lets assume that the computer already have a computer certificate but the new user still does not have that user certificate

What is happening is the fallowing:

The new user connect and the profile load and everything but then it takes the computer out of the network.  Didnt know that would happen.  

What i see on the access tracker is that whenever a user logs in the computer he firts machine authenticate and then user authenticate..  But since the user does not have a user certificate it takes the computer out of the network.  To make it works correctly there should be a user and a certificate already on the machine. Note that i dont have in my enforment any AND fule for machine authentication, its just like i showed up.  The first policy applies.

The network will have a group policy that will push the users certificate through the AD to all the users 

And the process will be like this for new users in the company: 

Tech Support join the domain the computer, a domain group policy will push a machine certificate to that computer, all that in a non 802.1x port

Then they give the end user their computer so they can log in.  With the computer certificate it will let him connect the AD but im not sure if it will let him download all the profile and the certificates with the GPO before it puts the computer out of the network

Does anyone have an idea?  or there is a better way to do it?

Original Message:
Sent: Jul 19, 2023 04:52 AM
From: matchabear
Subject: new wired 802.1x user

Original Message:
Sent: 7/14/2023 7:46:00 PM
From: cdelarosa
Subject: new wired 802.1x user

Hello  i got a question 

We have a client that does this:

The support team join the machine on the AD domain  and set the machine.  

They create a user and a random password for the user and then they turn off the machine of their account.

They give the new user the machine so they can log in with their new user -and they can change their random password with the new password

Now i face a problem here,  and its that the support team are using a free 802.1x port so they dont have any issue with putting the machine in the AD and all that

But when the new user try to log in with their new user that does not have their profile in that machine and that has never connected to the network they get the error that they cannot connect to the network, it says that the domain is not avaliable, and i should be sure that its connected to the network. 

I see in the clearpass that it try to connect doing machine authentication instead of using the user and password 

And now that i think.  I would have a big problem when we change to eap TLS because there is no way they can get the user certificate if the user has not connected yet to their proflle and download the group policy that give it the user certificate

I don tknow how to go around this.

Does the user has to alwasy authenticate  the first time without a port wirhtout the 802.1x  authentication? 

Any ideas of how you all guys do this ?