Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

new wired 802.1x user

  • 1.  new wired 802.1x user

    Posted Jul 14, 2023 07:46 PM

    Hello, I have a question.

    We have a client that does this:

    The support team joins the machine to the AD domain and sets up the machine.

    They create a user and a random password for the user, and then they turn off the machine from their account.

    They give the new user the machine so they can log in with their new user, and they can change their random password to a new password.

    Now I face a problem here, and it's that the support team is using a port without 802.1X, so they don't have any issue putting the machine in AD and all that.

    But when the new user tries to log in with their new user, which does not have a profile on that machine and has never connected to the network, they get the error that they cannot connect to the network; it says that the domain is not available and that I should make sure it's connected to the network.

    I see in ClearPass that it tries to connect doing machine authentication instead of using the user and password.

    And now that I think about it, I would have a big problem when we change to EAP-TLS, because there is no way they can get the user certificate if the user has not yet logged in to their profile and downloaded the group policy that gives them the user certificate.

    I don't know how to get around this.

    Does the user always have to authenticate the first time on a port without 802.1X authentication?

    Any ideas of how you all do this?



  • 2.  RE: new wired 802.1x user

    Posted Jul 17, 2023 07:23 AM

    With EAP-TLS or EAP-PEAP, the most used method is to switch to computer-only authentication.

    If you need user authentication, then TEAP may be a good method to use. It combines computer and user authentication in the same 'authentication transaction' and would allow scenarios where the user or computer authentication can even fail, and the computer can still be connected and placed in the correct VLAN/role to reflect that authentication status. Here is a video that explains TEAP based on EAP-TLS.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: new wired 802.1x user

    Posted Jul 18, 2023 02:33 PM

    Hello,

    Thanks for your answers, guys.

    Ahollifield, that could be a solution, yes, but I need the machine to authenticate, and not only that: they need to be sent to a specific VLAN.

    Herman, thanks for your answer. I was about to do what you said, but the client has Windows 7; as I could see in your video, we need Windows 10 for TEAP to work.

    So it seems that the only option I have is machine authentication.

    Right now I have something simple in the enforcement for testing:

    If the user belongs to AD group X then give VLAN 5

    If the user belongs to AD group Z then give VLAN 10

    If TIPS Role equals Machine Authenticated then give VLAN 2

    The first that applies is used.

    It SEEMS to work. It authenticated with the machine, then it authenticated with the user.

    On Windows 10 I have the 'user or machine' option selected.

    I'm not sure if I should be using:

    If the user belongs to AD group X AND the machine authenticated then give VLAN 5

    If the user belongs to AD group Z AND the machine authenticated then give VLAN 10

    Not sure if that will work (I'll try that today).

    Herman, if you think any of those will give trouble, please let me know, and what could be the best way to do it.

    I cannot do only machine authentication because, as I said, the user needs to go to a specific VLAN after authenticating.




  • 4.  RE: new wired 802.1x user

    Posted Jul 18, 2023 07:11 PM

    Windows 7?  I think the client has MUCH bigger security concerns than VLAN based segmentation...




  • 5.  RE: new wired 802.1x user

    Posted Jul 19, 2023 03:49 AM

    That should work fine; it's just that the discussion started with the point that user authentication was not possible (chicken-and-egg problem) for users that had not authenticated before on the client, or don't have a user certificate.

    You may also try to use an 'authentication failed VLAN' or 'authentication failed role', which does allow access to the AD infrastructure and other required services that you trust access to for unauthenticated clients. Through that access the client can change the password, get the user certificate enrolled, or perform other prerequisites. It's not ideal, but that is why (at least before TEAP was introduced) many customers fall back to computer-only authentication. But if that is not acceptable, this strategy may work.



    ------------------------------
    Herman Robers
    ------------------------



  • 6.  RE: new wired 802.1x user

    Posted Jul 17, 2023 07:25 AM

    Switch to EAP-TLS with machine certificates (machine authentication). Enroll the machine certificate onto the PC when the device is built, at a port with 802.1X disabled.




  • 7.  RE: new wired 802.1x user

    Posted Jul 18, 2023 07:19 PM

    I know that Windows 7 ran out of support a while ago, but it is what it is.

    Still, we would like to do the VLAN segmentation. I was wondering if it's possible with the rules I mentioned before?

    At least it seems to work, but that is in a small lab.




  • 8.  RE: new wired 802.1x user

    Posted Jul 19, 2023 04:53 AM
    Hi,

    Here we apply a so-called quarantine VLAN to get the EAP-TLS cert and do the first-time login (Kerberos), so in that quarantine VLAN only certain ports are allowed, only those required to do those two tasks (restriction done by firewall).





  • 9.  RE: new wired 802.1x user

    Posted Aug 02, 2023 03:35 PM

    Hello,

    I have been trying this for new users whose profile is not on the computer:

    If the user belongs to AD group X then give VLAN 5

    If the user belongs to AD group Z then give VLAN 10

    If TIPS Role equals Machine Authenticated then give VLAN 2

    Let's assume that the computer already has a computer certificate but the new user still does not have a user certificate.

    What is happening is the following:

    The new user connects and the profile loads and everything, but then it takes the computer out of the network. I didn't know that would happen.

    What I see in the Access Tracker is that whenever a user logs in to the computer, it first machine-authenticates and then user-authenticates. But since the user does not have a user certificate, it takes the computer out of the network. To make it work correctly there should be a user and a certificate already on the machine. Note that I don't have any AND rule for machine authentication in my enforcement; it's just like I showed above. The first policy applies.

    The network will have a group policy that will push the user certificates through AD to all the users.

    And the process will be like this for new users in the company:

    Tech support joins the computer to the domain; a domain group policy will push a machine certificate to that computer, all that on a non-802.1X port.

    Then they give the end user their computer so they can log in. With the computer certificate it will let them connect to AD, but I'm not sure if it will let them download all the profile and the certificates with the GPO before it puts the computer out of the network.

    Does anyone have an idea? Or is there a better way to do it?
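A simplified model, added here and not code from the thread or from ClearPass, of the first-match enforcement policy quoted in posts 3 and 9. It replays the wired sequence the Access Tracker shows (machine authentication at boot, user authentication at logon) so the no-certificate failure from post 9 and the AND-rule variant from post 3 can be compared side by side. The default profile name and the "cached machine auth tags the later user auth" behaviour are assumptions of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    success: bool                        # EAP-TLS succeeded (certificate present and valid)
    ad_groups: frozenset = frozenset()   # AD group memberships (user authentications only)
    machine_authenticated: bool = False  # TIPS role [Machine Authenticated] (cached machine auth)

# Each rule is (condition, enforcement profile); first match wins.
# Rules as quoted in posts 3 and 9.
POLICY_SEPARATE = [
    (lambda r: "ADgroup X" in r.ad_groups, "VLAN 5"),
    (lambda r: "ADgroup Z" in r.ad_groups, "VLAN 10"),
    (lambda r: r.machine_authenticated, "VLAN 2"),
]
# Variant considered in post 3: user rules also require a machine authentication.
POLICY_AND = [
    (lambda r: "ADgroup X" in r.ad_groups and r.machine_authenticated, "VLAN 5"),
    (lambda r: "ADgroup Z" in r.ad_groups and r.machine_authenticated, "VLAN 10"),
    (lambda r: r.machine_authenticated, "VLAN 2"),
]

def evaluate(policy, request, default="[Deny Access Profile]"):
    """A failed EAP exchange never reaches the enforcement policy: the switch gets
    Access-Reject and the port loses access ("REJECT"). The default profile for a
    request matching no rule is an assumption of this model."""
    if not request.success:
        return "REJECT"
    for condition, profile in policy:
        if condition(request):
            return profile
    return default

def logon_sequence(policy, user_groups, user_has_cert, machine_has_cert=True):
    """Return [(phase, outcome), ...] for boot (machine auth) then logon (user auth)."""
    machine = Request(success=machine_has_cert, machine_authenticated=machine_has_cert)
    outcomes = [("machine", evaluate(policy, machine))]
    # Assumed: a successful machine auth is cached and tags the later user auth.
    user = Request(success=user_has_cert, ad_groups=frozenset(user_groups),
                   machine_authenticated=machine_has_cert)
    outcomes.append(("user", evaluate(policy, user)))
    return outcomes

if __name__ == "__main__":
    # Existing user in AD group X with a user certificate: VLAN 2 at boot, VLAN 5 at logon.
    print(logon_sequence(POLICY_SEPARATE, ["ADgroup X"], user_has_cert=True))
    # New user without a certificate (post 9): VLAN 2 at boot, then the user auth is
    # rejected and the port drops out of the network.
    print(logon_sequence(POLICY_SEPARATE, ["ADgroup X"], user_has_cert=False))
    # AND rules: a user whose machine never authenticated matches nothing.
    print(logon_sequence(POLICY_AND, ["ADgroup X"], True, machine_has_cert=False))
```

The second case is the behaviour described in post 9: the rejected user authentication, not the policy order, is what removes the computer from the network.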




  • 10.  RE: new wired 802.1x user

    Posted Aug 03, 2023 02:48 AM

    VLAN switching is a bad idea in general, it would be better to change the user role and link your access control to the role instead of to the VLAN.

    However, there is under the Advanced Settings an option for Single Sign On with the description 'network uses separate VLANs for machine & user authentication', which may handle your case:

    Have not tested this, as I avoid VLAN switching whenever possible.



    ------------------------------
    Herman Robers
    ------------------------



  • 11.  RE: new wired 802.1x user

    Posted Aug 07, 2023 10:09 AM

    Hello Herman,

    Not too much I can do there; that's how they want to manage it. The department that manages those VLAN rules is another one that does not manage the controller; they already have their firewall rules set with the VLANs and want it to stay like that.

    Anyway, I'll try your solution, which I hope works, as you said you never tried it before.

    Now I have a question. Let's say the user authenticates with the machine (and it always will, because that's what it does when you log off and log in to Windows) and then authenticates the user.

    If it can authenticate the user, will it change the VLAN to the user VLAN? If it does not authenticate the user, will it just leave them on the machine VLAN?

    Thanks




  • 12.  RE: new wired 802.1x user

    Posted Aug 07, 2023 10:25 AM

    I was reading more about the option. I could be wrong, Herman, but this option tells the device to complete a DHCP renewal after a successful user authentication.

    The problem here is that I cannot authenticate the user because I will not have a user certificate yet; I guess I need to load the user profile in order to download their certificate. If what I said above is true, then the computer won't be able to complete the user authentication, so it won't be able to download the certificate.

    Let me know what you think.




  • 13.  RE: new wired 802.1x user

    Posted Aug 07, 2023 08:01 PM

    Hello Herman,

    Okay, that doesn't seem to work.

    If in my supplicant I have 'user or computer' and I have your option, it doesn't work.

    If in my supplicant I have computer authentication only, it works, but it will only be on the VLAN that the port has or the VLAN that I assign with the machine authentication.

    I guess I did a lot of tests already and I would just like to know your opinion on this, knowing this:

    1- The client has Windows 7, so I cannot use EAP-TEAP.

    2- They want to use VLAN segmentation for their own reasons. (I'll explain to them that it's a bad idea already.)

    The only problem I have is the following:

    When a new user comes into the company, they need to authenticate on a port that works with 802.1X. If they could do that on a non-802.1X port then I would have no issue; the problem I'm having is that because the user does not have the user certificate, because they have not yet logged in on that PC, they cannot authenticate.

    I don't find a solution to this.

    I think the only thing I could do is tell them that they have to log those new users in, and also OLD laptops that are changing owners, on a port that does not authenticate with 802.1X, or configure machine authentication only on that port, and on that port they will have to manually configure the VLAN they need.

    Do you see any other option? How do big companies over there do it? At least here some companies just onboard on a non-802.1X port and that's it.

    But I would like to know which would be the best practice for future reference.




  • 14.  RE: new wired 802.1x user

    Posted Aug 09, 2023 04:21 AM

    The recommended settings are:

    • Use TEAP (not possible due to Win 7)
    • Use computer authentication only (rejected by the customer)
    • Avoid VLAN switching (also rejected by the customer)

    In that case there are not so many options left. You may be successful with MAC authentication fallback (on wired) to still allow network access on a failed user authentication, but that would mean that the computer also needs to be configured to allow network access with failed authentication, and hope that Windows will request the user certificate under that circumstance. Or use a 'first login procedure' via guest/WLAN/dedicated wired port with non-authenticated access to the domain controllers/PKI to retrieve the certificate, but that comes with the cost of a reduced end-user experience.

    Looks like we are a bit out of options.



    ------------------------------
    Herman Robers
    ------------------------



  • 15.  RE: new wired 802.1x user

    Posted Aug 09, 2023 10:27 AM

    Besides the problem I have, changing VLANs is not recommended for which reasons? I can think of these:

    Some supplicants will not manage this well (it doesn't work like Wi-Fi, which can just get one VLAN with the user authentication; will it always get a VLAN first on wired?).

    The client has GPOs for the computer; it might break while downloading because it's changing to the user VLAN.

    If the computer downloads scripts, they might break too while changing VLANs.




  • 16.  RE: new wired 802.1x user

    Posted Aug 10, 2023 03:44 AM

    That's a pretty good summary. Changing VLANs requires the client to re-DHCP and breaks any existing connections like profile downloads/GPO, possibly (likely) resulting in a corrupt profile.



    ------------------------------
    Herman Robers
    ------------------------



  • 17.  RE: new wired 802.1x user

    Posted Nov 14, 2023 04:29 PM

    Herman, I have a question.

    If we do just user authentication with the dynamic VLAN that the client wants, does this bring them any issues?

    Knowing that they need to have the user certificate first in order to connect to the wired network. They know that they will need to connect the computer and then log in with the new user so it can get the certificate, on a port that does not have 802.1X, at least one time.

    After it has its certificate, I guess there should not be any issue? Or could there be any issue?




  • 18.  RE: new wired 802.1x user

    Posted Nov 24, 2023 11:55 AM

    This comes down in most cases to a 'user experience' exercise. If clients have a client certificate, or if they don't, they have a method to get it, that should not give issues. It's just that if you can automate that process, for example with computer authentication, or an auth-failed VLAN, or TEAP authentication (computer+user), it's much easier for the end user if they are placed in a role/VLAN that (just) permits certificate enrollment, after which a reauthentication can bring the client into a more controlled state.

    Your Aruba Partner, or local Aruba SE may be able to advise in your specific case what is possible, or most optimal.



    ------------------------------
    Herman Robers
    ------------------------