Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Switch blocks port when someone does RDP to the computer on that port

  • 1.  Switch blocks port when someone does RDP to the computer on that port

    Posted Sep 22, 2023 07:31 PM

    We have users that need to connect with RDP, but they are getting disconnected.
    Example:
    Users have desktops in their company.
    Let's say user X, who is at his home, connects to his desktop (this desktop authenticates with 802.1X) over a VPN. When they connect with RDP to that desktop, it gets disconnected from the network and I see this error:

    ST1-CMDR: port 2/1 is Blocked by AAA

    The same issue happens if someone in the internal network tries to remote desktop to that desktop; we get that error.

    I'm wondering if this happens because of Credential Guard and because they are using EAP-PEAP (I know they need to move to EAP-TLS, but it's something we have to work on with the client after we fix this).

    I noticed that one computer is working fine, but that computer has this enabled:

    In most of the computers it is disabled, like you see in the screenshot, and in those computers it seems it doesn't work.

    This only happens when they try to remote desktop.

    I don't know if, when it tries to authenticate and no one is on the computer, it prompts for the user and password, but since no one is there to do that it kicks the device off the network because no one is entering the user and password.

    Do you guys think it's that?

    Do you think there is a logic to what is happening, related to Credential Guard?



  • 2.  RE: Switch blocks port when someone does RDP to the computer on that port

    Posted Sep 22, 2023 08:33 PM

    The customer should migrate to certificate based EAP methods instead. 

    https://learn.microsoft.com/en-us/troubleshoot/windows-client/remote/cannot-use-802dot1x-user-authentication-connect-rds




  • 3.  RE: Switch blocks port when someone does RDP to the computer on that port

    Posted Sep 22, 2023 09:28 PM

    Hello, thanks for your reply.

    Like I said in my previous post, I already informed the client that we must move to EAP-TLS; for now they are asking us to fix it because it's urgent.

    As for the solution Microsoft is proposing, is it this?:

    This is already configured, and they still have the issue.

    If it's somewhere else, where is it?

    Thanks




  • 4.  RE: Switch blocks port when someone does RDP to the computer on that port

    EMPLOYEE
    Posted Sep 25, 2023 09:47 AM

    If they are using PEAP for 802.1X, the only option is to enable only Computer Authentication. If they have User enabled, then the RDP session WILL BREAK THE 802.1X connection.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: Switch blocks port when someone does RDP to the computer on that port

    Posted Sep 25, 2023 10:12 AM

    Hello Hulcher,

    Let me check on this, but I saw that someone who had this enabled did not have the issue.

    Just to make sure, Carson: will it break the 802.1X connection even with that option on?

    Are the only options having computer authentication or going to EAP-TLS?




  • 6.  RE: Switch blocks port when someone does RDP to the computer on that port

    EMPLOYEE
    Posted Sep 25, 2023 12:28 PM

    If you go read the Microsoft document that was posted above: if User Auth is attempted, then the network connection will fail. Disabling SSO might allow the connection to eventually come back, but you'll likely just break it again upon connecting with RDP.

    EAP-TLS or EAP-TEAP is the answer. But regardless of what gets chosen, get rid of any authentication that requires MSCHAPv2.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
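As an added example (not part of this thread or of any vendor tool), the following Python script inspects a Windows wired 802.1X profile, as exported with `netsh lan export profile`, and flags the PEAP plus user-authentication combination that replies 4 and 6 identify as breaking the connection on an RDP logon. It assumes the OneX and EapCommon XML namespaces used by Windows profiles and that `authMode` defaults to `machineOrUser` when omitted; the sample profile is constructed.

```python
# Added example (not from this thread): check an exported Windows wired
# 802.1X profile for PEAP combined with user authentication, which the
# replies above say breaks the network session when an RDP logon occurs.
import xml.etree.ElementTree as ET

NS = {
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "eapc": "http://www.microsoft.com/provisioning/EapCommon",
}
EAP_TLS, PEAP = 13, 25  # IANA EAP method type numbers

def check_profile(xml_text: str) -> dict:
    """Return the EAP type, the OneX authMode and whether the profile is
    expected to survive an RDP logon according to the thread's guidance."""
    root = ET.fromstring(xml_text)
    onex = root.find(".//onex:OneX", NS)
    if onex is None:
        raise ValueError("profile has no OneX (802.1X) configuration")
    # Assumption: authMode defaults to machineOrUser when the element is absent.
    auth_mode = onex.findtext("onex:authMode", default="machineOrUser", namespaces=NS)
    eap_type = int(onex.findtext(".//eapc:Type", namespaces=NS))
    # Per the replies: with PEAP, any user-authentication attempt breaks the
    # session; only machine-only mode or a certificate method is safe.
    breaks_rdp = eap_type == PEAP and auth_mode != "machine"
    fix = None
    if breaks_rdp:
        fix = ("set authMode to 'machine' (Computer Authentication only) "
               "or migrate to EAP-TLS/EAP-TEAP")
    return {"eap_type": eap_type, "auth_mode": auth_mode,
            "rdp_safe": not breaks_rdp, "fix": fix}

# Constructed sample profile: the shape netsh produces, trimmed to the
# elements this check reads.
SAMPLE = """<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
 <MSM><security><OneXEnabled>true</OneXEnabled>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
   <authMode>{mode}</authMode>
   <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">{eap}</Type></EapMethod>
   </EapHostConfig></EAPConfig>
  </OneX></security></MSM></LANProfile>"""

def sample(mode: str, eap: int) -> str:
    """Build a constructed profile with the given authMode and EAP type."""
    return SAMPLE.format(mode=mode, eap=eap)

if __name__ == "__main__":
    for mode, eap in (("machineOrUser", PEAP), ("machine", PEAP), ("user", EAP_TLS)):
        print(mode, eap, check_profile(sample(mode, eap)))
```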