New Contributor

AD access after machine auth (Cisco wired 802.1x)

I'm building 802.1x for wired authentication in a Cisco environment. For machines already joined to the domain, with an established user account (cert) on the machine, everything works great. The machine is placed in the correct VLAN for the user, based on role.

If I connect a domain-joined machine before logging in, machine authentication works, and the port is placed in the correct access VLAN. If a new user without a local profile and cert then tries to log in, it can't contact the domain to build the new user profile.

We have a lot of DCs, so I'd rather not add them all to the default port ACL on the switchports. Is there a document that covers allowing machine-authenticated computers to communicate with AD to build the profile, and then (I would assume) cause a re-auth in 802.1x?

Aruba Employee

Re: AD access after machine auth (Cisco wired 802.1x)

You need a process for provisioning these devices. Since there is no cert, for machine auth you can probably use EAP-PEAP MSCHAPv2 using machine auth. If that is successful (assuming the PC is joined to the domain, it will be), you can grant access to these PCs, based on the auth method used, to a DC from where it will download its cert and profile. Once done, it can then authenticate successfully using EAP-TLS. If that is not an option, you will have to allow access based on whitelisting MAC addresses, or have a separate open port at the IT helpdesk for provisioning.
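As an added illustration (not part of the original posts or of the ClearPass solution guide) of what "access based on auth method" looks like on a Cisco switch: rather than a static port ACL listing every DC, the ClearPass enforcement profile matched for the machine-authenticated session returns a downloadable ACL (Cisco-AVPair ip:inacl) that permits only the ports a Windows client needs to reach a domain controller for logon and first-time profile creation. The DC subnet 10.10.0.0/24, the profile name, the rule numbers and the exact ClearPass condition are assumptions; the port set is the standard AD client-to-DC list (DNS, Kerberos, NTP, RPC endpoint mapper plus dynamic RPC, LDAP/LDAPS, Global Catalog, SMB, kpasswd).

```text
! Assumed switch-side prerequisites (Cisco IOS) so that a dACL returned by
! ClearPass is applied to the authenticated 802.1X session.
radius-server vsa send authentication
ip device tracking
!
! ClearPass enforcement profile "Wired-MachineAuth-Limited" (assumed name),
! applied when the outer method is EAP-PEAP and the identity is a machine
! account (host/...). Each line below is one RADIUS attribute in the reply.
! The switch substitutes the session's IP for the "any" source.
Cisco-AVPair = "ip:inacl#10=permit udp any 10.10.0.0 0.0.0.255 eq 53"
Cisco-AVPair = "ip:inacl#11=permit tcp any 10.10.0.0 0.0.0.255 eq 53"
Cisco-AVPair = "ip:inacl#20=permit udp any 10.10.0.0 0.0.0.255 eq 88"
Cisco-AVPair = "ip:inacl#21=permit tcp any 10.10.0.0 0.0.0.255 eq 88"
Cisco-AVPair = "ip:inacl#30=permit udp any 10.10.0.0 0.0.0.255 eq 123"
Cisco-AVPair = "ip:inacl#40=permit tcp any 10.10.0.0 0.0.0.255 eq 135"
Cisco-AVPair = "ip:inacl#41=permit tcp any 10.10.0.0 0.0.0.255 range 49152 65535"
Cisco-AVPair = "ip:inacl#50=permit udp any 10.10.0.0 0.0.0.255 eq 389"
Cisco-AVPair = "ip:inacl#51=permit tcp any 10.10.0.0 0.0.0.255 eq 389"
Cisco-AVPair = "ip:inacl#52=permit tcp any 10.10.0.0 0.0.0.255 eq 636"
Cisco-AVPair = "ip:inacl#53=permit tcp any 10.10.0.0 0.0.0.255 eq 3268"
Cisco-AVPair = "ip:inacl#60=permit tcp any 10.10.0.0 0.0.0.255 eq 445"
Cisco-AVPair = "ip:inacl#70=permit udp any 10.10.0.0 0.0.0.255 eq 464"
Cisco-AVPair = "ip:inacl#71=permit tcp any 10.10.0.0 0.0.0.255 eq 464"
Cisco-AVPair = "ip:inacl#80=permit udp any any eq 67"
Cisco-AVPair = "ip:inacl#90=permit icmp any 10.10.0.0 0.0.0.255"
Cisco-AVPair = "ip:inacl#100=deny ip any any"
```

Because the supplicant is set to "user or computer authentication", the interactive logon triggers a fresh EAP exchange as the user; that session matches a different enforcement profile, so the limited dACL above is replaced by the user's role-based VLAN and access, and the restriction only ever applies while the port is in machine-authenticated state. Keeping the DCs in one or a few summarised subnets is what lets the ACL stay short.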

New Contributor

Re: AD access after machine auth (Cisco wired 802.1x)

Thanks, arpitb.

These machines are provisioned, and machine auth is working. It's the new user logging into the workstation that's failing. Can you elaborate on granting AD access based on auth method? This sounds like exactly what I'm after.

Aruba Employee

Re: AD access after machine auth (Cisco wired 802.1x)

Are you talking about the switch user-scenario?


While doing so, the machine would still be on the network. I am sorry, but I don't understand why it would not have access to the domain controller to log in in that scenario.


Have you selected User or Computer Auth?

New Contributor

Re: AD access after machine auth (Cisco wired 802.1x)

It's configured per the "ClearPass_Solution-Guide_Wired-Policy-Enforcement_v2018-01" document.
If I connect my AD laptop to a port, it gets machine auth, and placed into an access VLAN. When I log in, it re-auths, and moves to an IT VLAN, because I'm in that AD group.
But when I log off it goes back to machine auth. A new user, with no local profile, can't log in as the machine can't reach the domain controllers.

The ethernet interface 802.1x config on the computer is set to user or computer authentication.
