
Clearpass 6.3.1 only receiving the MAC address of a Wired computer

  • 1.  Clearpass 6.3.1 only receiving the MAC address of a Wired computer

    Posted Mar 28, 2014 01:58 PM

    Am I missing some small step as to what transports the RADIUS credentials over the wire? I have a computer plugged into a 2500 mobility switch, with the port set to tunneled. I then have an AAA profile on the controller that directs toward the ClearPass server.

    I see in the Access Tracker that a MAC that is my NIC card is being rejected by the Service I have set up to authenticate. This is happening, I assume, because it is coming through as a MAC and not a RADIUS authentication.

    Is there someone that has some example of what the AAA profile should look like? I am assuming that's where it falls short.



  • 2.  RE: Clearpass 6.3.1 only receiving the MAC address of a Wired computer

    EMPLOYEE
    Posted Mar 28, 2014 02:00 PM

    Do you have an 802.1X profile and server-group specified in your AAA profile? 



  • 3.  RE: Clearpass 6.3.1 only receiving the MAC address of a Wired computer

    Posted Mar 28, 2014 02:12 PM

    I have the profile set to Default. 

    I just tried turning MAC Authentication to N/A and that seems to have stopped it from being rejected by the service I set up. However, it now "accepts" it in another service by the MAC.

    Attached is a clip of the AAA profile.



  • 4.  RE: Clearpass 6.3.1 only receiving the MAC address of a Wired computer

    EMPLOYEE
    Posted Mar 28, 2014 02:16 PM

    Did you use the service wizard to create an 802.1X wired service? 



  • 5.  RE: Clearpass 6.3.1 only receiving the MAC address of a Wired computer

    Posted Mar 28, 2014 02:20 PM

    There is a Wizard? I just went under Configuration > Services > Add.

    I've attached a clip of the Service created.

    I'm really just trying to do a proof of concept before I start including a lot of rules.

    We have 2 domains that we authenticate to; I don't know if that could add to this issue.



  • 6.  RE: Clearpass 6.3.1 only receiving the MAC address of a Wired computer

    Posted Mar 28, 2014 03:37 PM

    Perhaps I don't fully understand the concept. Is it possible to use domain credentials that you log into a machine with and have those passed through to the RADIUS server?

    I'm thinking about it and I suppose we make users type in their username and password to access our wireless.

    I started thinking down this path because when I open a browser now I get a "Web Authentication is disabled." message.



  • 7.  RE: Clearpass 6.3.1 only receiving the MAC address of a Wired computer
    Best Answer

    EMPLOYEE
    Posted Mar 28, 2014 03:40 PM

    So it sounds like your users are getting dumped into a role with a captive portal.

    On Windows you need to enable the Wired 802.1X service. It is disabled by default. Once that is done, on Windows 7 it will automatically try machine auth at the login screen and change to user auth when it reaches the desktop.



  • 8.  RE: Clearpass 6.3.1 only receiving the MAC address of a Wired computer

    Posted Mar 28, 2014 03:46 PM

    I don't know why I didn't think about needing to enable 802.1x authentication, but that surely hadn't crossed my mind.

    Once I enabled 802.1x on my machine, 802.1x authentication began to work. (Who would have thought?)

    For anyone else that may also run into this issue, here is how to enable 802.1x Authentication for Windows.
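
The client-side step from posts 7 and 8, as an added example that is not part of the original thread: a PowerShell function that sets the Wired AutoConfig service (`dot3svc`) to start automatically, starts it, optionally imports a wired LAN profile, and prints the resulting state. The function name `Enable-WiredDot1x` and its parameters are hypothetical; it assumes an elevated prompt on the Windows client.

```powershell
# Added example (not from the thread): enable wired 802.1X on one Windows client.
function Enable-WiredDot1x {                     # hypothetical helper name
    [CmdletBinding()]
    param(
        # Optional LAN profile XML, e.g. produced on a reference machine with
        #   netsh lan export profile folder=<dir> interface=<name>
        [string]$ProfileXml,
        # Interface name as listed by "netsh lan show interfaces" (used with -ProfileXml)
        [string]$InterfaceName
    )

    # Changing a service start type requires administrator rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell prompt.'
    }

    # Wired AutoConfig (dot3svc) performs IEEE 802.1X on Ethernet interfaces.
    # Without it the client never sends EAP, so the switch or controller can
    # only fall back to MAC authentication, which is what Access Tracker showed.
    Get-Service -Name dot3svc -ErrorAction Stop | Out-Null
    Set-Service -Name dot3svc -StartupType Automatic
    if ((Get-Service -Name dot3svc).Status -ne 'Running') {
        Start-Service -Name dot3svc
    }

    if ($ProfileXml) {
        if (-not (Test-Path -LiteralPath $ProfileXml)) {
            throw "Profile not found: $ProfileXml"
        }
        $netshArgs = @('lan', 'add', 'profile', "filename=$ProfileXml")
        if ($InterfaceName) { $netshArgs += "interface=$InterfaceName" }
        & netsh @netshArgs
        if ($LASTEXITCODE -ne 0) { throw 'netsh could not import the LAN profile.' }
    }

    # Verification: service state, wired interfaces, and installed wired profiles.
    Get-Service -Name dot3svc
    netsh lan show interfaces
    netsh lan show profiles
}

Enable-WiredDot1x
```

After this runs, a new request from the client should reach ClearPass as 802.1X rather than as a MAC-only authentication.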

     



  • 9.  RE: Clearpass 6.3.1 only receiving the MAC address of a Wired computer

    EMPLOYEE
    Posted Mar 28, 2014 03:50 PM

    If you are doing this on a large scale, you can enable the service and also configure authentication settings via Group Policy. 



  • 10.  RE: Clearpass 6.3.1 only receiving the MAC address of a Wired computer

    Posted Mar 28, 2014 04:00 PM

    That was my first thought when I saw that it was just a service that needs to be enabled.

    Thanks for the help!



  • 11.  RE: Clearpass 6.3.1 only receiving the MAC address of a Wired computer

    Posted Mar 31, 2014 10:04 AM

    And we come back here.

    So over the weekend I do my best thinking.

    Creating a GPO will work perfectly for domain-joined computers. However, we don't join our student computers to the domain. Any pointers on getting their computers set up for 802.1x? I figure worst case we can drop instructions on our FAQ site, but if we can figure a way to do it behind the scenes that'd be even better.

    I'm sure OnBoarding is an option, but so far we had not planned on going the OnBoarding route for Student Computers.



  • 12.  RE: Clearpass 6.3.1 only receiving the MAC address of a Wired computer

    EMPLOYEE
    Posted Mar 31, 2014 10:06 AM

    You would want to use a supplicant configuration utility like ClearPass QuickConnect. The students download it, run it and it configures the client for them.



  • 13.  RE: Clearpass 6.3.1 only receiving the MAC address of a Wired computer

    Posted Mar 31, 2014 10:12 AM

    Did not realize that was an option outside of OnBoarding. Thanks again for your help!