Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

authenticating windows local administrator using clearpass issue?

  • 1.  authenticating windows local administrator using clearpass issue?

    Posted Nov 13, 2015 07:56 AM

    I'm facing a strange issue. We have configured Windows 802.1X and checked the box to use Windows logon credentials for 802.1X. Now when a user logs in using the local admin credentials, he is kicked out of the network, so what is the best scenario to solve this?



  • 2.  RE: authenticating windows local administrator using clearpass issue?

    EMPLOYEE
    Posted Nov 13, 2015 08:10 AM
    You would need to either create a second local administrator account that has a matching account in AD or the local user repository or create an "Administrator" user on the local user repository with the same credentials.


    Thanks,
    Tim


  • 3.  RE: authenticating windows local administrator using clearpass issue?

    Posted Nov 13, 2015 08:11 AM
    Uncheck the box and have the user enter credentials to auth to the network instead. Use either MAC auth or user auth.


  • 4.  RE: authenticating windows local administrator using clearpass issue?

    Posted Nov 13, 2015 10:14 AM

    Hello Tim,

    I thought the same, but we have a VLAN assignment based on switch location (NAD IP address), and they have around 6 different local admin passwords, and we also have the same issue with RDP.

    Hello Monardo,

    They want to use this scenario and this check box, as all users are authenticating against AD.



  • 5.  RE: authenticating windows local administrator using clearpass issue?

    EMPLOYEE
    Posted Nov 13, 2015 10:22 AM
    Then the only option would be to disable pass-through Windows authentication. Unfortunately this is a Windows limitation, not ClearPass.


  • 6.  RE: authenticating windows local administrator using clearpass issue?

    Posted Nov 14, 2015 05:03 PM

    Hello Tim, from where exactly should I disable this, and what will it affect?



  • 7.  RE: authenticating windows local administrator using clearpass issue?

    EMPLOYEE
    Posted Nov 14, 2015 05:06 PM
    You would disable it in the Windows 802.1X supplicant. With that disabled, users will be prompted to enter network credentials after logging into the machine.
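
Added example, not part of the original thread and not Aruba or Microsoft code: a small audit of an exported Windows wired 802.1X profile that reports the two supplicant settings discussed here, the authentication mode and the pass-through of Windows logon credentials. The sample profile is constructed and trimmed, and PEAP with inner EAP-MSCHAPv2 is an assumption, since the thread names no EAP method.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed sample in the shape of an exported wired 802.1X profile.
# Assumption: PEAP (type 25) with inner EAP-MSCHAPv2 (type 26).
SAMPLE_PROFILE = """<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
 <MSM><security>
  <OneXEnabled>true</OneXEnabled>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
   <authMode>machineOrUser</authMode>
   <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
     <Type>25</Type>
     <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
      <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
       <Type>26</Type>
       <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
        <UseWinLogonCredentials>true</UseWinLogonCredentials>
       </EapType>
      </Eap>
     </EapType>
    </Eap></Config>
   </EapHostConfig></EAPConfig>
  </OneX>
 </security></MSM>
</LANProfile>"""

def _first_text(root, local_name):
    """Text of the first element with this local name, ignoring XML namespaces."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            return (el.text or "").strip()
    return None

def audit_profile(xml_text):
    """Return authMode, the pass-through setting, and findings tied to this thread."""
    root = ET.fromstring(xml_text)
    auth_mode = _first_text(root, "authMode")
    raw = _first_text(root, "UseWinLogonCredentials")
    passthrough = None if raw is None else raw.lower() == "true"  # None: not stated
    findings = []
    if passthrough:
        findings.append("Windows logon credentials are passed to 802.1X; a logon with "
                        "a local account unknown to the RADIUS server fails user auth")
        if auth_mode == "machineOrUser":
            findings.append("computer + user mode switches to user auth at logon, so "
                            "the machine-auth session is not kept after that failure")
    return {"authMode": auth_mode, "passThrough": passthrough, "findings": findings}
```
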



  • 8.  RE: authenticating windows local administrator using clearpass issue?

    EMPLOYEE
    Posted Sep 21, 2016 05:13 AM

    Hi Tim,

    I'm taking the liberty of bringing up this topic again. I'm currently facing a similar issue to the OP's; however, it is slightly different, as the customer is also performing Machine Authentication before User Authentication.

    Actually, the customer's purpose is to log on with the laptop's Local Admin account (neither in AD nor in the CP Local Repository, resulting in User Auth failure) and keep the IP from the restricted VLAN assigned after Machine Authentication. In other words, we expected the following:

    [Machine Auth] OK + [User Auth] FAIL = Keep IP from Mach Auth Restricted VLAN

    I understood well that unchecking the "Auto windows credentials for 802.1x" option would make it work (I will test it ASAP).

    But just to give a clear explanation to the customer and verify that I understood well: is it not possible to get an IP from the Machine Auth VLAN if User Auth fails afterwards? In other words, the following:

    [Machine Authenticated] OK + [User Authenticated] FAIL = FAIL (APIPA IP assigned)?

    Thank you.



  • 9.  RE: authenticating windows local administrator using clearpass issue?

    EMPLOYEE
    Posted Sep 21, 2016 05:19 AM
    Unfortunately no. When set to both computer + user, it switches to user auth immediately after login.


  • 10.  RE: authenticating windows local administrator using clearpass issue?

    EMPLOYEE
    Posted Nov 14, 2015 05:08 PM

    Unfortunately, authenticating local administrators on computers is probably not possible because the username for local administrators goes to the RADIUS server as <hostname/username>, so it is not as simple as just adding the local username and password. Like TC said, you would need to manually configure the Windows supplicant to NOT automatically use the username and password, and then manually enter a username and password that is valid.



  • 11.  RE: authenticating windows local administrator using clearpass issue?

    Posted Nov 14, 2015 06:03 PM

    The issue is that the customer does not want users to enter their credentials after login, as sometimes the Windows 7 notification disappears if the user didn't click on it immediately. So I suggested that they use a domain administrator instead of local admin, but they refused, saying that we need to fix this issue. So I would need you to tell me how I can convince them technically that this is not possible?



  • 12.  RE: authenticating windows local administrator using clearpass issue?

    EMPLOYEE
    Posted Nov 14, 2015 06:05 PM
    There are no other options…It’s a Windows limitation.



  • 13.  RE: authenticating windows local administrator using clearpass issue?

    EMPLOYEE
    Posted Nov 14, 2015 06:09 PM
    ^^what Tim said.

    If that would work, it is possible that you have someone with the local password that can still get on your network, because even if you remove a computer from the domain, the local username and password have to be changed manually. That is not acceptable from a security standpoint.