Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

can you associate a machine auth with a user auth?

  • 1.  can you associate a machine auth with a user auth?

    Posted Feb 18, 2015 03:38 PM

    Doing wired dot1x with a Cisco switch and CP 6.4.

    Got a setup where multiple types of devices exist in AD, with different DNs. Based on these DNs, different roles are defined in CP which are used to put the devices in different VLANs during machine auth.

    But then user auth comes around and now the device type based on DN is unknown, so I can't put the user (and thus the device) in the correct VLAN. If I don't send a VLAN, the default on the port is used and that isn't what I want.

    Is there a nice way to associate a machine auth attempt with a user auth attempt?



  • 2.  RE: can you associate a machine auth with a user auth?

    EMPLOYEE
    Posted Feb 18, 2015 03:43 PM
    You would have to map the computer account's DN to a TIPS role and allow cached roles in your service.

    Thanks,
    Tim
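
The mechanism Tim describes (a role derived from the computer account's DN at machine auth, reused when the user auth arrives from the same endpoint) can be illustrated with a small simulation. This is an added example, not ClearPass code or its API, and not something either poster wrote: the OU-to-role map, VLAN ids, MAC addresses and the cache lifetime are constructed values, and the policy of rejecting a user auth that has no cached machine role is one hypothetical choice for the "don't fall back to the port default VLAN" requirement in the question.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed illustration of the "cached role" idea: machine auth maps the
# computer's AD DN to a role, stores that role against the endpoint MAC for a
# limited time, and a later user auth from the same MAC reuses it to pick the
# VLAN. Hypothetical values throughout; this is not ClearPass's own logic.

# OU path of the computer DN (everything after the leading CN=) -> (role, VLAN).
OU_ROLE_MAP: Dict[str, Tuple[str, int]] = {
    "OU=Laptops,DC=corp,DC=example": ("Laptop-Machine", 10),
    "OU=Kiosks,DC=corp,DC=example": ("Kiosk-Machine", 20),
}


@dataclass
class Decision:
    action: str            # "accept" or "reject"
    role: Optional[str]    # role used for enforcement, if any
    vlan: Optional[int]    # VLAN returned to the switch, if any
    reason: str


class RoleCache:
    """Remembers the machine-auth role per endpoint MAC until it expires."""

    def __init__(self, ttl_seconds: float = 300.0) -> None:
        self.ttl = ttl_seconds
        self._entries: Dict[str, Tuple[str, float]] = {}

    def put(self, mac: str, role: str, now: float) -> None:
        self._entries[mac.lower()] = (role, now + self.ttl)

    def get(self, mac: str, now: float) -> Optional[str]:
        entry = self._entries.get(mac.lower())
        if entry is None:
            return None
        role, expires_at = entry
        if now >= expires_at:
            # A stale association must not be reused: the device may have moved.
            del self._entries[mac.lower()]
            return None
        return role


def role_from_dn(dn: str) -> Optional[Tuple[str, int]]:
    """Drop the CN= component and look the remaining OU path up in the map."""
    parts = dn.split(",", 1)
    if len(parts) != 2:
        return None
    return OU_ROLE_MAP.get(parts[1].strip())


def vlan_for_role(role: str) -> Optional[int]:
    for mapped_role, vlan in OU_ROLE_MAP.values():
        if mapped_role == role:
            return vlan
    return None


def authorize(request: Dict[str, str], cache: RoleCache,
              now: Optional[float] = None) -> Decision:
    """Decide one 802.1X request. A 'host/' identity is treated as machine auth."""
    now = time.time() if now is None else now
    mac, identity = request["mac"], request["identity"]
    dn = request.get("dn", "")
    if identity.startswith("host/"):
        mapped = role_from_dn(dn)
        if mapped is None:
            return Decision("reject", None, None, "computer DN not in a known OU")
        role, vlan = mapped
        cache.put(mac, role, now)
        return Decision("accept", role, vlan, "machine auth; role cached for endpoint")
    cached = cache.get(mac, now)
    if cached is None:
        # Constructed policy: no cached machine role means no VLAN is known, so
        # reject rather than let the switch apply its port default.
        return Decision("reject", None, None, "user auth with no cached machine role")
    return Decision("accept", cached, vlan_for_role(cached), "user auth; reused cached machine role")


if __name__ == "__main__":
    cache = RoleCache(ttl_seconds=300.0)
    laptop = {"mac": "AA:BB:CC:DD:EE:01",
              "identity": "host/laptop01.corp.example",
              "dn": "CN=LAPTOP01,OU=Laptops,DC=corp,DC=example"}
    user = {"mac": "aa:bb:cc:dd:ee:01", "identity": "jdoe",
            "dn": "CN=jdoe,OU=Users,DC=corp,DC=example"}
    print(authorize(laptop, cache, now=1000.0))
    print(authorize(user, cache, now=1010.0))    # reuses Laptop-Machine, VLAN 10
    print(authorize(user, cache, now=1400.0))    # cache expired -> reject
```

The cache is keyed on the endpoint MAC because that is the only attribute the machine auth and the later user auth share; the two are separate RADIUS sessions, which is why the role has to be carried across explicitly rather than being visible in the user session on its own.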


  • 3.  RE: can you associate a machine auth with a user auth?

    Posted Feb 19, 2015 06:11 AM

    I thought of that and tried it, but it didn't seem to work. I know this automatically works for the default [machine authentication] role, which is available on the user auth.

    But should it work for my own role between the machine and user auth also? It is a different session, I assume?



  • 4.  RE: can you associate a machine auth with a user auth?

    EMPLOYEE
    Posted Feb 19, 2015 06:22 AM

    Boneyard,

    Why bother with user authentication, then? Just configure the domain computers for machine authentication only. The user still has to get into the computer to do anything, so just do machine authentication only and put the device on the correct VLAN. At the ctrl-alt-delete screen the machine gets on the right VLAN during machine authentication. The user then has to log in to the computer, and the computer is already on the correct VLAN. Since you are not enforcing firewall policies, it does not matter what user gets on the device as long as they have valid credentials; and Windows does that for you.



  • 5.  RE: can you associate a machine auth with a user auth?

    Posted Feb 19, 2015 10:22 AM

    Hey, I thought of that one also, cjoseph. Just want to know if it is possible to somehow combine these two pieces of info to do something nice. This time it is workaroundable; next time it might not be.