Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass NAC and hoteling space

  • 1.  ClearPass NAC and hoteling space

    Posted 2 days ago

    Hi all,

     

    I'm wondering how everyone handles onboarding their clients to wired 802.1X networks.  Specifically, we are seeing the growth of hoteling and open office style buildings that have static docking stations set up for users to walk in, find their spaces, and connect their USB-C ports for monitors and networking.

     

    We are using ClearPass NAC in combination with 802.1X (PEAP) and captive portal (MAC Auth) authentication methods.  The issue we are seeing is that if the devices don't have 802.1X enabled (i.e., Windows), users will be redirected to our captive portal for authentication.  However, on the ClearPass side, it will see the docking stations' MAC addresses, causing user tracking problems.  Also, Windows tends to store the 802.1X settings at the NIC / adapter level, which is troublesome and requires our users to reconfigure their 802.1X settings every time they switch their workstation.

     

    Any insights are welcome!

     

    Jason



  • 2.  RE: ClearPass NAC and hoteling space

    Posted yesterday

    Hi Jason

    802.1X works best with managed devices, where you can configure all the settings in the 802.1X profile with a GPO if the computers are members of an Active Directory, or with Intune or another MDM tool. You can also deliver certificates to the computers the same way.

    A combination of non-managed computers and 802.1X will in most cases not work well, as you describe.

    If I understand your question right, the computers authenticating in your environment aren't managed, as they don't belong to the same organization but come from several smaller companies sharing desks in an office hotel. Is this correct?

    One option to solve the configuration of the clients and certificate distribution is to utilize ClearPass Onboard.

    Also, do the clients need to be wired? In this type of office space, wireless only can often be a good alternative to the hassle with docking stations.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: ClearPass NAC and hoteling space

    Posted yesterday

    Hi Jonas,

    That's right: our environment (University) has a mix of managed and BYOD (i.e., students, staff, and guests) devices. Even on the managed devices side, some are not managed centrally but by their departmental ADs.

    It makes sense to move them to Wi-Fi only, but there are underlying security requirements preventing this from happening until we move over to role-based access.


    Jason




  • 4.  RE: ClearPass NAC and hoteling space

    Posted 20 hours ago

    What about an MDM?