802.1X on a wired network

Soldato | Joined 8 Nov 2002 | Posts 9,128 | Location NW London
Having a play with 802.1X security at the moment, and there's one thing I'm not sure about.

With both EAP-TLS and PEAP, you get no network connectivity until the user logs on and is authenticated. If that's the case, and you deploy software via a computer GPO, would that always fail, as it usually happens during startup (before the login screen comes up)? I also assume that any computer GPOs would only get applied during the usual GP refresh periods.

Is there any method (without resorting to very proprietary protocols) that just authenticates the computer account to allow connectivity, i.e. turn on the computer and, as long as the computer credentials/certificate authenticate, network connectivity is allowed, so even if nobody logs on there is network connectivity?
 
No idea how it was set up, but at my previous work we had it set up so that the machine had a cert, and when the machine booted up it authenticated with the network, rather than it being user-based. So it can be done, and I don't think it was particularly hard to set up.
 
I believe there are also ways to dump unauthenticated users onto a different network (VLAN), so you can provide certain connectivity (AV updates, AD connectivity for GPO) to users without authenticating them. Never implemented it myself, but I have seen network designs which do exactly that.

Yeah, that will be something we set up in the future, hopefully with NAP health checking added into the mix.
 
Hmm, I've probably still got my configs from when we implemented this. We used the computer certs to put machines into different VLANs. I'll try and dig out the configs...
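The three ideas in this thread (machine authentication at boot, a guest VLAN for ports that never answer EAPOL, and dynamic VLAN assignment from the computer certificate) all come together on the RADIUS server and the switch, so here is an added example that models that authorization step. It is not code from the thread or from any of the posters' configs: the VLAN numbers, the AD realm `corp.example`, the host names and the `classify_identity`/`radius_policy`/`switch_port_vlan` helpers are assumptions of this illustration, while the reply attributes are the standard RFC 3580 dynamic-VLAN ones (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID). The Windows side of this is the wired 802.1X profile's authMode set to `machine` or `machineOrUser`: the supplicant then authenticates as `host/<fqdn>` with the computer certificate before the logon screen appears, which is exactly the window in which computer GPOs and startup software installs run, and with `machineOrUser` it re-authenticates as the user after logon.

```python
"""Authorization side of a wired 802.1X deployment, modelled in Python.

Added example, not from the thread: it stands in for the policy step a RADIUS
server (NPS, FreeRADIUS, ...) performs after EAP-TLS or PEAP completes, and for
the switch's fallback when a port never answers EAPOL. VLAN numbers, the AD
realm and the host names are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed VLAN plan.
CORP_VLAN = "100"        # machine authenticated with its computer certificate
USER_VLAN = "110"        # user authenticated after logon (machineOrUser re-auth)
GUEST_VLAN = "200"       # port never answered EAPOL: no supplicant (printer, visitor)
RESTRICTED_VLAN = "210"  # supplicant answered but failed: remediation only (AV, GPO)

AD_REALM = "corp.example"  # assumed AD DNS name

TUNNEL_TYPE_VLAN = 13      # RFC 2868 Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6  # RFC 2868 Tunnel-Medium-Type value "IEEE-802"


@dataclass
class AuthResult:
    """What the RADIUS policy engine sees once the EAP method has finished."""
    identity: str      # EAP identity as sent by the supplicant
    cert_valid: bool   # chain, EKU and revocation checks (assumed done by the EAP module)


def classify_identity(identity: str) -> Optional[str]:
    """Windows machine auth presents host/<fqdn>; user auth presents DOMAIN\\user or user@realm."""
    ident = identity.lower()
    if ident.startswith("host/") and ident.endswith("." + AD_REALM):
        return "machine"
    if "@" in ident or "\\" in ident:
        return "user"
    return None  # unknown shape: not one of ours


def vlan_reply(vlan: str) -> dict:
    """Access-Accept attributes that make the switch move the port into `vlan`."""
    return {
        "code": "Access-Accept",
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-ID": vlan,
    }


def radius_policy(result: AuthResult) -> dict:
    """Policy step: which VLAN (if any) an authenticated identity gets."""
    if not result.cert_valid:
        return {"code": "Access-Reject"}
    kind = classify_identity(result.identity)
    if kind == "machine":
        return vlan_reply(CORP_VLAN)  # granted at boot, before anyone logs on
    if kind == "user":
        return vlan_reply(USER_VLAN)
    return {"code": "Access-Reject"}


def switch_port_vlan(eapol_answered: bool, reply: Optional[dict]) -> str:
    """Switch-side outcome for one port, including guest and auth-fail VLAN fallback."""
    if not eapol_answered:
        return GUEST_VLAN        # no supplicant at all: guest VLAN (AV updates, captive services)
    if reply is None or reply["code"] != "Access-Accept":
        return RESTRICTED_VLAN   # tried and failed: restricted/remediation VLAN
    return reply["Tunnel-Private-Group-ID"]


def boot_to_logon_sequence() -> list:
    """Constructed timeline for a domain PC: machine auth at boot, user re-auth after logon."""
    machine = radius_policy(AuthResult("host/pc01.corp.example", cert_valid=True))
    user = radius_policy(AuthResult("CORP\\alice", cert_valid=True))
    return [
        ("boot: computer cert", switch_port_vlan(True, machine)),  # computer GPO runs here
        ("logon: user cert", switch_port_vlan(True, user)),
    ]


if __name__ == "__main__":
    for stage, vlan in boot_to_logon_sequence():
        print(f"{stage:20s} -> VLAN {vlan}")
    print("no supplicant        -> VLAN", switch_port_vlan(False, None))
    bad = radius_policy(AuthResult("host/pc02.corp.example", cert_valid=False))
    print("bad cert             -> VLAN", switch_port_vlan(True, bad))
```

Two things worth keeping from this model when building the real policy: the realm check in `classify_identity` matters because `host/` is just a string the supplicant sends, so the decision must rest on the certificate chaining to your CA (the `cert_valid` input here) and the identity matching the certificate, not on the prefix alone; and the restricted VLAN for failed supplicants should be separate from the guest VLAN, since a domain PC with an expired certificate needs a path to the CA and a domain controller to recover, which a visitor's laptop should not get.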
 