802.1x on a wired network

oddjob62 · 23 Apr 2009 at 17:50

Having a play with 802.1x security at the moment and there's one thing I'm not sure about.

With both eap-tls or peap, you get no network connectivity until the user logs on and is authenticated. If that's the case, if you deploy software via a computer GPO, would these always fail, as they usually happen during startup (before the login screen comes up)? I also assume that any computer GPOs would only get applied during the usual GP refresh periods.

Is there any method (without resorting to very proprietary protocols) that just authenticates the computer account to allow connectivity, ie. turn on computer as long as computer credentials/certificate authenticate, network connectivity is allowed, so even if nobody logs on there is network connectivity.

oddjob62 · 23 Apr 2009 at 18:30

Reading this at the mo... might be the key... http://support.microsoft.com/kb/929847

oddjob62 · 23 Apr 2009 at 19:16

growse said:
I believe there's also ways to dump unauthenticated users onto a different network (VLAN). So you can provide certain connectivity (AV updates, AD connectivity for GPO) to users without authenticating them. Never implemented it myself, but have seen network designs which do exactly that.

Yeah that will be something we set up in the future, hopeully with NAP health checking added into the mix.

oddjob62 · 24 Apr 2009 at 11:16

Well that did the trick. Authentication is computer only now

Now to start playing with guest VLANs

oddjob62 · 28 Apr 2009 at 07:55

Curiosityx said:
Can i ask which switch vendor your trying this with? I assume you using IAS as your radius server?

Switch is Extreme, WAPs are Cisco, Radius is NPS.