802.1x with non cached password and profile

Post by va66stan » Sat, 19 Feb 2005 22:16:45


We are in the process of testing 802.1x authentication on our network.
For a little background: we are using Cisco network switches, with a
Cisco ACS server with passthrough authentication to a Server 2003 AD
domain. We have been able to successfully authenticate and access the
network, as well as dynamically assign VLANs based on group
membership. The problem is that it only works from a workstation that has a
cached password and profile for the user that is logging in. If the
workstation does not have a cached password, authentication fails with
an error that a domain controller is not available. Has anyone else
run into this, and is there a workaround? It appears that the
credentials are not being passed from the Microsoft client to the
802.1x client until the MS client successfully authenticates. Any help
would be appreciated. Thanks.

Post by Mark Gamac » Sun, 20 Feb 2005 02:02:39

If I am reading your question correctly, you are saying that machine
accounts aren't authenticating via 802.1X.

If this is the case, I'd check your RADIUS logs for failures. Are the
machine accounts in a group that you have granted access with your remote
access policy?

Cheers,

--
Mark Gamache
Certified Security Solutions
http://www.yqcomputer.com/


Post by Mimmu » Fri, 04 Mar 2005 20:12:38

I had the same problem.
You need to understand that a Windows domain also maintains machine accounts in
Active Directory.
If you set up clients and ACS to 'Authenticate as computer' (I don't know if
it is really possible with Cisco ACS, I used IAS), they will authenticate
before entering user credentials, using the internal machine account. They will
receive computer global policies, they will be able to manage password
expiry, etc. all normally.
If you ALSO want 802.1x user authentication, you can set up reauthentication
every 'x' time at switch level. Clients will then be reauthenticated using
user credentials.

Bye
Domenico Viggiani

Post by Mark Gamac » Sat, 05 Mar 2005 01:56:12

If I am reading your question correctly, you are saying that machine
accounts aren't authenticating via 802.1X.

If this is the case, I'd check your RADIUS logs for failures. Are the
machine accounts in a group that you have granted access with your remote
access policy?

Cheers,


--
Mark Gamache
Certified Security Solutions
http://www.yqcomputer.com/

Post by Mimmu » Sat, 05 Mar 2005 19:23:47

No. I enabled 'Authenticate as computer' on clients and I correctly see
successful authentications (host\clients) in the RADIUS logs.
This is exactly what I want: machines are authenticated and able to receive
domain-wide policies and scripts, and especially to authenticate new users
who have never logged on before.
"For the best security, though, when a user logs on to the workstation, the
user should be forced to reauthenticate to the switch. Such a measure
protects against the situation I described earlier, in which an unauthorized
user gains access to an authorized computer and uses a local account such as
Administrator to successfully log on."

The previous excerpt is from this article:
http://www.yqcomputer.com/

Bye
Domenico Viggiani
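The check Mark suggests (look at the RADIUS logs) and the split Mimmu describes (machine authentication as host/..., then user reauthentication) can be automated. The following is an added example, not code from the thread or from IAS/ACS; it parses a constructed, simplified log format (timestamp, calling-station MAC, User-Name, result), so the field layout is an assumption to adapt to your server's actual log format.

```python
"""Classify 802.1X RADIUS log entries into machine vs user authentications.

Added example, not from the thread. The log format below is a constructed,
simplified one (timestamp, calling-station MAC, User-Name, result); real
IAS/ACS logs differ in layout, so adapt parse_log() to your format.
"""
from collections import defaultdict

# Constructed sample: one station that did machine auth and then user auth,
# one that only ever did machine auth, one whose user auth was rejected.
SAMPLE_LOG = """\
2005-02-19 08:00:01,00-11-22-33-44-55,host/ws01.example.local,Access-Accept
2005-02-19 08:02:15,00-11-22-33-44-55,EXAMPLE\\alice,Access-Accept
2005-02-19 08:05:40,00-11-22-33-44-66,host/ws02.example.local,Access-Accept
2005-02-19 08:07:03,00-11-22-33-44-77,host/ws03.example.local,Access-Accept
2005-02-19 08:09:11,00-11-22-33-44-77,EXAMPLE\\bob,Access-Reject
"""

def is_machine_account(user_name):
    # Windows machine accounts show up as host/<fqdn> in EAP/RADIUS logs.
    return user_name.lower().startswith("host/")

def parse_log(text):
    """Return {mac: {"machine_ok", "user_ok", "user_failed"}} per station."""
    stations = defaultdict(
        lambda: {"machine_ok": False, "user_ok": False, "user_failed": False})
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, mac, user_name, result = line.split(",")
        st = stations[mac]
        accepted = result == "Access-Accept"
        if is_machine_account(user_name):
            st["machine_ok"] |= accepted
        elif accepted:
            st["user_ok"] = True
        else:
            st["user_failed"] = True  # the original poster's symptom
    return dict(stations)

def audit(stations):
    """Flag stations with a failed user auth, and stations that only ever
    authenticated as a machine (no user reauthentication seen)."""
    findings = {"user_auth_failed": [], "machine_only": []}
    for mac, st in sorted(stations.items()):
        if st["user_failed"]:
            findings["user_auth_failed"].append(mac)
        if st["machine_ok"] and not st["user_ok"] and not st["user_failed"]:
            findings["machine_only"].append(mac)
    return findings

if __name__ == "__main__":
    for kind, macs in audit(parse_log(SAMPLE_LOG)).items():
        print(kind, macs)
```

A station in the machine_only list is exactly the case the quoted article warns about: the computer is on the network but no domain user has reauthenticated through the switch.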