Does 802.1x protocol mismatch against GPO deployment?

Unanswered Question
Jul 2nd, 2007

I am testing the DOT1X authentication protocol using Cisco switches, and for that I have gone through the procedures to run Dot1x on Windows. As you know, when we use this feature, users logging in to the concerned domain are asked to enter their usernames and passwords. These usernames and passwords are set in Active Directory and are different from the Windows logon. I mean, after any user logs in to the domain, after the PC is up, a balloon pops up above his Local Area Connection asking for username and password!

After the user enters this username and password, his PC is connected to the domain and must ping others or share anything (getting an IP through DHCP).

The problem is that no Group Policy (which is set by me, the admin) is applied to users and computers in the domain.

Suppose the group policies which I set were:

+Computer Configuration

-Security Configurations

and .....etc.




On the Cisco switch we are supposed to configure, on the concerned port that any user is connected to, some related configurations which have to be set by the administrator.

These configurations are like:

1) Switch(config)# dot1x system-auth-control (enables dot1x on the Cisco switch)

2) Switch(config)# interface fastethernet 0/1

Switch(config-if)# switchport mode access

Switch(config-if)# dot1x port-control auto

Switch(config-if)# dot1x pae authenticator

Switch(config-if)# dot1x reauthentication

and ................etc

Enabling the above-mentioned commands will lead to our goal, and our goal is that after the user passes these authentication steps, he can successfully log in to the domain and the group policies which are already defined by the administrator are applied to the user.

My problem shows up after the 3rd step:

1st - The user logs into the PC.

At this point dot1x authentication starts and the balloon which I already told you about appears above Local Area Connection, asking for username and password.

2nd - The user clicks on the balloon, a window appears on screen, and we are asked to enter username and password.

3rd - The user enters username and password, and the switchport that the user is connected to is assigned to the concerned VLAN, and afterwards the proper IP address is given by the DHCP server.

=> 4th - In this step, where the user has got an IP address, no group policy which we have previously defined is applied (suppose we have defined: the CD-ROM and USB ports must be disabled)!

My question is: why?

Why does no policy like "disabled CD-ROM" or "disabled USB port" work here?

But when we disable dot1x, all these policies are applied to the users.

By disabling dot1x, users cannot access the CD-ROM or use the USB port, and this is what we want along with dot1x authentication.

I hope the problem is well explained to you.

Please, if you think anything can help me in this regard, let me know about it.

Jagdeep Gambhir Mon, 07/02/2007 - 15:23

Hi ,

For GPO you need to enable the machine authentication feature.

At boot time, the Windows OS uses machine authentication to authenticate using 802.1x, and to subsequently communicate with Windows domain controllers in order to pull down machine group policies. The identity used is the actual name of the computer as it exists in the Active Directory. The credentials used to authenticate the computer can be password-based or PKI certificate-based, depending on the EAP type used.


This is how it works with ACS (Cisco RADIUS):

Q. What is machine authentication and how does Cisco Secure ACS support it today?

A. Machine authentication is used at boot time to authenticate and communicate with Windows domain controllers to pull down machine group policies independently of an interactive user authentication session. Cisco Secure ACS provides a mechanism to allow machine authentication on an 802.1X port before a user session is initiated. This is done by communicating the machine name with or without a valid certificate (depending on the EAP method used) to the Cisco Secure ACS server for machine identity verification. Cisco Secure ACS supports machine authentication using either EAP-TLS or PEAP-EAP-MSCHAPv2 against Windows Active Directory. Cisco Secure ACS 3.3 includes MARs as an enhancement of Windows machine authentication. MAR gives administrators the flexibility of binding users to their machines to prevent unauthorized machines from connecting to the network.

Cisco Secure ACS treats machine authentication as a separate authentication session independent of a user-based authentication session that normally follows. User or machine authentication is set in the Windows 2000/XP configuration page.

Hope that helps!

If that helps then please mark it resolved so that others can benefit.
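
A simplified model of the machine/user binding that MAR provides, added here as an example and not part of the thread or of Cisco's code: it reads constructed authentication records and reports user logins whose machine never completed machine authentication, which is the situation described in the question. The `host/` identity prefix is how Windows supplicants name machine accounts; the record layout, the 12-hour aging window and every name in the code are assumptions.

```python
from dataclasses import dataclass

MACHINE_PREFIX = "host/"  # Windows machine identities look like host/pc1.example.local

@dataclass
class AuthEvent:
    ts: int         # seconds since start of the constructed capture
    mac: str        # Calling-Station-Id reported by the switch
    identity: str   # EAP identity presented by the supplicant
    success: bool

def is_machine(identity: str) -> bool:
    return identity.lower().startswith(MACHINE_PREFIX)

def evaluate_mar(events, aging_seconds=12 * 3600):
    """Classify each successful user authentication by whether the same MAC
    completed machine authentication within the aging window (assumed value)."""
    last_machine_auth = {}   # mac -> timestamp of last successful machine auth
    verdicts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not ev.success:
            continue         # failed attempts never populate the cache
        mac = ev.mac.lower()
        if is_machine(ev.identity):
            last_machine_auth[mac] = ev.ts
            continue
        seen = last_machine_auth.get(mac)
        if seen is None:
            verdict = "no-machine-auth"       # user-only 802.1X, as in the question
        elif ev.ts - seen > aging_seconds:
            verdict = "machine-auth-expired"
        else:
            verdict = "bound"
        verdicts.append((ev.identity, mac, verdict))
    return verdicts

# Constructed sample records (not taken from any real ACS log).
SAMPLE_EVENTS = [
    AuthEvent(0, "00-11-22-33-44-55", "host/pc1.example.local", True),
    AuthEvent(120, "00-11-22-33-44-55", "EXAMPLE\\alice", True),
    AuthEvent(280, "00-11-22-33-44-66", "host/pc2.example.local", False),
    AuthEvent(300, "00-11-22-33-44-66", "EXAMPLE\\bob", True),
    AuthEvent(10, "00-11-22-33-44-77", "host/pc3.example.local", True),
    AuthEvent(50000, "00-11-22-33-44-77", "EXAMPLE\\carol", True),
]

if __name__ == "__main__":
    for identity, mac, verdict in evaluate_mar(SAMPLE_EVENTS):
        print(f"{mac}  {identity:<16} {verdict}")
```

A port that only ever shows `no-machine-auth` verdicts is one where the supplicant is configured for user authentication alone, so the computer has no network path to a domain controller until after logon.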

rezaalikhani Sun, 07/15/2007 - 07:03

Dear Sir

Can you help me with how to configure this feature? I mean, how do I configure machine authentication for a wired network and using MD5-challenge with user-password on Active Directory?

Best Regards.


Premdeep Banga Sun, 07/15/2007 - 11:09

I think you have a similar post running in the AAA section. I have provided you the configuration link in that section.

And take a look at this compatibility table,

With the Windows AD/SAM database you cannot have EAP-MD5 as the EAP type; choose any other.

And yes, you do not need to make any change on the switch to get this to work. You need to configure ACS and the supplicant for the other EAP that you decide to configure.



rezaalikhani Sun, 07/15/2007 - 20:38

You are right. One of my friends has used my account to post another similar thread.

Thanks again for your reply.

