
802.1x, Machine Authentication, Active Directory and eDirectory

rhodrijenkins
Level 1

Does anyone think this is feasible as a solution...

Problem Definition.

1) Machines all use the NetWare client and authenticate to eDirectory initially, then to AD.

2) I want to use ACS, not FreeRADIUS.

3) I don't want to use a 3rd party supplicant.

Possible solution...

Does anyone think it might be possible to authenticate a machine using a certificate into AD before the user logs in using the NetWare client? My thinking being this: the user (or machine in this case) will have already been identified as trusted (through AD) and will be connected to the network when the user submits their NetWare credentials. This would mean that NetWare could be left out of the 802.1x process completely and yet the user would still get a single sign-on experience.

4 Replies

jafrazie
Cisco Employee

This should work.

I'm about to test this. I'll keep you posted. Fingers crossed!

efrazee
Level 1

Did you ever get this to work? I'm trying to get something similar to work.

Thank you

I did. Basically the scenario I described in the original post worked.

The only caveat is that user auth still occurs through 802.1x once you submit the user credentials. There are registry hacks which disable this if you solely want to use machine auth.

Hope this helps.
