802.1x Authentication on Wired and Wireless LAN

Dec 30th, 2008

I have successfully configured 802.1x authentication on wired and wireless LAN. We have Cisco switches, ACS SE and Windows AD.

But I have one issue regarding single sign-on: while authenticating using 802.1x with Windows Active Directory, users who are logging in for the first time are not able to log on, but for users whose profiles already exist on their PC there is no issue, and they are successfully authenticated and log in easily.

Is there any way for users to log in successfully the first time using 802.1x authentication with Windows AD, like a single sign-on?

mathias.mahnke Thu, 01/01/2009 - 22:45

We ran into the same situation from time to time. We implemented 802.1x authentication using the Cisco Secure Services Client (SSC) on the Windows hosts.

At the beginning we were completely unable to log on to the machines where no locally stored Windows profile exists. After changing the timeout to authenticate at the network in the SSC options, we are able to log on to the network and also be authenticated by the domain controller.

Sadly, this often works out as a timing issue. Most times the user needs to try a couple of times. At the moment, I'm also very interested in a good way to avoid this (as it seems to be) race condition.

Hope that someone else has a clue?

mathias.mahnke Mon, 01/05/2009 - 07:22

Yes, right. But it means preparing and taking care of additional credentials and internal deployment processes. At the moment the user authentication is a very good solution to determine whether this notebook (user) is allowed to connect or not.

jafrazie Mon, 01/05/2009 - 07:28

If you're running machine-auth, Kerberos actually launches for a user account before/asynchronously from 802.1X (and remember the network connection has already been enabled by machine-auth). Hence, a new user can log in to the machine just like they could before 802.1X was deployed.

Hope this helps,

mathias.mahnke Tue, 01/06/2009 - 00:06

Thanks for the information, very helpful. We will consider adding machine authentication.

