802.1x Authentication on Wired and Wireless LAN

ayazalined
Level 1

I have successfully configured 802.1x authentication on wired and wireless LAN. We have Cisco switches, ACS SE and Windows AD.

But I have one issue regarding single sign-on when authenticating using 802.1x with Windows Active Directory: users who are logging in for the first time are not able to log on, but for users whose profiles already exist on their PC there is no issue, and they are successfully authenticated and log in easily.

Is there any way for users to log in successfully the first time using 802.1x authentication with Windows AD, like a single sign-on?


mathias.mahnke
Level 1

We ran into the same situation from time to time. We implemented 802.1x authentication using the Cisco Secure Services Client (SSC) on the Windows hosts.

At the beginning we were completely unable to log on to the machines where no locally stored Windows profile exists. After changing the timeout to authenticate at the network in the SSC options, we are able to log on to the network and also be authenticated by the domain controller.

Sadly, this often works out as a timing issue. Most times the user needs to try a couple of times. At the moment, I'm also very interested in a good way to avoid this (as it seems to be) race condition.

Hope that someone else has any clue?

jafrazie
Cisco Employee

If you are using machine-authentication, this should solve this. This should help:

http://technet.microsoft.com/en-us/library/cc787892.aspx

Yes, right. But it means preparing and taking care of additional credentials and internal deployment processes. At the moment the user authentication is a very good solution to determine whether this notebook (user) is allowed to connect or not.

If you're running machine-auth, Kerberos actually launches for a user account before/asynchronous 802.1X does (and remember the network connection has already been enabled by machine-auth). Hence, a new user can log in to the machine just like they could before 802.1X was deployed.

Hope this helps,

Thanks for the information, very helpful. We will consider adding machine authentication.
