802.1x, AD Authentication vs Local login

Unanswered Question
Mar 11th, 2010

Hello,

I'm working to implement 802.1x on my LAN, using ACS 4.2 as my authentication server. I've gotten my ACS server to successfully authorize users / PCs to AD without issue. The problem I'm having is if a user uses a local-logon to the PC. Say a laptop that's not on the domain for some reason. I see the user authenticate as <hostname>\<local user>, like testmachine\Administrator. When dealing with 500+ PCs, I don't want to have to enter PC1\Admin, PC2\Admin etc etc into ACS as local usernames.I've tried just putting "Adminsitrator" along with the local admin PW into ACS, but it doesn't work, it wants the hostname\Administrator.

How have other people overcome this issue?

There are times when you don't want to or can't log into the domain but still need network access and unplugging / repatching a machine in someone's cube is not always feasible or convenient.

Is there a way I can change the username used to authenticate? If I login with a local account on a PC, windows asks for additional informaiton to authenticate to the network...

A window pops up with the username i'm logged in with, which is grayed out, password (editable), and a grayed out PC name. Can I change the username it tries to authenticate with easily? I.E. I'm logged into the PC as Administrator, but I want to authenticate as my user.

Thanks for any clarification you can provide.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
jedubois Fri, 03/12/2010 - 07:51

Hello,

     ACS will authenticate the user it receives so I don't know of a way to work around this on the

     ACS that will be scalable.  What supplicant are you using, you may be able to configure the supplicant

     to only send the username instead of sending hostname\username when the PC is not joined to

     the domain.  Most supplicants allow you to configure the format the username that is sent to

     the ACS for authentication.

--Jesse

rtjensen4 Fri, 03/12/2010 - 07:57

Hi Jesse,

Thanks for the information. I think I figured out how to do this. I'm using the windows built-in supplicant. If you dig down a few menus there's a check box that says "Automatically use my Windows logon name, password and Domain if any" I just unchecked that box and I'm able to change the username / PW that's used to authenticate.

Actions

This Discussion