I was playing a while with 802.1X on a wired Catalyst network with good results, but always by typing the (user,pass) combo when challenged by the switch.
Now I want to move mainstream and deploy it on a production Windows domain with XP end user stations. I must implement single sign-on: the user/pass entered by the user when he/she logs in to the PC should also be re-used by the PC to answer to the switch when the EAPOL exchange is executed.
I have doubts about this environment. On a normal basis, a PC with XP that is turned on takes at least one minute to prompt for username and password, and it is my understanding that the switch will challenge with EAPOL as soon as the LAN adapter is powered on (let's say within a few seconds after the PC was powered). Now the questions:
Do I have to adjust my LAN switch 802.1X timeouts with this fact in mind?
What happens if the end user takes a long time (far beyond my switch timeouts) to enter the username/password information? Will the switch time out and move to the alternate methods?
What is executed first? Validation of user credentials within the AD environment or 802.1X validation? If AD validation comes first, I must apply an ACL on each switch port to allow at least DHCP service and access to the AD server, so the laptop can take an IP address and reach the AD server for validation.
Any help to my many questions will be greatly appreciated.
Best regards, Rogelio
After machine authentication completes, the network connection is opened. You may want an ACL to limit the user to accessing the AD, DHCP, DNS, etc. But you would need to give sufficient rights after the second dot1x completes, because then the user needs to access other resources in the network.
I will attach here the ACS 4.2 User Database section of the user guide. Anyway, you can find a similar section in most versions of the ACS user guides.
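As an added illustration (not configuration posted by either participant, and not taken from the ACS user guide mentioned above), the following Catalyst IOS fragment shows the two points raised in the thread: the port timers that govern how long the switch keeps re-sending EAP-Request/Identity before falling back to an alternate method, and a restrictive ACL of the kind the reply suggests for the window between machine authentication and user authentication. The RADIUS server address, the domain controller address (assumed to also serve DNS and DHCP), the VLAN numbers, the ACL name and the shared secret are all placeholders. The ACL is written so it can be pushed to the port by the RADIUS server as a downloadable ACL bound to the machine account and replaced by a more permissive one once the user's dot1x session completes; that attachment step depends on the ACS version and is not shown.

```cisco
! Added example, not from the original thread. All addresses, VLANs and names are assumed placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 10.0.0.10 key RADIUS-SECRET-PLACEHOLDER
!
! Services a domain-joined XP PC needs after machine authentication but before
! the user logs on: DHCP, DNS, Kerberos, LDAP, SMB (group policy) and NTP.
! 10.0.0.20 is the assumed domain controller; adjust to the real servers.
ip access-list extended MACHINE-AUTH-ACL
 remark DHCP discover/request to any DHCP server
 permit udp any eq bootpc any eq bootps
 remark DNS and Active Directory services on the domain controller
 permit udp any host 10.0.0.20 eq domain
 permit tcp any host 10.0.0.20 eq 88
 permit udp any host 10.0.0.20 eq 88
 permit tcp any host 10.0.0.20 eq 389
 permit udp any host 10.0.0.20 eq 389
 permit tcp any host 10.0.0.20 eq 445
 permit udp any host 10.0.0.20 eq 123
 remark everything else waits for the user authentication
 deny ip any any
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 ! The switch resends EAP-Request/Identity every tx-period seconds and gives up
 ! after max-reauth-req retries, so a supplicant that has not answered within
 ! tx-period * (max-reauth-req + 1) seconds (here 90 s) is treated as absent.
 dot1x timeout tx-period 30
 dot1x max-reauth-req 2
 ! Ports where no supplicant ever answers (printers, etc.) fall back to a guest VLAN
 dot1x guest-vlan 99
 spanning-tree portfast
```

Because the XP supplicant authenticates with the computer account as soon as the adapter comes up, the tx-period window only has to cover the time until the operating system's network stack is running, not the time the user takes to type a password; the second, user-credential dot1x exchange happens on top of an already authorized port, which is why the ACL above can stay narrow until that exchange replaces it.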