Wired 802.1X. How is single sign-on implemented on AD environments?

Sep 15th, 2010

Hello team:

I was playing a while with 802.1X on a wired Catalyst network with good results, but always by typing the (user,pass) combo when challenged by the switch.

Now I want to move mainstream and deploy it on a production Windows domain with XP end user stations. I must implement single sign-on: the user/pass entered by the user when he/she logs in to the PC should also be re-used by the PC to answer to the switch when the EAPOL exchange is executed.


I have doubts about this environment. On a normal basis, a PC with XP that is turned on takes at least one minute to prompt for username and password, and it is my understanding that the switch will challenge with EAPOL as soon as the LAN adapter is powered on (let's say within a few seconds after the PC was powered). Now the questions:

Do I have to adjust my LAN switch 802.1X timeouts with this fact in mind?

What happens if the end user takes a long time (far beyond my switch timeouts) to enter the username/password information? Will the switch time out and move to the alternate methods?

What is executed first? Validation of user credentials within the AD environment or 802.1X validation? If AD validation comes first, I must apply an ACL in each switch port to allow for at least DHCP service and access to the AD server, so the laptop can take an IP address and reach the AD server for validation.


Any help to my many questions will be greatly appreciated.

Best regards, Rogelio

Michael Wong Sat, 09/18/2010 - 04:06

In the User Guide for Cisco Secure Access Control Server 4.2 > External Databases > User Databases > Mac Authentication, it explains how the mac authentication works, which is related to the single sign-on.


http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp3540664.2


The Windows workstation must first join the domain over a normal connection and get the credential. The credential will be stored in the workstation for the mac-authentication use.

The Windows workstation then enables dot1x, and enables "logon network with computer information if it is available".

Once the Windows workstation is booted up, it will connect to the network with mac-authentication. Then the Windows logon appears and the user can log on with a domain username/password.

Once logged on to the domain, the workstation will initiate dot1x authentication with the domain logon username/password again. If this dot1x authentication is not successful, the network connection will be released after a timeout.


That's what I know about it.

Michael Wong Sat, 09/18/2010 - 04:36

Sorry for typing mistakes. It should be machine authentication, not mac-authentication.

rogelioalvez Sun, 09/19/2010 - 11:19

Hi Michael, thank you very much for your answer.


So in principle I have to configure the port ACL with enough entries to let a PC reach the AD server to join the domain, and then the PC will start the 802.1X authentication process. Am I right?


By the way, I wanted to get the document you suggested I read, but I do not have enough privilege to get through that URL. Could you send me a copy to [email protected]? I hope it should not be a problem; otherwise do not worry and I will find another way to learn how to set up the environment.


Thank you very much again.

Rogelio

Correct Answer
Michael Wong Sun, 09/19/2010 - 20:07

After machine authentication completes, the network connection is opened. You may want an ACL to limit the user to accessing AD, DHCP, DNS, etc. But you would need to give sufficient rights after the second dot1x has completed, because then the user needs to access other resources in the network.


I will attach here the ACS 4.2 User Database section of the user guide. Anyway, you can find a similar section in most versions of ACS user guides.

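The two-stage flow Michael describes (machine authentication at boot, a restrictive ACL until the user's own dot1x completes) in Catalyst IOS form, as an added example that is not part of the thread or of Cisco's documentation. The VLAN numbers, the RADIUS server 10.0.0.10, the domain controller 10.0.0.20 and the RADIUS key are constructed placeholders; the downloadable ACL is shown as the ACE lines one would enter under ACS 4.2 Shared Profile Components > Downloadable IP ACLs.

```ios
! Added example, not from the thread. Addresses, VLANs and key are constructed.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
! IP device tracking is required for downloadable ACLs to be applied per host.
ip device tracking
radius-server host 10.0.0.10 key RADIUS-KEY-PLACEHOLDER
radius-server vsa send authentication
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 20
 dot1x pae authenticator
 authentication port-control auto
 authentication host-mode single-host
 ! EAP-Request/Identity every 10 s, 3 retries: about 40 s before the switch
 ! declares "no response". The XP supplicant answers at boot with the machine
 ! account, so the minute the user takes to log on never runs against this.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 3
 ! Alternate methods: no supplicant at all goes to a guest VLAN, bad
 ! credentials go to a restricted auth-fail VLAN instead of a blocked port.
 authentication event no-response action authorize vlan 99
 authentication event fail action authorize vlan 98
!
! Downloadable ACL to attach in ACS to the MACHINE account's authorization.
! Only what an XP host needs to get an address, find and talk to the domain
! controller (10.0.0.20, constructed). The USER authorization result should
! instead carry "permit ip any any" so the logged-on user reaches the rest
! of the network, as the answer above requires.
permit udp any eq bootpc any eq bootps
permit udp any host 10.0.0.20 eq domain
permit udp any host 10.0.0.20 eq ntp
permit udp any host 10.0.0.20 eq 88
permit tcp any host 10.0.0.20 eq 88
permit tcp any host 10.0.0.20 eq 389
permit tcp any host 10.0.0.20 eq 445
permit tcp any host 10.0.0.20 eq 135
deny ip any any
```

Verify the applied result with `show authentication sessions interface GigabitEthernet1/0/1` after boot and again after the user logs on: the first session should show the machine ACL, the second the permissive one.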