
AD join in 802.1X environment

Unanswered Question
Sep 8th, 2013

Hi, I'm trying to deploy 802.1X in an AD environment.

When the client gets their PC for the first time, they cannot join until they authenticate on 802.1X.

After they change their workgroup to our company's domain, they have to reboot.

When they reboot, they have to log in to AD so they can download the policy from the GPO in Active Directory.

At that point, the port is not authenticated yet, so the client can't download the GPO policy.

What's the solution for this situation? Using low-impact mode? Anything else?

Chris Illsley Mon, 09/09/2013 - 00:47

You could authenticate by machine; the machine would be authenticated, and the client would still need a valid AD account to log in.


Thanks

Chris

jiyoung Kim Mon, 09/09/2013 - 01:07

Hey, how can the device authenticate with AD, since the port is CLOSED and the client is not authenticated yet?

The device cannot talk to AD before it gets authenticated.

Chris Illsley Mon, 09/09/2013 - 01:10

Hi,


You've joined the PC to AD? So you get the machine to authenticate; that way the port will be authenticated.


Thanks

Chris

jiyoung Kim Mon, 09/09/2013 - 01:20

It is a new PC; it hasn't joined yet.

Sent from Cisco Technical Support iPhone App

Chris Illsley Mon, 09/09/2013 - 01:27

If you're building PCs that aren't yet joined, you will either need a port that isn't dot1x authenticated or a fall-back guest area that has limited connectivity so you can complete the build process.


Thanks

Chris

jiyoung Kim Mon, 09/09/2013 - 01:57

Hey, it is a very dangerous idea to put AD in a guest area.


Also, I'm asking for a solution for that.

jan.nielsen Mon, 09/09/2013 - 11:37

Are you using PXE to put an image onto the machine? If not, then who is doing the installation and how, and where are they when they install it (on-site/IT department)?

I have a few customers where we use their PXE environment to trigger a script that puts the MAC address of the new PC in a specific AD group, so it can get access while it's being provisioned, by using MAB authentication. When the PC is completely installed, the GPOs will configure the dot1x settings and enroll certs for machine auth/user authentication on the network.

Muhammad Munir Tue, 09/10/2013 - 21:28

Hi

Ensure that the RADIUS probe is enabled in Cisco ISE.

Ensure that network access devices support an IOS sensor for collecting DHCP, CDP, and LLDP information.

Ensure that network access devices run the following CDP and LLDP commands to capture CDP and LLDP information from endpoints:

cdp enable
lldp run

Ensure that session accounting is enabled separately, by using the standard AAA and RADIUS commands. For example, use the following commands:

aaa new-model
aaa accounting dot1x default start-stop group radius
radius-server host auth-port acct-port key
radius-server vsa send accounting

Oliver Laue Wed, 09/11/2013 - 22:27

Hi,

It depends on your setup. If you don't assign dynamic VLANs to users or machines, a pre-auth ACL should do it.
While the client is not authenticated, it is allowed to communicate with defined systems like an AD server, but all other communication is blocked.

Sent from Cisco Technical Support iPhone App
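
As an added illustration of the pre-auth ACL approach described in the post above (example configuration written for this thread, not taken from the original post, from Cisco documentation or from the ISE guide), the following IOS switch-port configuration opens the port in low-impact mode and lets an unjoined PC reach only DHCP, DNS, NTP and the domain controller before any 802.1X or MAB result exists, so the domain join and the GPO download at the GINA logon can complete. The domain controller address 10.0.0.10, VLAN 100 and the interface name are constructed placeholders.

```cisco
! Constructed example: low-impact mode with a static pre-auth ACL for unjoined PCs.
! 10.0.0.10 (domain controller), VLAN 100 and Gi1/0/1 are placeholders.
ip access-list extended PRE-AUTH
 remark Bootstrap services an unjoined PC needs before any 802.1X/MAB result
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit tcp any any eq domain
 permit udp any host 10.0.0.10 eq ntp
 remark Domain join and GPO download: Kerberos, LDAP, SMB (SYSVOL), RPC
 permit tcp any host 10.0.0.10 eq 88
 permit udp any host 10.0.0.10 eq 88
 permit tcp any host 10.0.0.10 eq 389
 permit udp any host 10.0.0.10 eq 389
 permit tcp any host 10.0.0.10 eq 445
 permit tcp any host 10.0.0.10 eq 135
 permit tcp any host 10.0.0.10 range 49152 65535
 remark Everything else stays blocked until ISE returns an authorization
 deny ip any any
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 ! Static port ACL applied to the unauthenticated session
 ip access-group PRE-AUTH in
 ! Low-impact mode: forward traffic before authentication, limited by PRE-AUTH
 authentication open
 authentication host-mode multi-auth
 ! Try 802.1X first (machine auth once the PC is joined), fall back to MAB
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

With `authentication open`, the pre-auth ACL is the only thing restricting an unauthenticated PC, so keep it to the ports the join and GPO download need rather than a permit-any entry; once the joined machine authenticates, the dACL that ISE returns for that session takes precedence over the static port ACL.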

jiyoung Kim Wed, 09/11/2013 - 23:22

So it can only be done by using low-impact mode... right?

Oliver Laue Wed, 09/11/2013 - 23:34

As I wrote before, it depends on your setup.
What kind of authentication are you using? What kind of RADIUS/TACACS did you use, or maybe an ISE?

With an ISE it could be possible to assign the machine a profile if it's not authenticated, which allows these specific not-joined systems to communicate with the required servers. After the machine reboots, it should be profiled correctly as a domain member.

With a Microsoft NPS/NAP you could normally do the same, but there are a couple of problems with this kind of setup.

Sent from Cisco Technical Support iPad App

jiyoung Kim Wed, 09/11/2013 - 23:40

Hey, we cannot use a profile.

First of all, you have to log in to the Windows PC on GINA; after that, you can get authenticated as not joined or joined to AD.

Before you log in on GINA, you can't do anything; that is the problem. When you log in on GINA, if you cannot communicate with AD, you cannot log in.

So specifically my problem is coming from here:

1. I have to log in to the new PC with AD join.

2. BUT the network is not authenticated when I log in on GINA.

3. SO the PC can't get the GPO from the AD controller.

Any idea?

Oliver Laue Wed, 09/11/2013 - 23:53

The ISE profile is based on policies and is not affecting your GPOs.

Did you use a Microsoft NAP/NPS as authentication server?
Did you want to authenticate the users or the machines?

Sent from Cisco Technical Support iPad App

jiyoung Kim Thu, 09/12/2013 - 00:14

I'm using ISE, and maybe I was not clear about this.

In order to profile, the PC has to be on the network,

but you can't be on the network before logging in to the PC, which is when the PC is downloading the GPO from AD.

Oliver Laue Thu, 09/12/2013 - 00:25

From the ISE guide:

Understanding Authorization Policies

Authorization policies are a component of the Cisco ISE network authorization service that allows you to define authorization policies and configure authorization profiles for specific users and groups of users that access your network resources.

Network authorization policies associate rules with specific user and group identities to create the corresponding profiles. Whenever these rules match the configured attributes, the corresponding authorization profile that grants permission is returned by the policy, and network access is authorized accordingly.

Authorization policies can contain conditional requirements that combine one or more identity groups using a compound condition that includes authorization checks that can return one or more authorization profiles. In addition, conditional requirements can exist apart from the use of a specific identity group (such as in using the default "Any"). Cisco ISE is an attribute-based policy system, with identity groups being one of the many important attributes.

You are not able to authorize the system because you don't have any attributes from the system except the MAC address of the network card.

An authorization policy with a lower priority which authorizes the system to communicate with the servers should work.

I'm not very firm with ISE, but it should be possible to authorize the system based on the MAC to join the domain.

jiyoung Kim Thu, 09/12/2013 - 00:29

It is not possible to authorize with MAC because the NETWORK is NOT USED YET.

You know, when you first boot up, you have to log in to GINA. Before logging in, there is no way to use the Ethernet card...

Oliver Laue Thu, 09/12/2013 - 00:32

It should be possible with MAB to authorize the system by MAC.

jiyoung Kim Thu, 09/12/2013 - 00:35

Then could you tell me the flow of authentication with that?

blenka Thu, 09/12/2013 - 15:30

Please see the link below; the information is there for your query.

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_guest_pol.html#wp1096365

When systems resume from sleep, they do not attempt machine authentication, only user authentication. This is by design on Windows. In your dot1X profile, what is the machine cache timeout set at? This can be found on the Advanced tab of the 802.1X Authentication Profile: "Machine Authentication Cache Timeout". This dictates how long the MAC address is cached in the internal database upon successful machine authentication. If set too low, you'll likely see improper role assignment due to the machine not authenticating.

Because these are new laptops, I would also make sure that they are doing both user and machine authentication as well (whether by GPO or manual settings).

As a test, on these same systems, if you restart them, do they get placed in the proper roles? If they do, then your cache timeout is likely the issue. If they do not, the system is likely not set to use both machine and user authentication.

Peter Koltl Sun, 09/15/2013 - 14:41

I would recommend priming (preparing and joining) the workstations on a non-dot1x service port before sending them to the premises.


However, if you have a non-domain-member PC on a dot1x port, you can still enter the 802.1X credentials manually before joining, if user auth is enough. You need to modify the Windows 802.1X settings:

Find this very hidden setting and de-select "Automatically use my Windows logon name and password (and domain if any)".

The client will pop up a bubble when 802.1X authentication is attempted, where you can enter the YOURDOM\username and the password, thus passing 802.1X.
