Can I have single sign-on to AD with 802.1x

p.tavan
Level 1

I need to install 802.1x on a wired network (with Catalysts) with ACS 3.2 as server member, and I want to know if a single sign-on to the AD is possible; and if yes, what are the menus to do it; and by which protocol: with EAP, or with PEAP? Or, in the case where it would not be possible, in which order will I have to authenticate when the PC client starts? (I did not find documents explaining that sequence.)

I thank you.

Patrice

4 Replies

verdann
Level 1

The easiest method that comes to mind for authenticating 802.1x ports with an Active Directory environment (though in a Microsoft rather than Cisco-centric manner) is using PEAP with host-based authentication.

This essentially means that the host will authenticate itself to the port using the computer's domain account, which gives it network access to authenticate the user login. After the user has successfully authenticated, the port will re-authenticate using the user's AD account. This allows for the single sign-on experience for the user. (All of this assumes the computers are a part of the domain, btw, and my documentation uses the MS IAS server instead of ACS. I don't have any ACS servers at my disposal to test or write documentation.)

To implement this kind of solution on top of a regular PEAP authentication setup, you will need to:

a) Extend the AD schema to accommodate dial-in authentication to computer accounts.

b) Explicitly give the appropriate computer accounts dial-in access if you're running in a mixed-mode AD environment. Otherwise dial-in access is just determined (by default) by the remote access policy.

c) Ensure "Authenticate as computer when computer information is available" is selected on the wireless network configuration "Authentication" tab when enabling 802.1x PEAP on the clients.

Example implementation documentation for a & b can be found at http://www.missl.cs.umd.edu/Projects/wireless/8021x/2kserver.html

The same for c is http://www.missl.cs.umd.edu/Projects/wireless/8021x/xpclient.html

Hope that gets you started,

-mike
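The switch side that this thread takes for granted, as an added illustration (not from the original post and not Cisco's or the UMD documentation's own example): a Catalyst access port running wired 802.1x against ACS as the RADIUS server, plus the command used to see the "authorized" port state mentioned later in the thread. The server address 192.0.2.10, the shared-secret placeholder, the VLAN number and the interface name are assumptions.

```cisco
! --- Added example, assumptions: ACS at 192.0.2.10, port Fa0/1, VLAN 10 ---
! Enable AAA and send 802.1x (EAP) authentication requests to RADIUS (ACS).
aaa new-model
aaa authentication dot1x default group radius

! ACS 3.x listens on the legacy RADIUS ports 1645/1646 for Cisco IOS devices.
! Replace ACS_SHARED_SECRET with the key configured for this switch in ACS.
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key ACS_SHARED_SECRET

! Turn on 802.1x globally; per-port settings below have no effect without it.
dot1x system-auth-control

! Access port for a domain PC. "auto" keeps the port closed until the
! supplicant (the PC, first with its machine account, later with the user
! account) is authorized by ACS; without dot1x the port would stay blocked.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 ! Periodic re-authentication lets the port pick up the switch from the
 ! machine account to the user account after the user logs on.
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 spanning-tree portfast

! Verification: the port state should read AUTHORIZED after the machine
! account has been accepted, and again after the user logs on.
! show dot1x interface FastEthernet0/1
! show dot1x all
! debug dot1x events      (authentication state changes on the switch)
! debug radius            (the Access-Request / Access-Accept exchange with ACS)
```

If the port shows AUTHORIZED but the domain logon still fails, the problem is on the client/AD side (the situation described in the follow-up below), not in the 802.1x exchange itself.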

Hi Mike,

Many thanks for your detailed answer, but I still do not manage to make PEAP run OK with ACS 3.2.3!

On a Windows XP SP1 machine, I have checked host-based authentication, as you recommend.

When the user logs on to the domain after a reboot, we have the link (dot1x state of the interface = authorized) and we can ping the PC, but we do not manage to log on to the domain. In step 5 of your first document, you say: "This is because the client certificates are stored in the personal account profile". Does it mean that I need to install a client certificate on my PC? I thought this was useless in PEAP?

Thank you,

Patrice

Sorry for the confusion - that statement is for EAP-TLS, not PEAP. I'll edit it to make that clear. But it's the same concept, though: the user credentials can't be used to authorize the network interface for connection until they have logged in, so some kind of host-based authentication must occur so the user has network resources to do so.

If you are able to ping the PC after it boots, before the client logs in, it would appear that the host-based authentication was successful; I don't know why it would not log in to the domain. What is the error on the client, something to the effect of no domain server available? Someone else may have to take up this issue, because I don't have any copies of ACS myself to play with. I'm only familiar with host-based authentication using MS's RRAS policies with IAS.

- mike

Nice to see a clearly worded document covering MS IAS for authentication.

Very helpful!

Jason
