Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1416
Views
0
Helpful
2
Replies

802.1x, AD Authentication vs Local login

rtjensen4
Level 4
Level 4

‎03-11-2010 06:07 AM - edited ‎03-10-2019 05:00 PM

Hello,

I'm working to implement 802.1x on my LAN, using ACS 4.2 as my authentication server. I've gotten my ACS server to successfully authorize users / PCs to AD without issue. The problem I'm having is if a user uses a local-logon to the PC. Say a laptop that's not on the domain for some reason. I see the user authenticate as <hostname>\<local user>, like testmachine\Administrator. When dealing with 500+ PCs, I don't want to have to enter PC1\Admin, PC2\Admin etc etc into ACS as local usernames.I've tried just putting "Adminsitrator" along with the local admin PW into ACS, but it doesn't work, it wants the hostname\Administrator.

How have other people overcome this issue?

There are times when you don't want to or can't log into the domain but still need network access and unplugging / repatching a machine in someone's cube is not always feasible or convenient.

Is there a way I can change the username used to authenticate? If I login with a local account on a PC, windows asks for additional informaiton to authenticate to the network...

A window pops up with the username i'm logged in with, which is grayed out, password (editable), and a grayed out PC name. Can I change the username it tries to authenticate with easily? I.E. I'm logged into the PC as Administrator, but I want to authenticate as my user.

Thanks for any clarification you can provide.

Labels:
0 Helpful
2 Replies 2

jedubois
Cisco Employee
Cisco Employee

‎03-12-2010 07:51 AM

Hello,

     ACS will authenticate the user it receives so I don't know of a way to work around this on the

     ACS that will be scalable.  What supplicant are you using, you may be able to configure the supplicant

     to only send the username instead of sending hostname\username when the PC is not joined to

     the domain.  Most supplicants allow you to configure the format the username that is sent to

     the ACS for authentication.

--Jesse

0 Helpful

rtjensen4
Level 4
Level 4
In response to jedubois

‎03-12-2010 07:57 AM

Hi Jesse,

Thanks for the information. I think I figured out how to do this. I'm using the windows built-in supplicant. If you dig down a few menus there's a check box that says "Automatically use my Windows logon name, password and Domain if any" I just unchecked that box and I'm able to change the username / PW that's used to authenticate.

0 Helpful
Customers Also Viewed These Support Documents