Hi, I'm trying to deploy 802.1X in an AD environment.
When the clients get their PCs for the first time, they cannot join until they authenticate on 802.1X;
after they change their workgroup to our company's domain, they have to reboot.
When they reboot, they have to log in to AD so they can download the policy from the GPO in Active Directory.
At that point, the port is not authenticated yet, so the client can't download the GPO policy.
What's the solution for this situation? Using low-impact mode? Anything else?
You could authenticate by machine; the machine would be authenticated, and the client would still need a valid AD account to log in.
Hey, how can the device authenticate with AD since the port is CLOSED and the client is not authenticated yet?
The device cannot talk to AD before it gets authenticated.
If you're building PCs that aren't yet joined, you will either need a port that isn't dot1x-authenticated or a fallback guest area that has limited connectivity so you can complete the build process.
Please check the guide for Managing External Identity Sources; it may help you:
Are you using PXE to put an image onto the machine? If not, then who is doing the installation, how, and where are they when they install it (on-site / IT department)?
I have a few customers where we use their PXE environment to trigger a script that puts the MAC address of the new PC in a specific AD group, so it can get access while it's being provisioned, by using MAB authentication. When the PC is completely installed, the GPOs will configure the dot1x settings and enroll certs for machine/user authentication on the network.
The link below may solve your query:
• Ensure that the RADIUS probe is enabled in Cisco ISE.
• Ensure that network access devices support an IOS sensor for collecting DHCP, CDP, and LLDP.
• Ensure that network access devices run the following CDP and LLDP commands to capture CDP and LLDP information from endpoints:
• Ensure that session accounting is enabled separately, by using the standard AAA and RADIUS
For example, use the following commands:
    aaa accounting dot1x default start-stop group radius
    radius-server vsa send accounting
It depends on your setup. If you don't assign dynamic VLANs to users or machines, a pre-auth ACL should do it.
While the client is not authenticated, it is allowed to communicate with defined systems like an AD server, but all other communications are blocked.
As I wrote before, it depends on your setup.
What kind of authentication are you using? What kind of RADIUS/TACACS do you use, or maybe an ISE?
With an ISE it could be possible to assign the machine a profile if it's not authenticated, which allows these specific not-joined systems to communicate with the required servers. After the machine reboots it should be profiled correctly as a domain member.
With a Microsoft NPS/NAP you could normally do the same, but there are a couple of problems with this kind of setup.
Hey, we cannot use a profile.
First of all, you have to log in to the Windows PC at GINA; after that, you can get authenticated as not joined or joined to AD.
Before you log in at GINA, you can't do anything; that is the problem. When you log in at GINA, if you cannot communicate with AD, you cannot log in.
So specifically my problem is coming from here:
1. I have to log in to the new PC with an AD join
2. BUT the network is not authenticated when I log in at GINA
3. SO the PC can't get the GPO from the AD controller.
Any idea?
The ISE profile is based on policies and is not affecting your GPOs.
Do you use a Microsoft NAP/NPS as authentication server?
Do you want to authenticate the users or the machines?
I'm using ISE,
and maybe I was not clear about this.
In order to profile, the PC has to be on the network,
but you can't be on the network before logging in to the PC, which is when the PC is downloading the GPO from AD.
From the ISE guide:
Authorization policies are a component of the Cisco ISE network authorization service that allows you to define authorization policies and configure authorization profiles for specific users and groups of users that access your network resources.
Network authorization policies associate rules with specific user and group identities to create the corresponding profiles. Whenever these rules match the configured attributes, the corresponding authorization profile that grants permission is returned by the policy, and network access is authorized accordingly.
Authorization policies can contain conditional requirements that combine one or more identity groups using a compound condition that includes authorization checks that can return one or more authorization profiles. In addition, conditional requirements can exist apart from the use of a specific identity group (such as in using the default "Any"). Cisco ISE is an attribute-based policy system, with identity groups being one of the many important attributes.
You are not able to authorize the system because you don't have any attributes from the system except the MAC address of the network card.
An authorization policy with a lower priority which authorizes the system to communicate with the servers should work.
I'm not very firm with ISE, but it should be possible to authorize the system based on the MAC to join the domain.
It is not possible to authorize with the MAC because the NETWORK is NOT USED YET.
You know, when you first boot up, you have to log in at GINA. Before logging in, there is no way to use the Ethernet card...
Please see the link below; the information for your query is there.
When systems resume from sleep, they do not attempt machine authentication, only user authentication. This is by design on Windows. In your dot1x profile, what is the machine cache timeout set to? This can be found on the Advanced tab of the 802.1X Authentication Profile: "Machine Authentication Cache Timeout". This dictates how long the MAC address is cached in the internal database upon successful machine authentication. If set too low, you'll likely see improper role assignment due to the machine not authenticating.
Because these are new laptops, I would also make sure that they are doing both user and machine authentication as well (whether by GPO or manual settings).
As a test, on these same systems, if you restart them, do they get placed in the proper roles? If they do, then your cache timeout is likely the issue. If they do not, the system is likely not set to use both machine and user authentication.
I would recommend priming (preparing and joining) the workstations on a non-dot1x service port before sending them to the premises.
However, if you have a non-domain-member PC on a dot1x port, you can still enter the 802.1X credentials manually before joining, if user auth is enough. You need to modify the Windows 802.1X settings:
Find this very hidden setting and de-select "Automatically use my Windows logon name and password (and domain if any)".
The client will pop up a bubble when 802.1X authentication is attempted, where you can enter YOURDOM\username and the password, thus passing 802.1X.
Kindly check the following Cisco link for reference, as it covers all aspects of 802.1X: