I'm looking for a solution for starting with 802.1X for wired and wireless networks in a live environment. During the migration I have to turn on port-based authentication. But at that moment, the machine must have a valid user / computer certificate. Otherwise there will be no connection to the network. Do I have to ensure that all computers have the certificates before turning on port-based authentication? Is there another method?
Using PEAP with the self-generated certificate option on the ACS server side, no client certificate is required and you can deploy dot1x authentication. I hope the attached document will help you implement 802.1X.
Kindly rate the useful posts
I know I need client certificates. But all the certificates need to be installed before 802.1X can be implemented on the switch. If there is no certificate, the client cannot get access to the network and auto-enrollment of certificates will not work.
In that case I suggest you use a Microsoft CA server, and let the user download the user certificate during the process of 802.1X authentication.
I assume EAPoL will help retrieve the user or computer certificate from the CA server during the authentication process.
During 802.1X authentication there is no connection to the rest of the network, so certificates cannot be obtained.
If you run machine-auth, this enables the network connection. If you then run user-auth, you can automatically download a cert for the user, since the network access has been obtained from machine credentials. So in other words, as long as you at least have a cert on the box for the machine, the user doesn't necessarily need a cert pre-loaded and auto-enrollment of certs can still work.
At first you use machine authentication with the computer certificate. This cert can be obtained after an initial reboot. OK, then there is a network connection based on computer authentication. At that moment, the user logs in. At that moment there will be a re-authentication with the user certificate (which is not available on the PC). I think this is going wrong.
That's all correct. ;-) Essentially what happens is the following:
1) network access granted via machine-auth.
2) EAPOL-Start from PC to switch.
3) EAPOL-Identity-Request from switch to PC.
At this point, the PC sits there since it has no cert to offer. But remember, network access has been granted from step 1 above, and the network connection is still open until at least this "new" authentication attempt fails or times out. So you have at least until it times out to allow auto-enrollment of a cert to work.
Would hope this is a corner case anyway, and that most of your users already have certs, but it's an option for you maybe ...
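The sequence in steps 1 to 3 above, modelled as an added example (not code from this thread or from any vendor): a port authorized by machine-auth stays authorized while the user re-authentication retransmits EAP-Request/Identity, so auto-enrollment has roughly txPeriod × (maxReq + 1) seconds to land a user cert. The timer names are IEEE 802.1X's; the 30 s / 2 defaults and the simplified supplicant behaviour (answers only once a cert exists) are assumptions.

```python
"""Switch-side view of the machine-auth -> user-auth window (constructed model)."""
from dataclasses import dataclass, field


@dataclass
class Dot1xPort:
    tx_period: float = 30.0   # txPeriod: seconds between Identity retransmits (assumed default)
    max_req: int = 2          # maxReq: retransmits before the attempt is abandoned (assumed default)
    authorized: bool = False
    log: list = field(default_factory=list)

    def machine_auth_success(self, t: float) -> None:
        """Step 1: machine credentials accepted, port becomes authorized."""
        self.authorized = True
        self.log.append((t, "machine-auth OK, port authorized"))

    def enrollment_window(self, t: float) -> tuple:
        """Earliest and latest time a user cert may appear and still be used
        during the re-authentication started at time t."""
        return (t, t + self.tx_period * (self.max_req + 1))

    def user_logon(self, t: float, cert_ready_at) -> str:
        """Steps 2-3: EAPOL-Start, then Identity requests. The port keeps the
        machine-auth authorization until the attempt fails or times out.
        cert_ready_at: time auto-enrollment delivers the user cert (None = never)."""
        self.log.append((t, "EAPOL-Start from PC"))
        now = t
        for attempt in range(self.max_req + 1):  # initial send plus max_req retransmits
            self.log.append((now, f"EAP-Request/Identity #{attempt + 1}"))
            if cert_ready_at is not None and cert_ready_at <= now:
                # Supplicant finally has something to offer; EAP-TLS would run here.
                self.log.append((now, "user cert present, user-auth succeeds"))
                return "user-auth"
            now += self.tx_period  # no response; wait txPeriod and retransmit
        # Exhausted retries: the new attempt fails and the port is deauthorized.
        self.authorized = False
        self.log.append((now, "user-auth failed, port unauthorized"))
        return "failed"


if __name__ == "__main__":
    p = Dot1xPort()
    p.machine_auth_success(0)
    print("window:", p.enrollment_window(100))
    print(p.user_logon(100, cert_ready_at=140), p.authorized)
```

With the defaults, a cert enrolled 40 s after logon is picked up on the third Identity request, while one arriving after 190 s finds the port already deauthorized.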