Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7881
Views
0
Helpful
4
Replies

Wired 802.1X. How is single sign-on implemented on AD environments?

Go to solution
rogelioalvez
Level 1
Level 1

‎09-15-2010 06:49 PM - edited ‎03-10-2019 05:24 PM

Hello team:

I was playing a while with 802.1X on a wired Catalyst network with good results, but always by typing the (user,pass) combo when challenged by the switch.

Now I want to move mainstream and deploy it on a production Windows domain with XP end user stations. I must implement single sign-on: the user/pass entered by the user when he/she logs in to the PC should also be re-used by the PC to answer to the switch when the EAPOL exchange is executed.

I have doubts about this environment. On a normal basis, a PC with XP that is turned on takes at least one minute to prompt for username and password, and it is my understanding that the switch will challenge with EAPOL as soon as the LAN adapter is powered on (let´s say within a few seconds after the PC was powered). Now the questions:

¿Do I have to adjust my LAN switch 802.1X timeouts with this fact in mind?

¿What happens if the end user takes a long time to (far beyond my switch timeouts) to enter the username/password information? Will the switch timeout and move to the alternate methods?

¿What is executed first? ¿Validation of user credentials within the AD environment or 802.1X validation? If AD validation comes first, I must apply an ACL in each switch port to allow for at least DHCP service and access to the AD server, so the laptop can take an IP address and reach the AD server for validation.

Any help to my many questions will be greatly appreciated.

Best regards, Rogelio

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Michael Wong
Level 1
Level 1
In response to rogelioalvez

‎09-19-2010 08:07 PM

After machine authentication complete, the network connection is opened. You may want ACL to limit the user to acces the AD; DHCP; DNS,etc. But you would need to give sufficient rights after the second dot1x completed because then the user need to access other resources in the network.

I will attach here the ACS4.2 User Database section of the user guide. Anyway, you can find similar section on most versions of ACS user guides.

View solution in original post

Preview file
647 KB
0 Helpful
4 Replies 4

Go to solution
Michael Wong
Level 1
Level 1

‎09-18-2010 04:06 AM

On  the User Guide for Cisco Secure Access ControlServer 4.2 > External Databases > User databases > Mac authentication, it explain how the mac authentication which is related to the single sign-on.

http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp3540664.2

The Windows workstation must first join to the domain under normal connection and get the credential. The credential will be stored in the workstaion for the mac-authentication use.

The Windows wokstation then enable the dot1x, and enable the "logon network with computer information if it is available".

Once the Windows workstation is bootup, it will connect to the network with mac-authentication. Then Windows Logon then appear and user can logon with doamin username/password.

Once logon domin, the workstaion will initiate dot1x authentication with the Domain logon username/password again. If theis dot1x authen not successful, the netwrok connection will be release after timeout.

That's what I know about it.

0 Helpful

Go to solution
Michael Wong
Level 1
Level 1
In response to Michael Wong

‎09-18-2010 04:36 AM

Sorry for typing mistakes. It should be machine authentication, not mac-authentication.

0 Helpful

Go to solution
rogelioalvez
Level 1
Level 1
In response to Michael Wong

‎09-19-2010 11:19 AM

Hi Michael, thank you very much for your answer.

So in principle I have to configure the port ACL with enough entries to let a PC reach the AD server to join the domain, and then the PC will start the 802.1X authentication process. ¿Am I right?

By the way, I wanted to get the document you suggested me to read but have no enough privilege to get through that URL. ¿Could you send me a copy to rogelioalvez@yahoo.com? I hope it should not be a problem, otherwise do not worry and I will find another way to learn how to setup the environment.

Thank you very much again.

Rogelio

0 Helpful

Go to solution
Michael Wong
Level 1
Level 1
In response to rogelioalvez

‎09-19-2010 08:07 PM

After machine authentication complete, the network connection is opened. You may want ACL to limit the user to acces the AD; DHCP; DNS,etc. But you would need to give sufficient rights after the second dot1x completed because then the user need to access other resources in the network.

I will attach here the ACS4.2 User Database section of the user guide. Anyway, you can find similar section on most versions of ACS user guides.

Preview file
647 KB
0 Helpful
Customers Also Viewed These Support Documents