802.1x port authentication problem


TonyB

I am looking at the possibility of securing computer connections to our network
here using 802.1x authentication with RADIUS.

Our wired network switches support this, and the backend auth will be Win2k3
with IAS (RADIUS). I have already set this type of connection up with
wireless, but I want to extend this to wired.

The problem I'm having is that when using certs (from our local CA)
assigned to the user account (and mapped in A/D), the 802.1x auth only takes
place *after* the user has logged on, and the switch port is not unblocked
until this time. This does work, but means that the group policies do not
apply (because the switch port is still blocked at this time) and the user
always has to log on with cached credentials. Also, this type of setup
prevents new users logging onto a machine (who don't have a local profile),
which causes other problems.

Ideally I would like to authenticate the computer using 802.1x (and not the
user). This should ensure that the authentication phase takes place earlier,
the policies apply, and the user can log on as normal.

Is this possible using Windows (2000/XP)? I can't seem to map a computer
certificate to a computer object in A/D. Does anyone have any
recommendations?

Thanks
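The question above turns on whether the client holds a certificate that 802.1x computer (machine) authentication can actually use. The following is an added diagnostic, not code from the thread or from Microsoft: it is a read-only PowerShell check, assumed to run on a Windows client with PowerShell 3.0 or later (the certificate provider's DnsNameList and EnhancedKeyUsageList properties), assuming the machine certificate was issued into the LocalMachine\My store, that the RADIUS server maps the machine to its computer account by the FQDN in the certificate's subject alternative name (dNSName), and that the certificate carries the Client Authentication EKU. The function name Test-Dot1xComputerCert is this example's own.

```powershell
# Added example, not from the thread: report which certificates in the local
# machine's personal store satisfy the usual prerequisites for EAP-TLS computer
# authentication, so a failure to authenticate the computer (rather than the
# user) can be narrowed to the certificate, the chain, or the service.
# Assumptions: PowerShell 3.0+; certificate in Cert:\LocalMachine\My; the
# RADIUS server matches the dNSName SAN entry against the computer's FQDN.

function Test-Dot1xComputerCert {
    [CmdletBinding()]
    param()

    # The FQDN the computer account is known by (hostname + primary DNS suffix).
    $ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $fqdn = if ($ipProps.DomainName) { "$($ipProps.HostName).$($ipProps.DomainName)" } else { $ipProps.HostName }

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (Client Authentication EKU)
    $now = Get-Date

    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        # EKU must explicitly include Client Authentication; a certificate with
        # no EKU at all is reported as not usable rather than assumed valid.
        $hasClientAuth = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })

        # dNSName entries from the subject alternative name (Unicode form).
        $sanDns = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        $nameMatches = $sanDns -contains $fqdn      # -contains is case-insensitive

        # Verify() builds the chain to a trusted root and checks revocation/validity.
        $chainValid = $cert.Verify()
        $inDate = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ClientAuthEKU = $hasClientAuth
            SanDnsNames   = ($sanDns -join ', ')
            MatchesFqdn   = $nameMatches
            ChainValid    = $chainValid
            Usable        = ($cert.HasPrivateKey -and $hasClientAuth -and $nameMatches -and $chainValid -and $inDate)
        }
    }
}

$report = @(Test-Dot1xComputerCert)
$report | Format-Table Thumbprint, ClientAuthEKU, MatchesFqdn, ChainValid, HasPrivateKey, NotAfter, Usable -AutoSize

if (-not ($report | Where-Object { $_.Usable })) {
    Write-Warning 'No certificate in Cert:\LocalMachine\My satisfies the computer-authentication checks.'
}

# Wired AutoConfig (dot3svc) provides 802.1X on wired adapters on Windows Vista
# and later; if it is not running, no EAPOL exchange happens on the wired port.
$svc = Get-Service -Name dot3svc -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning 'Wired AutoConfig (dot3svc) service not found on this host.'
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "Wired AutoConfig (dot3svc) is $($svc.Status); 802.1X on wired ports is inactive."
}
```

Run it in an elevated session on the client so the private-key flag of machine certificates is readable. A row with ClientAuthEKU and ChainValid true but MatchesFqdn false is the typical cause of a computer certificate that the RADIUS server cannot map to the computer account; a row that is Usable while authentication still only occurs after logon points at the supplicant's authentication mode rather than the certificate.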
 

Steve Riley [MSFT]

Have you read through this configuration guide?

http://www.microsoft.com/downloads/...71-6b20-4cef-9939-47c397ffd3dd&displaylang=en

_________________________________
Steve Riley
(e-mail address removed)
http://blogs.technet.com/steriley
