802.1x Authentication & VLANs

  • Updated 4 years ago
We've rolled out 802.1x auth to our wired clients and set up Windows NPS policies to determine which VLANs the connected port is placed into, by using attribute 203 and the string name of the VLAN.

This works very well so far, but I just stumbled over a special case that is making life difficult.

Normally the ports end up in TRUST or VOICE (or a combination for pass-through) for authenticated users/devices. Or they end up in GUEST if they are unable to authenticate.

My problem is that I need a SPECIAL VLAN for certain machines. The problem relates not to the machine, but to the user. The machine matches an NPS policy that puts the port into the SPECIAL VLAN. But as soon as the user authenticates, NPS puts the port into the TRUST VLAN :(

Ideally I'd like to see a computer AND user authentication, but I understand MS NPS can't do that, as the authentication process from the switch only sends one type of authentication: computer OR user.

I then wondered if there was a way NPS could return a "Don't change the VLAN" message in the RADIUS attribute. That way the computer could authenticate and be placed into the SPECIAL VLAN, and when the user authenticates the message is simply "authenticated".

What actually happens if I don't return the 203 attribute is that the port returns to the AuthVLAN.

Has anyone got any ideas on either a computer AND user or a no change scenario?
Bill Bixby

Posted 4 years ago
Brian Anderson
Do you have an NPS policy set up for your computers? If not, then you can do the same type of setup for the computer policy as for the user policy, just with the computer policy set up with Domain Computers as the group in your NPS policy.
Christoph
If your special machines are Windows devices, you can set the NIC to machine authentication only. If a user login occurs, the device is not using the user credentials for 802.1x.
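One way to apply the machine-only setting Christoph describes, as an added example that is not part of the thread: the wired 802.1X supplicant profile carries an `authMode` element (`machineOrUser` by default, which is why the user logon re-authenticates the port as the user), and switching it to `machine` keeps the computer credential in use after logon. The interface name and export folder are assumptions.

```powershell
# Assumed values (not from the thread): adjust the interface name and folder for your environment.
$Interface = 'Ethernet'
$Folder    = 'C:\Temp\lanprofile'
New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# Export the current wired 802.1X profile so its EAPConfig (PEAP/EAP-TLS settings) is kept
# unchanged and only the authentication mode is edited.
netsh lan export profile folder="$Folder" interface="$Interface" | Out-Null
$File = Get-ChildItem -Path $Folder -Filter '*.xml' | Select-Object -First 1
if (-not $File) { throw "No wired profile exported for interface '$Interface'." }

[xml]$Profile = Get-Content -Path $File.FullName
$ns = New-Object System.Xml.XmlNamespaceManager($Profile.NameTable)
$ns.AddNamespace('lan',  'http://www.microsoft.com/networking/LAN/profile/v1')
$ns.AddNamespace('onex', 'http://www.microsoft.com/networking/OneX/v1')

# authMode sits inside the OneX element. Its values are machineOrUser (default), machine, user.
# An absent element means machineOrUser; the element order in OneX is schema-validated, so the
# script stops rather than inserting it at a guessed position.
$AuthMode = $Profile.SelectSingleNode('//onex:OneX/onex:authMode', $ns)
if (-not $AuthMode) {
    throw "Profile has no <authMode> element (defaults to machineOrUser); add it to the profile XML before EAPConfig and re-run."
}
Write-Host "Current authMode: $($AuthMode.InnerText)"   # machineOrUser = port moves to the user VLAN at logon

# machine = the NIC keeps authenticating as the computer, so NPS keeps the port in the SPECIAL VLAN
$AuthMode.InnerText = 'machine'
$Profile.Save($File.FullName)

# Re-import the edited profile onto the same interface.
netsh lan add profile filename="$($File.FullName)" interface="$Interface"
```

Check the result with `netsh lan show profiles interface="Ethernet"`, which lists the authentication mode alongside the EAP settings.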