NAC Authentication at Domain Controller


Hello Community,

We have one NetSight appliance and two NAC controllers in operation. The firmware on all of them is 8.0.2.42.

After MAC authentication was working very well, we activated 802.1X authentication on the first switch. At first, it works fine. But I have a question about the authentication from the NAC Manager/NAC Gateway to the Windows domain controller.

We wanted to restrict access for the user account used by the NAC Manager, which queries the domain for the client user. It should only get access if it comes from the NAC Gateway. In this way nobody can block the user account with wrong authentication attempts.

Now we have looked at the log files on the domain controller. There we see that the access request for the client is not coming from the NAC Gateway but from the domain controller itself. So we have to grant access if the NAC admin account comes from the domain controller.

Can anybody verify this behavior? Can anybody explain this?

Regards, Daniel

Daniel B

Posted 1 year ago

Yacobucci, Ryan, Multi-Tier Technical Support Engineer

Hello Daniel,

I'm not quite sure what you are asking.

From an authentication perspective there are two different ways this could be happening.

Either you have LDAP authentication set up, where RADIUS will be terminated at the NAC, or you have proxy RADIUS, where NAC will relay the RADIUS traffic to the NPS service on the Microsoft server.

The RADIUS request should always flow TO the NPS server and not from.

Thanks
-Ryan
Daniel B


Hello Ryan,

We have LDAP authentication running.
I expected authentication data from the NAC to the domain controller, but I see the NAC request with the domain controller as the source system.

Regards, Daniel

Yacobucci, Ryan, Multi-Tier Technical Support Engineer

I'm still not quite sure what you're seeing. Would you be able to attach a screenshot or log to provide details of what you're seeing?

In an LDAP authentication environment all RADIUS traffic will be contained between the authenticating switch and the NAC appliance. NAC will then use DCERPC calls to the domain controller to perform NTLM authentication, not RADIUS.

Thanks
-Ryan
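As an added, defender-side illustration of checking what Ryan describes above (this is not code from the thread or from the NAC product): a small Python script that parses a constructed, simplified one-line rendering of Windows Security Event ID 4776 (NTLM credential validation) entries and reports which Source Workstation the domain controller records for each validation, plus accounts with repeated failures of the kind that drive lockouts. The one-line event format, hostnames, accounts and error codes are assumptions made for this example; real 4776 events are multi-line records.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, one event per line, in a simplified rendering of the
# Windows Security log fields for Event ID 4776 (NTLM credential validation).
# Hostnames, accounts and codes are made up for this example.
SAMPLE_EVENTS = """\
EventID=4776 Account=jsmith SourceWorkstation=NAC-GW1 ErrorCode=0x0
EventID=4776 Account=jsmith SourceWorkstation=NAC-GW1 ErrorCode=0xC000006A
EventID=4776 Account=mmueller SourceWorkstation=DC01 ErrorCode=0x0
EventID=4776 Account=jsmith SourceWorkstation=DC01 ErrorCode=0xC000006A
EventID=4624 Account=svc-backup SourceWorkstation=FS01 ErrorCode=0x0
EventID=4776 Account=jsmith SourceWorkstation=NAC-GW1 ErrorCode=0xC000006A
"""

EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+) Account=(?P<account>\S+) "
    r"SourceWorkstation=(?P<source>\S+) ErrorCode=(?P<code>0x[0-9A-Fa-f]+)"
)


def parse_events(text):
    """Parse the one-line event rendering into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["id"] = int(d["id"])
            d["code"] = int(d["code"], 16)
            events.append(d)
    return events


def validations_by_source(events):
    """Count 4776 validations per Source Workstation, i.e. which host the DC
    records as submitting the NTLM validation (NAC appliance, the DC itself, ...)."""
    return Counter(e["source"] for e in events if e["id"] == 4776)


def failed_validations(events, threshold=3):
    """Accounts with at least `threshold` failed 4776 validations (ErrorCode != 0),
    broken down by Source Workstation; such bursts are what triggers lockouts."""
    per_account = defaultdict(Counter)
    for e in events:
        if e["id"] == 4776 and e["code"] != 0:
            per_account[e["account"]][e["source"]] += 1
    return {acct: dict(srcs) for acct, srcs in per_account.items()
            if sum(srcs.values()) >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(validations_by_source(evs))
    print(failed_validations(evs))
```

Run against an export of the real DC Security log, the Source Workstation column is what tells you whether the validations for the NAC account are attributed to the NAC appliance or to the domain controller itself.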