05-31-2019 12:39 PM
08-11-2021 08:31 AM
Hi Tomasz,
Thank you for your reply. I was talking about the EAP-TEAP with a vendor of our Extreme solutions. They contacted Extreme directly and found out that Extreme NAC does not support EAP-TEAP yet. However, it's in their road map, so hopefully someday…
Nevertheless, there should be basically two workarounds. The first one is the one you're describing in your previous post. It can be done either manually or using the workflow you provided.
The second one is to create two rules: the first for machine certificate authentication and the second one for identity authentication (credentials in AD). For this option you need to set your Windows supplicant for EAP-TEAP authentication, but I was told that it does not work very well. However, I haven't tried it myself, so who knows, it may be the way.
I'm not an expert in AD/GPO myself, but I don't believe that there is a "user-friendly" solution. And even if there was, I would like to assign different VLANs to different groups of users, which wouldn't be possible, right? The NAC would just let the machine onto the network, but I'd have to have a user certificate (which I don't have) to assign a specific VLAN. With a machine certificate only, the NAC would know that the machine is from our company, and therefore let it in, but wouldn't know which user uses it, so I can't create any user group.
Regards,
Jakub
08-11-2021 09:09 PM
Hi Jakub,
I'd love to see this being delivered in some future update.
For the time being, we could try to collect MAC addresses of corporate devices and have this end-system group as an additional criterion for AD users to be AAA'd successfully. This would not help, however, regarding users logging in from other corp stations than their own ones. It wouldn't help against MAC spoofing either, but 802.1X is not resilient against MitM either. It's a matter of risk assessment IMHO.
Wouldn't there be an attribute that could be applied to corporate devices in AD so they can be verified for this or that VLAN assignment? We can do an End-system Group of type "LDAP Host Group" and look up some attributes for hosts the same way as for users in a User Group of type "LDAP User Group" (the real difference is this or that section of the LDAP connection configuration that is used to pull data).
Hope that helps,
Tomasz
08-09-2021 08:18 PM
Hi Jakub,
Windows 10 hosts started supporting EAP-TEAP a bit ago, but I didn't play with it yet.
Besides, XMC can provide you a workflow that was linked above. It's about EAC storing the authenticated host MAC address and verifying whether the user auth happens from a verified host.
I'd love to see further progress on that. BTW, I'm not that deep in AD/GPO; wouldn't it be possible to prevent unwanted users from logging in to the laptop, and thus only have to focus on the machine auth on the network side?
Kind regards,
Tomasz
08-05-2021 12:56 PM
Hi all,
there are two showstoppers:
We have been looking for that since a long time ago, when Trapeze had that in their wifi solution!!
Yes, it's possibly working with caching the authenticated device (TLS) and using this behaviour for user authentication (PEAP)… Windows is in this case not a reliable platform with all the dependencies.
Changing the order and starting with PEAP (user auth) and validating the device in an AD device group is another option.
At the end of the day, using TLS is the best and most reliable way for secure authentication of a device.
btw: Cisco is using EAP-TEAP for EAP chaining…
br
Volker
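The two ways of chaining machine and user authentication discussed in Tomasz's and Volker's posts above (cache the MAC of a host that passed EAP-TLS machine auth and only then accept the PEAP user auth from that MAC, or gate the user auth on an end-system/host group of corporate MACs), modelled as an added Python example. This is not Extreme NAC, XMC or EAC code, and it does not reproduce the linked workflow; the MAC addresses, usernames, AD groups, VLAN numbers and the 8-hour cache lifetime are constructed assumptions. It also shows the behaviour Tomasz points out: the host-group variant lets a user log in from any corporate station, while the cached-MAC variant ties the user auth to a host that recently authenticated itself.

```python
"""Toy NAC policy engine chaining machine (EAP-TLS) and user (PEAP) authentication.

Added example, not Extreme NAC/XMC/EAC code. All directory data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# --- Constructed sample directory data (assumptions, not a real deployment) ---
CORP_HOST_MACS: Set[str] = {"00:11:22:33:44:55", "00:11:22:33:44:66"}  # "LDAP Host Group" stand-in
AD_USER_GROUP: Dict[str, str] = {"alice": "finance", "bob": "engineering"}  # AD user -> group
GROUP_VLAN: Dict[str, int] = {"finance": 10, "engineering": 20}  # AD group -> VLAN
MACHINE_ONLY_VLAN = 99  # restricted VLAN for a host that passed only machine auth
MACHINE_AUTH_TTL = 8 * 3600  # seconds a cached machine authentication stays valid (assumption)


@dataclass
class AuthEvent:
    kind: str  # "machine-tls" (EAP-TLS machine cert) or "user-peap" (PEAP with AD credentials)
    mac: str  # end-system MAC as reported by the switch in the RADIUS request
    identity: str  # machine account or AD username
    ts: int  # epoch seconds at which the request arrived
    credential_ok: bool = True  # cert chain / password already validated upstream


@dataclass
class Decision:
    accept: bool
    vlan: Optional[int]
    reason: str


class ChainingNac:
    """mode="cached-machine-auth": user auth is accepted only from a MAC that recently
    passed machine auth (the 'store the authenticated host MAC' idea from the thread).
    mode="host-group": user auth is accepted from any MAC in the corporate end-system
    group (the LDAP host group / MAC list alternative)."""

    def __init__(self, mode: str = "cached-machine-auth", ttl: int = MACHINE_AUTH_TTL):
        if mode not in ("cached-machine-auth", "host-group"):
            raise ValueError(f"unknown policy mode {mode!r}")
        self.mode = mode
        self.ttl = ttl
        self.verified_hosts: Dict[str, int] = {}  # MAC -> timestamp of last good machine auth

    def evaluate(self, ev: AuthEvent) -> Decision:
        if not ev.credential_ok:
            return Decision(False, None, f"{ev.kind} credential rejected")
        if ev.kind == "machine-tls":
            # Host proved it is corporate; remember the MAC but only grant the restricted VLAN,
            # because the NAC still does not know which user is on it.
            self.verified_hosts[ev.mac] = ev.ts
            return Decision(True, MACHINE_ONLY_VLAN, "corporate host, no user known yet")
        if ev.kind == "user-peap":
            group = AD_USER_GROUP.get(ev.identity)
            if group is None:
                return Decision(False, None, "user not in any mapped AD group")
            if self.mode == "cached-machine-auth":
                last = self.verified_hosts.get(ev.mac)
                if last is None or ev.ts - last > self.ttl:
                    return Decision(False, None, "no valid machine auth cached for this MAC")
            elif ev.mac not in CORP_HOST_MACS:
                return Decision(False, None, "MAC not in corporate end-system group")
            # Both the user and the host are vouched for: assign the group's VLAN.
            return Decision(True, GROUP_VLAN[group], f"user in group {group}")
        return Decision(False, None, "unsupported EAP method")


def demo() -> Dict[str, Decision]:
    """Runs one constructed scenario through both policy modes and returns every decision."""
    t0 = 1_700_000_000
    own_pc, other_pc, unknown = "00:11:22:33:44:55", "00:11:22:33:44:66", "de:ad:be:ef:00:01"
    out: Dict[str, Decision] = {}
    for mode in ("cached-machine-auth", "host-group"):
        nac = ChainingNac(mode)
        out[f"{mode}/machine"] = nac.evaluate(AuthEvent("machine-tls", own_pc, "PC01$", t0))
        out[f"{mode}/alice-own"] = nac.evaluate(AuthEvent("user-peap", own_pc, "alice", t0 + 60))
        out[f"{mode}/bob-other-corp"] = nac.evaluate(AuthEvent("user-peap", other_pc, "bob", t0 + 60))
        out[f"{mode}/alice-unknown"] = nac.evaluate(AuthEvent("user-peap", unknown, "alice", t0 + 60))
        out[f"{mode}/alice-stale"] = nac.evaluate(
            AuthEvent("user-peap", own_pc, "alice", t0 + MACHINE_AUTH_TTL + 1))
    return out


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:35} accept={d.accept!s:5} vlan={d.vlan} ({d.reason})")
```

The cache lifetime is the knob that decides how long a laptop stays "verified" after its machine auth; too long and a stale entry keeps vouching for a MAC that may no longer be the same hardware, too short and a user re-authenticating after a long session is bounced to the restricted VLAN.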