NAC Authentication at Domain Controller
08-08-2017 10:48 AM
Hello Community,
we have one NetSight appliance and two NAC Controllers in action. The firmware of all of them is 8.0.2.42.
After MAC authentication was working very well, we activated 802.1X authentication on the first switch. At first, it works fine. But I have a question about the authentication from the NAC Manager/NAC Gateway to the Windows domain controller.
We wanted to restrict the access of the user from the NAC Manager, which asks the domain for the client user. He should only get access if he comes from the NAC Gateway. In this way nobody can block the user account by wrong authentications.
Now we looked at the log files from the domain controller. There we see that the access request for the client is not coming from the NAC Gateway but from the domain controller itself. So we have to give access if the NAC admin comes from the domain controller.
Can anybody verify this behavior? Can anybody explain this?
Regards, Daniel
3 REPLIES
08-09-2017 10:21 AM
I'm still not quite sure what you're seeing. Would you be able to attach a screenshot or log to provide details of what you're seeing?
In an LDAP authentication environment all RADIUS traffic will be contained between the authenticating switch and the NAC appliance. NAC will then use DCERPC calls to the domain controller to perform NTLM authentication, not RADIUS.
Thanks
-Ryan
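Since the thread turns on which host the domain controller records as the origin of the NAC service account's authentications, a defender's first step is to audit that from the DC's own log rather than guess. The following is an added example, not code from the thread or from Extreme Networks: it parses constructed lines modelled on Windows Security event 4776 (NTLM credential validation, which carries a "Logon Account", "Source Workstation" and "Error Code" field), tallies where a given account was validated from, flags sources outside an allow-list, and flags sources whose failed validations reach a threshold, which is the account-lockout concern raised in the question. The account name `svc-nac`, the gateway names `NAC-GW-01`/`NAC-GW-02` and all other hosts and values are assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed sample records modelled on Windows Security event 4776
# (NTLM credential validation on a domain controller). Account, host
# names and error codes are made up for this example.
SAMPLE_EVENTS = """\
EventID=4776 Logon Account=svc-nac Source Workstation=NAC-GW-01 Error Code=0x0
EventID=4776 Logon Account=jdoe Source Workstation=NAC-GW-01 Error Code=0x0
EventID=4776 Logon Account=svc-nac Source Workstation=NAC-GW-02 Error Code=0x0
EventID=4776 Logon Account=svc-nac Source Workstation=DC01 Error Code=0x0
EventID=4776 Logon Account=svc-nac Source Workstation=LAPTOP-77 Error Code=0xC000006A
EventID=4776 Logon Account=svc-nac Source Workstation=LAPTOP-77 Error Code=0xC000006A
EventID=4776 Logon Account=svc-nac Source Workstation=LAPTOP-77 Error Code=0xC000006A
"""

EVENT_RE = re.compile(
    r"EventID=(?P<event_id>\d+)\s+Logon Account=(?P<account>\S+)\s+"
    r"Source Workstation=(?P<source>\S+)\s+Error Code=(?P<code>\S+)"
)

# Hosts from which the NAC service account is expected to authenticate.
# The gateway names are assumed for this example.
ALLOWED_SOURCES = {"NAC-GW-01", "NAC-GW-02"}


def parse_events(text):
    """Parse 4776-style lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m and m.group("event_id") == "4776":
            events.append(m.groupdict())
    return events


def audit_account(events, account, allowed_sources, failure_threshold=3):
    """Summarise where an account's NTLM validations came from.

    Returns per-source success and failure counts, the sources that are
    not on the allow-list, and the sources whose failures reached the
    threshold (the lockout risk the thread is concerned about).
    """
    successes = Counter()
    failures = Counter()
    for ev in events:
        if ev["account"] != account:
            continue
        if ev["code"] == "0x0":          # 0x0 = credentials validated
            successes[ev["source"]] += 1
        else:                            # any other code = validation failed
            failures[ev["source"]] += 1
    seen = set(successes) | set(failures)
    return {
        "successes": dict(successes),
        "failures": dict(failures),
        "unexpected_sources": sorted(seen - allowed_sources),
        "lockout_risk_sources": sorted(
            s for s, n in failures.items() if n >= failure_threshold
        ),
    }


if __name__ == "__main__":
    report = audit_account(parse_events(SAMPLE_EVENTS), "svc-nac", ALLOWED_SOURCES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real export, the "unexpected_sources" list is what tells you which host names the DC actually records for the NAC account (in the poster's case the DC itself), and therefore what any source-based restriction on that account would have to allow; the failure tally shows whether anything other than the gateways is burning through the account's bad-password count.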
08-09-2017 03:49 AM
Hello Ryan,
we have LDAP authentication running.
I expected authentication data from the NAC to the domain controller, but I see the NAC request with the domain controller as the source system.
Regards, Daniel
08-08-2017 11:09 AM
Hello Daniel,
I'm not quite sure what you are asking.
From an authentication perspective there are 2 different ways this could be happening.
Either you have LDAP authentication set up, where RADIUS will be terminated at the NAC, or you have proxy RADIUS, where NAC will relay the RADIUS traffic to the NPS service on the Microsoft server.
The RADIUS request should always flow TO the NPS server and not from it.
Thanks
-Ryan
