802.1x Authentication & VLAN's

Bill_Bixby
New Contributor
We've rolled out 802.1x auth to our wired clients and set up Windows NPS policies to determine which VLAN the connected port is placed into, using attribute 203 and the string name of the VLAN.

This works very well so far, but I just stumbled over a special case that is making life difficult.

Normally the ports end up in TRUST or VOICE (or a combination for pass-thru) for authenticated users/devices, or they end up in GUEST if they are unable to authenticate.

My problem is that I need a SPECIAL VLAN for certain machines. The problem relates not to the machine, but to the user. The machine matches an NPS policy that puts the port into the SPECIAL VLAN. But as soon as the user authenticates the NPS puts the port into the TRUST VLAN 😞

Ideally I'd like to see computer AND user authentication, but I understand MS NPS can't do that, as the authentication process from the switch only sends one type of authentication: computer OR user.

I then wondered if there was a way NPS could return a "Don't change the VLAN" message in the RADIUS attribute. That way the computer could authenticate and be placed into the SPECIAL VLAN, and when the user authenticates the message is simply "authenticated".

What actually happens if I don't return the 203 attribute is that the port returns to the AuthVLAN.

Has anyone got any ideas on either a computer AND user or a no change scenario?

2 REPLIES

Christoph
Contributor
If your special machines are Windows devices you can set the NIC to machine authentication only. If a user logs in, the device does not use the user credentials for 802.1x.

Brian_Anderson3
New Contributor
Do you have an NPS policy set up for your computers? If not, then you can do the same type of setup for the computer policy as for the user policy, just with Domain Computers set up as the group in the computer policy in NPS.