802.1x and Single Sign-on

John_Kaftan
New Contributor III
We have a number of laptops that are mobile labs (Tanks) and in the library for students to check out.
We push the 802.1x settings via AD and it works very well. The problem we have run into is that when we have login set to 'user or computer' and check single sign-on, it comes up and logs into the network using the computer name just fine. But then when the user logs in it immediately authenticates 802.1x as the user and then proceeds to churn until ultimately failing with "No logon servers found".
The strangest thing about this is that packet captures reveal that while the machine is churning it is sending out ARPs for its gateway. The gateway replies but the client ignores it. It does this 30-40 times before giving up.
If the user has logged onto the machine before, they will get on with cached credentials and they will be fine, other than being grumpy over how long it takes to get on. If they have never logged on before, they will get the dreaded "No logon servers found".
Doing an 'ARP -a' at the command line reveals the gateway address is listed and the machine is able to browse just fine.
I don't think this is a wireless/policy issue, as I set up the client to get our IT_Admins profile no matter what, and also after the client finally stops asking for the gateway's MAC address everything is fine.
Our workaround is to just set it to Computer authentication only. This is a bummer because we lose visibility as well as the ability to apply user-based profiles.


Charles_Yang
New Contributor
John,

Sorry for the much delayed reply.

To clarify, what I meant by using an internal CA is to deal with internal users only. In order for PEAP to work, a server-side public key cert is needed to create an encrypted TLS tunnel. That is it.

If you are using Microsoft OS as the major portion of your servers and clients, Microsoft's implementation of PEAP-EAP-TLS is utilized, which requires client-side certs.

As you have mentioned in the original post, the behavior of "spinning" is because the user certs are not there. If you have a Windows PC, there are two kinds of certificates being issued: there are computer certs and user certs. If a CA exists on an MS domain, computer certs are automatically issued. The user certs will be issued if you modify the MS group policy. If the CA does not exist, then the Windows OS will generate a self-signed cert whenever it needs one. For example, a stand-alone PC will have a self-signed cert generated by the OS when EFS is enabled.

Since you said some of your user traffic comes from non-institutional devices, in this case, in a wired environment, I would only implement a MAC PAP based NAC rule to parse the non-institutional devices with a restrictive policy role and skip the hassle of issuing some kind of certs to make PEAP occur, because PEAP encrypts the authentication tunnel only.

-cy

John_Kaftan
New Contributor III
We are forcing the server to validate, and the server has to have an externally signed cert because we have computers on our network that are not part of the domain and we do not want to deal with getting our root cert on non-institution computers. So yes, we are using the cert for the server (NAC) to validate itself. I thought you meant using client-based certificates to authenticate. We are not doing that.

I figured the cert from the server was just used as a validation mechanism so we can trust the server before we give up our credentials. I can uncheck that in the MS supplicant and everything works fine so I'm not seeing that a certificate is required. Are you saying the cert is required in order for encryption to work?

Thanks

John

Charles_Yang
New Contributor
PEAP authentication by default requires you to utilize a certificate authority (CA). The error message you are getting is that the EAP packet return is asking "where is the (certificate) server?"
If a CA is utilized, the conversation gets a bit complicated whether it is an "internal" or an "external" CA you are using; thus, you will have some decisions to make to set up the CA infrastructure (internal certs infrastructure 99% of the time). When utilizing PEAP authentication for wired or wireless connections, a certificate is required.

However, if you are not using a certificate, there are two ways to deal with the situation.
1) Use the PEAP setting but uncheck the "certificate server validation" checkbox. (You might be able to fool the Microsoft OS that way.)

2) Or use EAP-MD5 CHAP authentication. This method requires no certs for deployment, but the downside is that whenever users log in, they will have to deal with the Windows balloon pop-up twice and log in (lower right corner NIC icon). Not sure if it will work for Win7; we tested back in the day on XP.

Using an MS-NAP server is up to you. We utilized MS-NAP for NAC redundancy in case of complete failure of the NAC infrastructure. (This is for another story.)

Using an externally signed certificate might be a good bet; personally we have not gone down that route. Internal CA or not, there are arguments for both in terms of cost vs. management vs. organizational approach. There are pros and cons for both scenarios.

Hope it helps.
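
An added example, not from the thread or from either poster: a small Python audit of an exported Windows wired 802.1X profile that contrasts option 1 above (the "validate server certificate" box unchecked) with a profile that validates the server, pins a trusted root and restricts the accepted server names. The XML is constructed to mirror the layout that `netsh lan export profile` produces, trimmed to the elements the check reads; the RADIUS host name and CA thumbprint are placeholders. The audit also reports authMode, single sign-on type and userBasedVirtualLan, the settings to inspect when machine and user authentication land on different VLANs, without claiming that is the cause of the symptom in the original post.

```python
"""Audit an exported Windows wired 802.1X profile for weak PEAP settings.
Added example, not from the original thread; the XML is shaped like `netsh lan
export profile` output but trimmed to what the audit reads, with placeholder names."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed template; {validate}, {names} and {roots} are filled in below.
PROFILE_TEMPLATE = """<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
 <MSM><security><OneXEnabled>true</OneXEnabled>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
   <authMode>machineOrUser</authMode>
   <singleSignOn><type>preLogon</type><maxDelay>10</maxDelay>
    <userBasedVirtualLan>false</userBasedVirtualLan></singleSignOn>
   <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
     <Type>25</Type>
     <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
      <ServerValidation>
       <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
       <ServerNames>{names}</ServerNames>{roots}
      </ServerValidation>
      <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type></Eap>
      <PeapExtensions><PerformServerValidation
        xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{validate}</PerformServerValidation>
      </PeapExtensions>
     </EapType>
    </Eap>
   </Config></EapHostConfig></EAPConfig>
  </OneX>
 </security></MSM>
</LANProfile>
"""

# Option 1 above ("validate server certificate" unchecked) beside a hardened profile.
WEAK_PROFILE = PROFILE_TEMPLATE.format(validate="false", names="", roots="")
HARDENED_PROFILE = PROFILE_TEMPLATE.format(
    validate="true", names="radius.example.edu",  # placeholder NAC/RADIUS host name
    roots="<TrustedRootCA>01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67</TrustedRootCA>")  # placeholder thumbprint

def _local(tag):
    return tag.rsplit("}", 1)[-1]

def _first(el, name):
    """First descendant with this local name, ignoring the profile's many namespaces."""
    if el is None:
        return None
    return next((c for c in el.iter() if c is not el and _local(c.tag) == name), None)

def _text(el, name, default=""):
    hit = _first(el, name)
    return (hit.text or "").strip() if hit is not None else default

@dataclass
class Audit:
    auth_mode: str
    sso_type: str
    user_based_vlan: bool
    outer_eap: str
    inner_eap: str
    server_validation: bool
    trusted_roots: int
    server_names: str
    findings: list = field(default_factory=list)

def audit_profile(xml_text):
    root = ET.fromstring(xml_text)
    sso = _first(root, "singleSignOn")
    outer = _first(_first(root, "Config"), "Eap")    # outer method: 25 = PEAP
    inner = _first(_first(outer, "EapType"), "Eap")  # tunnelled method: 26 = MSCHAPv2
    sv = _first(outer, "ServerValidation")
    a = Audit(
        auth_mode=_text(root, "authMode", "user"),
        sso_type=_text(sso, "type", "none"),
        user_based_vlan=_text(sso, "userBasedVirtualLan") == "true",
        outer_eap=_text(outer, "Type"),
        inner_eap=_text(inner, "Type"),
        # A missing PerformServerValidation element is treated as unproven, i.e. off.
        server_validation=_text(outer, "PerformServerValidation", "false") == "true",
        trusted_roots=sum(1 for c in (sv if sv is not None else []) if _local(c.tag) == "TrustedRootCA"),
        server_names=_text(sv, "ServerNames"),
    )
    if a.outer_eap == "25" and not a.server_validation:
        a.findings.append("PerformServerValidation=false: the PEAP tunnel is built to any RADIUS "
                          "server, so a rogue authenticator can capture the MSCHAPv2 exchange")
    elif a.outer_eap == "25":
        if a.trusted_roots == 0:
            a.findings.append("no TrustedRootCA pinned: any CA in the machine store may issue the server cert")
        if not a.server_names:
            a.findings.append("ServerNames empty: only the issuing CA is checked, not the server's identity")
        if _text(sv, "DisableUserPromptForServerValidation") != "true":
            a.findings.append("users can be prompted to accept an unknown server or CA")
    return a

if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        a = audit_profile(xml_text)
        print(label, a.auth_mode, a.sso_type, f"EAP {a.outer_eap}/{a.inner_eap}", a.findings or "OK")
```

With PEAP-MSCHAPv2 the server certificate check is the only thing that stops a rogue switch or access point with its own RADIUS server from collecting the inner challenge/response, which can then be attacked offline; that is why the first finding is reported whenever PerformServerValidation is false. On a real machine, run `netsh lan export profile folder=.` (or `netsh wlan export profile` for wireless) and feed the resulting XML to `audit_profile` instead of the constructed samples.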

John_Kaftan
New Contributor III
I am not using certs to authenticate. I am just using usernames and passwords. As for the server, yes, I am requiring that it validates itself. I am using an externally signed cert and have the trusted roots checked in the supplicant. I do not have a NAP server set up. What would I do with that?

John