802.1x NAP enforcement for Linux?

  • Question

  • Hello everyone,

    I have successfully configured 802.1x enforcement already, but our network environment is very heterogeneous. We have a lot of various Linux desktop clients (no chance to change this), like Debian, Fedora, Suse, Ubuntu. I want to join these Linux-based computers to 802.1x NAP enforcement. I tried some commercial NAP clients for Linux, but there is no client with support for all our Linux distributions.

    Is there any universal Linux NAP client without health checks? I do not need much, only 802.1x login and an automatic switch to one VLAN without health checks.

    Any solution / link? Thank you.

    Tuesday, October 26, 2010 3:09 PM

Answers

  • Hi Jiri,

    Please understand that I am not quite familiar with how to implement 802.1x based port redirect with Linux clients.

    However, you might take a look at Open1X, an 802.1x open source implementation; perhaps it would help you to achieve the goal:

    Open1X

    http://open1x.sourceforge.net/

    Important Note: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

    Thanks.

    Tiger Li

    Wednesday, October 27, 2010 8:44 AM
  • Hi,

    If you are not interested in health checks, then you do not need the NAP client. All you need is 802.1X authentication.

    NAP does not affect the 802.1X authentication process per se. It only adds additional data to the authorization that occurs after authentication is successful. The additional data added is computer "health" which is sometimes called machine "posture." This information is used to place the computer in a VLAN but only because it changes the Network Policy (the authorization policy) that is matched by the client computer.

    In other words, as long as your Network Policy contains instructions to move the client computer to a certain VLAN, it doesn't matter if the policy has a health requirement as one of its conditions. I hope this makes sense.

    -Greg 

    Friday, October 29, 2010 12:46 AM

All replies

  • Hi,

    Thank you for your posts. I am glad that a solution is possible somehow. OK, we can install an 802.1x authentication client on the Linux desktop, but this is not the final solution if I want to use an authentication server on Windows Server with NAP (the same server as the NAP server for Windows desktops). There must be some way to make the Linux desktop send a good "health check" command to the server. Without this "health check" command, all Linux desktops will be put into the "noncompliant" VLAN.

    But I have got some trouble with our network switch now. I must solve this, then I will take a look at the solution you have posted. Thank you for your posts, I will answer after a few days.

    Thanks, JS

    PS: I am sorry for my poor language skills; I am from the Czech Republic.

    Monday, November 1, 2010 8:22 AM
  • I am not able to find how to get the correct CA certificate. Which one should I choose? If I use the http://servername/certsrv link, it does not work on my Server 2008 R2. If I look into the Windows clients, there are 5 root certificates from my server.
    Monday, November 15, 2010 9:53 AM
  • Hi,

    The certificate on NPS must have the server authentication EKU, which stands for Enhanced Key Usage. This is the *purpose* of the certificate. View the properties of the certificate to check this.

    Assuming the certificate has this EKU, you must next view the Root CA that issued the certificate to NPS. This will be in the Certificate Path.

    The client must trust the Root CA (the first CA) in the certificate path. If you have multiple certificates from your Root CA displayed in the client's Trusted Root Certificate Authorities store, that is fine. Some of these could be expired. Make sure that you are viewing the Computer certificate store and not the User certificate store.

    -Greg

    Monday, November 15, 2010 10:38 AM
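Greg's two answers above describe what a Linux box needs for plain 802.1X without NAP posture, and how to judge the NPS certificate and its Root CA (Server Authentication EKU, the first CA in the certificate path, expiry, Computer store rather than User store). The shell script below is an added example, not code from this thread, from Microsoft or from Open1X. It builds a throwaway lab PKI with openssl, applies those three checks to a good and a wrong "NPS" certificate, and then prints the wpa_supplicant network block a wired Linux client would use, pinned to the validated Root CA. The host names, identities, file paths and the PEAP/MSCHAPv2 choice are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a constructed lab PKI, runs the
# certificate checks Greg describes, and emits a wpa_supplicant stanza.
# All names, paths and identities below are made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Lab Root CA, an unrelated Root CA the client must NOT trust, and one CSR
# that is signed twice: once with serverAuth (good), once with clientAuth only.
make_lab_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/rootca.key" -out "$WORK/rootca.pem" \
        -subj "/CN=Lab Root CA" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/other.key" -out "$WORK/other-root.pem" \
        -subj "/CN=Unrelated Root CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/nps.key" -out "$WORK/nps.csr" \
        -subj "/CN=nps.lab.example" >/dev/null 2>&1

    printf 'extendedKeyUsage=serverAuth\n' > "$WORK/ext-server.cnf"
    printf 'extendedKeyUsage=clientAuth\n' > "$WORK/ext-client.cnf"
    issue_leaf "$WORK/ext-server.cnf" "$WORK/nps-good.pem"
    issue_leaf "$WORK/ext-client.cnf" "$WORK/nps-wrong-eku.pem"
}

issue_leaf() {  # $1 = extension file, $2 = output certificate
    openssl x509 -req -in "$WORK/nps.csr" -CA "$WORK/rootca.pem" \
        -CAkey "$WORK/rootca.key" -CAcreateserial -days 1 \
        -extfile "$1" -out "$2" >/dev/null 2>&1
}

# Check 1: the certificate's purpose (EKU) must include Server Authentication.
has_server_auth_eku() {  # $1 = certificate; exit 0 if the EKU is present
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}

# Check 2: the certificate must chain to the Root CA the client trusts.
chains_to_root() {  # $1 = certificate, $2 = trusted Root CA file
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 3: an expired certificate in the path breaks the chain.
not_expired() {  # $1 = certificate; exit 0 if still valid right now
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# The wpa_supplicant stanza for a wired 802.1X port: plain PEAP/MSCHAPv2,
# no NAP health checks, trusting only the validated Root CA.
supplicant_stanza() {  # $1 = trusted Root CA file, $2 = expected NPS cert CN
    cat <<EOF
# wpa_supplicant.conf for a wired 802.1X port (constructed example)
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    identity="jsmith@lab.example"
    password="replace-with-real-password"
    ca_cert="$1"
    subject_match="CN=$2"
    phase2="auth=MSCHAPV2"
}
EOF
}

# Stand-alone run: build the lab PKI, report on both candidate certificates,
# then print the supplicant configuration.
make_lab_pki
for cert in "$WORK/nps-good.pem" "$WORK/nps-wrong-eku.pem"; do
    printf '%s:\n' "$(basename "$cert")"
    has_server_auth_eku "$cert" && echo "  serverAuth EKU: yes" || echo "  serverAuth EKU: NO"
    chains_to_root "$cert" "$WORK/rootca.pem" && echo "  chains to Lab Root CA: yes" || echo "  chains to Lab Root CA: NO"
    not_expired "$cert" && echo "  not expired: yes" || echo "  not expired: NO"
done
supplicant_stanza "$WORK/rootca.pem" nps.lab.example
```

On a real client, replace the lab Root CA with the root exported from the Windows CA (the first CA in the NPS certificate's path, taken from the Computer store, as Greg says) and point `ca_cert` at that file. Leaving `ca_cert` out makes wpa_supplicant accept any server certificate, which is the setting to avoid; `subject_match` additionally ties the accepted certificate to the expected NPS name.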