802.1x certificate based authentication with Cisco Switches

  • Question

  • Hi

    I am looking to implement 802.1x using NPS and Cisco switches and looking for some help. We have a CA set up and all computers are getting certificates automatically. We want to use computer authentication via certificate so machines can be connected to the network before users log in.

    Can do with user authentication but not sure if that will cause issues with user logins, as authentication will happen after the user has logged in.

    Would appreciate if someone can point to some tutorial or instruction on NPS side and Cisco switch side.

    Thanks in advance

    Monday, June 20, 2016 8:35 AM

Answers

  • Hi,

    It sounds like you're talking about wired 802.1x. Is this correct? It doesn't strictly matter as you can perform both user and computer (i.e. device) authentication over wired or wireless but I'm just curious as to the exact scenario.

    Also, are you specifically looking to use port-level security or are you just looking to use 802.1x to differentiate between full network access versus restricted? If it's the latter, then you don't need to invest as much effort into setting up the Cisco switches as RADIUS clients.

    Anyhow, moving along.

    If you are indeed interested in port-level security then you should have a read of this Cisco IOS guide to wired 802.1x. Just remember that from an NPS RADIUS perspective, each switch is just another RADIUS client entry (in the NPS console, if you're not familiar with it).

    With respect to the user versus computer authentication scenarios, you might want to cater to both. Computer (or device) authentication provides for the most streamlined user scenario as the client authenticates as part of the boot process and processes things like computer and user group policy as per normal as well as the user logon process. You can certainly still use user pre-authentication in an 802.1x wireless scenario but I've not ever seriously considered user authentication for wired 802.1x.

    Getting back to the "cater to both" part, you might want to allow 802.1x user authentication so that mobile devices (at least those that can handle storing certificates and can make use of 802.1x authentication) can connect, which typically involves selecting the "Wireless - IEEE 802.11" NAS Port Type in the appropriate network policy rule. If you then have a second network policy rule (as you should) for wired, you would configure this to only allow device authentication using EAP-TLS, which is listed as "Microsoft: Smartcard or other certificate" in the "Authentication Methods" (under Constraints).

    In short, there are a number of ways you can implement 802.1x. You need to perhaps review them and decide which best matches your business requirements (hopefully you're not just doing this for the fun of it) and once you do, look at what that specific implementation involves.

    Cheers,
    Lain

    Tuesday, June 21, 2016 8:57 AM

All replies

  • Hi,

    >>Would appreciate if someone can point to some tutorial or instruction on NPS side and Cisco switch side.

    Here is the link for your reference:

    Deploy Client Computer Certificates

    https://technet.microsoft.com/en-us/library/cc731242(v=ws.10).aspx

    Certificates and NPS

    https://technet.microsoft.com/en-us/library/cc772401(v=ws.10).aspx

    Configure RRAS with a Computer Authentication Certificate

    https://technet.microsoft.com/en-us/library/dd458982%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396

    And for the Cisco side, you might contact Cisco for more support.

    ________________________________________
    Best Regards,
    Cartman
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, June 21, 2016 7:58 AM