Wired 802.1X to allow only domain joined PCs

  • Question

  • Guys, do you have any suggestion on the above matter related to wired Cisco switches and 802.1X? We would like to close one VLAN only to domain-joined PCs that have, e.g., an Enterprise CA certificate issued or similar. Any suggestion on the matter would be appreciated. Has anybody done it using NAP?

    Thank you.

    Monday, August 24, 2015 9:37 AM

Answers

  • Hi david_kr,

    According to your description, you want to allow only domain users to connect to wired 802.1X. We may use NAP Enforcement for 802.1X wired to achieve your goal.

    To deploy NAP with 802.1X, we may perform the general configurations below:

    1. Determine whether you want to use PEAP-MS-CHAP v2 or PEAP-TLS as the authentication method, then enroll the corresponding server certificate to the NPS servers.
    2. Configure 802.1X wired clients using Group Policy.
    3. Configure 802.1X authenticating switches as RADIUS clients in NPS.
    4. Create a user group in Active Directory® Domain Services (AD DS) that contains the users who are allowed to access the network through the switches.
    5. In NPS, configure health policies, connection request policies, and network policies that enforce NAP for 802.1X wired access.

    Here is the detailed checklist about how to configure NAP enforcement for 802.1X wired.

    https://technet.microsoft.com/en-us/library/Cc730926(v=WS.10).aspx

    Best regards,

    Anne he


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Proposed as answer by Burak Uğur Wednesday, August 26, 2015 8:39 AM
    • Marked as answer by Steven_Lee0510 Wednesday, September 9, 2015 5:58 AM
    Tuesday, August 25, 2015 8:27 AM

All replies

  • If you have CiscoSecure ACS or any other RADIUS server that supports MAC-based authentication, you can use both dot1x and MAB on the same port. Clients that fail dot1x are authenticated according to their MAC address.
    Monday, August 24, 2015 9:44 AM
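The switch side of the dot1x-plus-MAB setup described in the reply above, as an added example that is not from the original thread: 802.1X first, MAB as fallback on the same port, with the VLAN assigned by the RADIUS server (NPS) so only hosts that pass EAP-TLS with a domain machine certificate land in the protected VLAN. The IP address, VLAN IDs, port number and shared secret are assumed placeholders, and the commands follow Cisco IOS 15.x syntax (not the newer IBNS 2.0 style), so check them against your platform's release.

```cisco
! Cisco IOS (Catalyst, 15.x command syntax). Added example, not from the original thread.
! Assumed placeholders: 192.0.2.10 = NPS server, VLAN 10 = domain-joined PCs,
! VLAN 999 = guest/quarantine, the RADIUS shared secret, the port number.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server NPS01
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key CHANGE-ME-shared-secret
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description user port: 802.1X first, MAB fallback
 switchport mode access
 ! VLAN before authorization; the real VLAN is pushed by NPS after a successful auth.
 switchport access vlan 999
 spanning-tree portfast
 ! Try 802.1X before MAB; a supplicant always wins over a MAC lookup.
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! One MAC per port, so a second device behind the port cannot share an authorized session.
 authentication host-mode single-host
 ! Failed 802.1X (wrong or missing machine cert) -> try MAB, as the reply describes.
 authentication event fail action next-method
 ! No EAPOL at all and MAB also fails -> guest VLAN only.
 authentication event no-response action authorize vlan 999
 ! Re-authenticate on the interval NPS returns (Session-Timeout), so a revoked
 ! certificate or a removed computer object takes effect without a port bounce.
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
! NPS side (not shown as commands): the network policy that matches domain
! computers (Machine Groups condition) authenticated with EAP-TLS returns
!   Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Pvt-Group-ID = 10
! while the MAB policy (Service-Type = Call Check, MAC address as user name)
! should return a restricted VLAN or downloadable ACL, never VLAN 10: a MAC
! address is not a credential, so MAB-authorized hosts must not get domain-PC access.
```

Verify with `show authentication sessions interface GigabitEthernet1/0/1` that a domain PC shows method dot1x and VLAN 10, and that a MAB-only host never shows VLAN 10.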
  • Hm, that sounds very convenient. Just to check if I understood correctly: if some PC is not 802.1X capable, you could allow it using its MAC. Does this also apply to, e.g., a denied PC where you want to override dot1x?

    I'm somewhat worried about GPO and similar policy processing. Does anybody have this in operation?

    THNX

    Monday, August 24, 2015 10:11 AM
  • I'm guessing a similar, if not the same, procedure is applicable to computer objects? I'm more interested in allowing or restricting domain-joined PCs.

    OK, thank you for the help. I'll give it a try.

    Wednesday, August 26, 2015 7:41 AM