NAP 802.1x EAP with Certificate - Deployment with Procurve Dynamic ACL / per User ACL

  • Question

  • Hello,

    I try to accomplish the following:

    Notebook is in a restricted state from the start and only has access to DHCP/PXE Server and our Deployment Solution
    After startup it authenticates with its computer certificate to the NPS server
    If valid it gets full access (or whatever the NAP Client says)
    If not valid or not existing it stays restricted

    What I have tested so far:

    NAP 802.1x EAP with Certificate is up and running.

    But:

    No certificate, no access at all.
    Although I configured an extended control list on the ProCurve and added the filter-id to not compliant.
    Another try was to set the restricted access control list as a static ACL on the interface and then switch to the allowed ACL when authorized.
    But the switch just doesn't get the command to apply the "allowed ACL" to the port. Is there something I'm missing?

    I only find tutorials and tips for Cisco routers/switches. So can anyone help me to apply the filter-id or, even better, a per-user ACL (so that the NPS sends the ACL to the switch; less configuration for me)?

    Greets
    Stephan

    Tuesday, 29 November 2011 14:31

Answers

  • Hi Stephan,

    The switch requests 802.1X authentication from the client and will not accept a client that uses a "no authentication" setting. This setting is for a port that does not have 802.1X enabled, or for a client connecting through a hub.

    It's important to understand that the switch is what requests authentication, not NPS. The switch forwards the response that it gets to NPS where it is evaluated. If the switch requests authentication and gets no response, it will drop the connection without even sending anything to NPS. If the switch requests credentials and incorrect username/password is provided, this will be forwarded to NPS where RADIUS will deny the connection.

    -Greg


    Monday, 05 December 2011 05:11
    Owner

All replies

  • Hi Stephan,

    To use NAP with 802.1X enforcement, the computer must be able to complete 802.1X authentication. If you have configured the client computer for certificate authentication (PEAP-TLS) but there is no certificate, it will fail authentication. In this situation, the computer has essentially provided no credentials to the switch, so the switch has nothing to send to NPS.

    If the switch has a guest VLAN configured, the port should fail over to this VLAN. This is not something controlled by NPS, so the filter-id attribute will have no effect.

    Please let me know if I am not interpreting your scenario correctly.

    Thanks,

    -Greg

    Wednesday, 30 November 2011 20:58
    Owner
  • Hello Greg,

    thanks for your answer. Sure, if there is no certificate available (e.g. when the client boots) it is "not authorized".

    But if that is what happens I want NPS to send an ACL that restricts the access to the network, only allowing DHCP, PXE and DNS for example. I don't want to use a guest VLAN, and it is also described in the book "Windows Server 2008 Networking and NAP" that an ACL is a better way to deal with this, because the clients in a guest VLAN can communicate with each other (and maybe spread viruses ;) ); also our software deployment software would need a reconfiguration, as would the IP phones.
    But another thing is, we have a managed VLAN between our offices which does not route VLANs.

    I got help from a ProCurve specialist yesterday who helped me with some documents about NPS applying RADIUS ACLs. So I will switch from the static ACLs to dynamic ACLs and see if that is working.

    But how can I specify in NPS that if a certificate is available and valid it gets this ACL, and if not, apply the other one?

    I will set up an English W2k8R2 today so that I know the right English expressions (OS is German atm).

    Greets
    Stephan

    Thursday, 01 December 2011 06:25
  • Hi Stephan,

    It isn't possible to create a rule on NPS that is specific to whether or not a client has a certificate. The closest thing is to configure PEAP-TLS in connection request policy.

    To use NAP with 802.1X, you must use either PEAP-TLS or PEAP-MSCHAPv2. It might be possible to configure an ACL in connection request policy and have a different ACL for clients that use PEAP-TLS vs. those that use PEAP-MSCHAPv2, but it isn't possible to configure an ACL for clients that fail authentication.

    -Greg

    Thursday, 01 December 2011 22:26
    Owner
  • Hi Greg,

    at the moment it is configured with PEAP-TLS.

    I thought that when I have an NPS policy at "1" with the certificate authentication (with permit any any)
    and an NPS policy with no authentication whatsoever (at place "2") and apply the ACL there for restricted access,

    it will first check 1 .. fails .. gets the second one and gets restricted.
    And after the boot of Windows it will get access to its certificate and authenticate again and get access (corporate client) or fail (other client).

    Isn't that possible? But I'm still having problems applying the RADIUS ACLs, so I'm still far away from this ;)

    Maybe some ProCurve specialists are here. This is the problem I'm encountering:

    I've set up the VSA in NPS as described in the "2910al Access & Security Guide".

    Entry:

    Vendor specific:

    code: 11 vsa: 61

    string:

    HP-Nas-filter-Rule="permit in ip from any to 172.20.XX.XX/22"

    Errors in the log of the router:

    I 01/03/90 20:31:16 00699 idm: ACE parsing error, permit/deny keyword, aceIndex 1, client 2C4138074XXX, port 4
    I 01/03/90 20:30:00 00699 idm: ACE parsing error, permit/deny keyword, aceIndex 1, client 2C4138074XXX, port 4
    I 01/03/90 20:28:43 00699 idm: ACE parsing error, permit/deny keyword, aceIndex 1, client 2C4138074XXX, port 4

    Greets
    Stephan

    • Edited by Stephan G Friday, 02 December 2011 10:42
    Friday, 02 December 2011 10:33
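The two things a practitioner would want to automate at this point are a sanity check of the rule strings before they are pasted into the NPS vendor-specific attribute, and a quick tally of the switch's "idm: ACE parsing error" lines per client. The script below is an added example written for this thread; it is not code from the thread, from NPS or from HP. Its accepted rule grammar (`<permit|deny> in <ip|tcp|udp|icmp> from any to <any|addr/prefix> [port]`) is an assumption generalised from the single rule quoted above, so check it against the Access Security Guide for your switch model. One thing it flags, as a possibility rather than a diagnosis of this particular case, is an attribute name pasted into the attribute value, since a switch that expects a permit/deny keyword first would then report exactly that keyword as the parsing failure.

```python
"""Lint HP ProCurve per-user ACL rule strings before they go into an NPS VSA,
and summarise the switch's "idm: ACE parsing error" log lines per client.

Added example: not code from the thread, from NPS or from HP. The accepted
rule grammar is an assumption generalised from the one rule quoted in the
thread; verify it against the Access Security Guide for your switch model.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Assumed ACE grammar (lowercase keywords):
#   <permit|deny> in <ip|tcp|udp|icmp> from any to <any|addr/prefix> [port]
ACE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+in\s+(?P<proto>ip|tcp|udp|icmp)\s+"
    r"from\s+any\s+to\s+(?P<dst>any|\S+)(?:\s+(?P<port>\d{1,5}))?$"
)

# Shape of the switch log lines quoted in the thread.
LOG_RE = re.compile(
    r"^I\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<event>\d+)\s+idm:\s+ACE parsing error,\s+"
    r"(?P<reason>[^,]+),\s+aceIndex\s+(?P<index>\d+),\s+client\s+(?P<client>\S+),"
    r"\s+port\s+(?P<port>\d+)\s*$"
)


def lint_ace(rule: str) -> List[str]:
    """Return the problems found in one rule string; an empty list means it parses."""
    problems: List[str] = []
    text = rule.strip().strip('"')
    if not text:
        return ["empty rule"]
    first = text.split()[0]
    if first not in ("permit", "deny"):
        problems.append(f"rule must start with permit/deny, got {first!r}")
        if "=" in first:
            # The VSA value should carry only the rule text; an attribute name
            # pasted into the value is the first thing the switch tries to parse.
            problems.append("looks like 'attribute=' was pasted into the value; "
                            "put only the rule text in the VSA string")
        return problems
    m = ACE_RE.match(text)
    if not m:
        return ["does not match '<permit|deny> in <proto> from any to <dst>[/prefix] [port]'"]
    dst = m.group("dst")
    if dst != "any":
        try:
            ipaddress.ip_network(dst, strict=False)
        except ValueError:
            problems.append(f"destination {dst!r} is not a valid address/prefix")
    port = m.group("port")
    if port is not None:
        if m.group("proto") not in ("tcp", "udp"):
            problems.append("a port only makes sense with tcp or udp")
        if not 1 <= int(port) <= 65535:
            problems.append(f"port {port} is out of range")
    return problems


def parse_ace_errors(log_text: str) -> List[Dict[str, str]]:
    """Pull the fields out of every 'ACE parsing error' line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def errors_per_client(log_text: str) -> Counter:
    """Count parsing errors per client MAC, a quick way to spot a broken rule set."""
    return Counter(e["client"] for e in parse_ace_errors(log_text))


# Constructed sample: the three log lines from the thread (MAC redacted there).
SAMPLE_LOG = """\
I 01/03/90 20:31:16 00699 idm: ACE parsing error, permit/deny keyword, aceIndex 1, client 2C4138074XXX, port 4
I 01/03/90 20:30:00 00699 idm: ACE parsing error, permit/deny keyword, aceIndex 1, client 2C4138074XXX, port 4
I 01/03/90 20:28:43 00699 idm: ACE parsing error, permit/deny keyword, aceIndex 1, client 2C4138074XXX, port 4
"""

if __name__ == "__main__":
    # Constructed rule strings; the first mirrors the shape of the thread's VSA entry.
    for rule in (
        'HP-Nas-filter-Rule="permit in ip from any to 172.20.0.0/22"',
        "permit in ip from any to 172.20.0.0/22",
        "permit in udp from any to any 67",
        "permit in ip from any to 172.20.XX.XX/22",
    ):
        print(f"{rule!r}: {lint_ace(rule) or 'ok'}")
    for client, n in errors_per_client(SAMPLE_LOG).items():
        print(f"{client}: {n} ACE parsing errors")
```

Run it against the rule strings you intend to put into the NPS attribute and against a copy of the switch log; a client whose error count keeps climbing at the same aceIndex is a sign that the rule set itself, not the client, needs fixing.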
  • Hi Greg,

    maybe I need another tool like IDM to accomplish this.

    But at the moment I need NPS to work with RADIUS ACLs, because this should work.

    Thanks for your help. If I get it working I will post it here.

    Regards

    Stephan

    Tuesday, 06 December 2011 12:02
  • Hi Stephan,

    Did you solve it?

    Because I have the same issue!

    Greets

    angel

    Wednesday, 06 November 2019 15:25