#1 Chitownjedi (Chasing down my dreams. | Join Date: May 2012 | Location: Censored Ave | Posts: 557)

802.1x For Windows Login Authentication

    Hello,

So, it's been a while since I've looked into my CCNA notes, but my boss asked me about what I believe to be 802.1x...

We currently have no Wi-Fi set up at our headquarters (I know, I know)

They have been doing surveys and everything and we had a meeting and they were mentioning ways to make it easier for the users to connect to the wireless network we will have, and I suggested 802.1x and WPA2-Enterprise....

It has been a while since I've looked over my wireless networking material, I've been focusing on M$ for the last 6 months, but I am planning on doing research and giving him the blueprint on how to do it (good chance to have this be a project under my belt)

Just making sure that 802.1x is what I am referring to... when a user logs in to the domain, that same user name and password is authenticated through the RADIUS server that has the ability to query AD/LDAP for credentials, correct?

#2 Zartanasaurus (He Hate Me | Join Date: Sep 2009 | Posts: 1,978 | Certifications: CCIE:R&S)
    Yes.

    You can push all of the 802.1x settings out through a GPO and have it be completely transparent to the users also. If they log in with an AD account, they are on the wireless.

#3 RouteMyPacket (Senior Member | Join Date: Aug 2012 | Location: Dallas | Posts: 1,077 | Certifications: CCWKIA (Cisco Certified Wannabe Know It All))
    Zart pretty much covered it for you. GPO for sure to handle seamless client authentication to the WLAN.

    I finished a wireless project recently and while I am not a "Wireless" Engineer, it wasn't so bad but definitely lots of little details I would never have known had I not gone through it.

    Throw ISE on top of it and it gets even more crazy.

#4 Senior Member (Join Date: Aug 2009 | Posts: 250 | Certifications: CCNP R/S, CCNA Wireless, BCNP, BCNE, SCP, A+, N+)
The way it was described in the CCNA:W made it sound soooo much easier than it actually was, at least for me. I just set up WPA2-Ent w/ EAP-TLS. I'm not a Linux guy, at all. Setting up FreeRADIUS, the CA, generating the signed certs using openssl and converting them to use for Windows machines took me quite a while. I'm sure I could do it now in under 2 hours, but holy hell was that painful to go through the first time. Every guide or walkthrough I read was missing critical information, every time I had an error the error message was useless, got countless syntax errors with certain commands. I'm happy I've learned it and it was an interesting challenge, but I never would have done it originally if I knew the pain. I miss the days when I worked with other engineers regularly and could get assistance from the Linux guru or Windows guy.

#5 Senior Member (Join Date: Mar 2013 | Posts: 319)
A more common deployment scenario in a large enterprise is to NOT use certs... because, as you found out, it's a pain. If sites manage their own CA servers, it isn't bad and is more secure. If not, or if you just want reduced complexity:

EAP-TLS machine authentication is a quicker method to deploy. The reasoning for using this as an acceptable method of Network Admission Control is that if your PC is a member of the domain, then it is allowed to be connected to the network. If a user isn't a legitimate domain user, they can't log onto the computer. Works well enough for most IA types.

#6 d4nz1g (Padawan | Join Date: May 2013 | Location: Brazil | Posts: 424 | Certifications: CCNP, BCNE, CCNA, CCNA Sec, MCSA2k8, IPv6 Silver)
802.1x (especially with Cisco devices) is so easy to set up. The part that fcked me up was the cert issues.
I don't manage Windows over here (I'm on the network team) so the cert infrastructure is so damn messy... so I told them to configure the clients to skip cert validation.

Here are my 2 cents about the framework. (Don't know if it's 100% correct, but I believe it's something like that.)

[attached image: dot1xx.png]
    2017 - CCIE RS
    Labbing, labbing, labbing.
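Post #6 mentions telling clients to skip certificate validation, and posts #4 and #5 discuss the cert side of EAP-TLS. The Python below is an added example, not code from this thread: it audits an exported Windows WLAN profile (the XML that `netsh wlan export profile` writes) for exactly that weakness, with a weak profile beside a hardened one. The profile XML is constructed from the Windows WLAN/EAP-TLS profile schema as I recall it, and the root CA thumbprint and RADIUS server name are placeholders.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]

def audit_profile(xml_text):
    """List the weaknesses in a WLAN profile's EAP-TLS server-validation settings.
    An empty list means the client pins the RADIUS server's root CA and name."""
    found = {}
    for el in ET.fromstring(xml_text).iter():
        name = local(el.tag)
        if name in ("useOneX", "PerformServerValidation", "TrustedRootCA", "ServerNames"):
            found.setdefault(name, []).append((el.text or "").strip())
    findings = []
    if found.get("useOneX", [""])[0].lower() != "true":
        findings.append("802.1X (useOneX) is not enabled")
    if found.get("PerformServerValidation", ["false"])[0].lower() != "true":
        findings.append("server certificate validation is disabled")
    if not any(found.get("TrustedRootCA", [])):
        findings.append("no trusted root CA is pinned")
    if not any(found.get("ServerNames", [])):
        findings.append("no RADIUS server name is pinned")
    return findings

def make_profile(perform_validation, root_ca="", server_names=""):
    """Constructed WLAN profile text (trimmed; a real export carries more elements)."""
    return f"""<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
<name>CorpWiFi</name><MSM><security><authEncryption><authentication>WPA2</authentication>
<encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
<OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>13</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
<ServerValidation><DisableUserPromptsForServerValidation>true</DisableUserPromptsForServerValidation>
<ServerNames>{server_names}</ServerNames><TrustedRootCA>{root_ca}</TrustedRootCA></ServerValidation>
<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">{str(perform_validation).lower()}</PerformServerValidation>
</EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM></WLANProfile>"""

# "Skip cert validation" as in post #6: the client accepts whatever certificate the
# RADIUS server presents, so it cannot tell the real server from a rogue one.
WEAK_PROFILE = make_profile(perform_validation=False)
# Hardened: validation on, root CA thumbprint and server name pinned (placeholder values).
HARDENED_PROFILE = make_profile(perform_validation=True, server_names="radius.corp.example",
                                root_ca="00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33")

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_profile(profile) or ["OK"])
```

The same check works on a real export because it matches element names regardless of namespace; pushing the hardened settings through the GPO mentioned in post #2 is how you keep clients from drifting back to the weak form.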