802.1x For Windows Login Authentication

Chitownjedi (Chasing down my dreams.) Member, Posts: 578
Hello,

So, it's been a while since I've looked into my CCNA notes, but my boss asked me about what I believe to be 802.1x...

We currently have no Wi-Fi set up at our headquarters (I know, I know)

They have been doing surveys and everything, and we had a meeting where they were mentioning ways to make it easier for the users to connect to the wireless network we will have, and I suggested 802.1x and WPA2-Enterprise....

It has been a while since I've looked over my wireless networking material; I've been focusing on M$ for the last 6 months, but I am planning on doing research and giving him the blueprint on how to do it (good chance to have this be a project under my belt).

Just making sure that 802.1x is what I am referring to... when a user logs in to the domain, that same username and password is authenticated through the RADIUS server, which has the ability to query AD/LDAP for credentials, correct?

Comments

  • Zartanasaurus Member, Posts: 2,008
    Yes.

    You can push all of the 802.1x settings out through a GPO and have it be completely transparent to the users also. If they log in with an AD account, they are on the wireless.
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMware vSphere 5 42.8%
  • RouteMyPacket Member, Posts: 1,104
    Zart pretty much covered it for you. GPO for sure to handle seamless client authentication to the WLAN.

    I finished a wireless project recently and while I am not a "Wireless" Engineer, it wasn't so bad but definitely lots of little details I would never have known had I not gone through it.

    Throw ISE on top of it and it gets even more crazy.
    Modularity and Design Simplicity:

    Think of the 2:00 a.m. test—if you were awakened in the
    middle of the night because of a network problem and had to figure out the
    traffic flows in your network while you were half asleep, could you do it?
  • pert Member, Posts: 250
    The way it was described in the CCNA:W made it sound soooo much easier than it actually was, at least for me. I just set up WPA2-Ent w/ EAP-TLS. I'm not a Linux guy, at all. Setting up FreeRADIUS, the CA, generating the signed certs using openssl and converting them to use for Windows machines took me quite a while. I'm sure I could do it now in under 2 hours, but holy hell was that painful to go through the first time. Every guide or walkthrough I read was missing critical information, every time I had an error the error message was useless, and I got countless syntax errors with certain commands. I'm happy I've learned it and it was an interesting challenge, but I never would have done it originally if I had known the pain. I miss the days when I worked with other engineers regularly and could get assistance from the Linux guru or Windows guy.
  • powmia Users Awaiting Email Confirmation, Posts: 322
    A more common deployment scenario in a large enterprise is to NOT use certs... because, as you found out.. it's a pain. If sites manage their own CA servers, it isn't bad and is more secure. If not, or if you just want reduced complexity:

    EAP-TLS machine authentication is a quicker method to deploy. The reasoning for using this as an acceptable method of Network Admission Control is that if your PC is a member of the domain, then it is allowed to be connected to the network. If a user isn't a legitimate domain user, they can't log onto the computer. Works well enough for most IA types.
  • d4nz1g Member, Posts: 464
    802.1x (especially with Cisco devices) is so easy to set up. The part that fcked me up was the cert issues.
    I don't manage Windows over here (I'm on the network team), so the cert infrastructure is so damn messy... so I told them to configure the clients to skip cert validation.

    Here are my 2 cents about the framework. (Don't know if it's 100% correct, but I believe it's something like that.)
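The certificate steps pert describes (CA, openssl-signed certs, conversion for Windows), the machine certificate powmia's post relies on, and the server-certificate check d4nz1g's clients were told to skip all come down to a handful of openssl commands. The script below is an added example written for this thread, not code from any poster or from FreeRADIUS/NPS documentation. It builds a throw-away lab PKI and then shows what the supplicant's server-certificate validation actually does: a certificate for the same RADIUS name issued by an unrelated CA is rejected only when validation is on, which is why the fix for a "messy" cert infrastructure is pushing the corporate CA certificate to clients (for instance via GPO) and keeping validation enabled rather than turning it off. The host names, the machine name, the CA names and the PKCS#12 password are all assumed values; the OpenSSL options used exist in 1.1.1 and later.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread. Builds a throw-away
# EAP-TLS lab PKI with openssl so the details that usually bite are visible:
# the EKU on each certificate, a SAN matching the RADIUS host name, a PKCS#12
# bundle the Windows certificate store can import, and a demonstration of
# what the client's server-certificate check rejects. All names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

RADIUS_FQDN="radius.example.lab"     # assumed name of the NPS/FreeRADIUS host
CLIENT_NAME="laptop01.example.lab"   # assumed domain machine name
P12_PASSWORD="example-only"          # assumed export password

# Minimal openssl config: a fixed CN plus a v3_ca section for root certs.
write_req_cnf() {                    # $1 = output file, $2 = CN
  printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$2" > "$1"
  printf '[v3_ca]\nbasicConstraints = critical,CA:TRUE\n' >> "$1"
  printf 'keyUsage = critical,keyCertSign,cRLSign\n' >> "$1"
}

# Self-signed root CA -> $1.key / $1.crt
make_ca() {                          # $1 = file prefix, $2 = CA display name
  write_req_cnf "$1.cnf" "$2"
  openssl req -x509 -config "$1.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 3650 -sha256 -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Leaf certificate signed by CA $1. EAP-TLS supplicants look for serverAuth on
# the RADIUS server cert; Windows/NPS expect clientAuth on the user/machine cert.
issue_cert() {                       # $1 CA prefix, $2 file prefix, $3 CN, $4 EKU, $5 SAN
  write_req_cnf "$2.cnf" "$3"
  openssl req -new -config "$2.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$2.ext"
  printf 'extendedKeyUsage=%s\nsubjectAltName=%s\n' "$4" "$5" >> "$2.ext"
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 825 -sha256 -extfile "$2.ext" -out "$2.crt" >/dev/null 2>&1
}

# Key + cert + issuing CA in one PKCS#12 file, the format the Windows
# certificate store imports (the "converting them for Windows" step).
to_pkcs12() {                        # $1 = leaf prefix, $2 = CA prefix
  openssl pkcs12 -export -inkey "$1.key" -in "$1.crt" -certfile "$2.crt" \
    -out "$1.p12" -passout "pass:$P12_PASSWORD" >/dev/null 2>&1
}

# Does leaf $2 chain to CA $1? This is the check a supplicant configured to
# skip server-certificate validation never performs.
chains_to() { openssl verify -CAfile "$1.crt" "$2.crt" >/dev/null 2>&1; }

# Human-readable EKU of a cert, e.g. "TLS Web Server Authentication".
eku_of() {
  openssl x509 -in "$1.crt" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

build_lab_pki() {
  make_ca corp "Example Corp Root CA"
  issue_cert corp radius "$RADIUS_FQDN" serverAuth "DNS:$RADIUS_FQDN"
  issue_cert corp client "$CLIENT_NAME" clientAuth "DNS:$CLIENT_NAME"
  to_pkcs12 client corp
  # A second, unrelated CA issuing a cert with the same name: without
  # validation against the corporate CA the client cannot tell them apart.
  make_ca other "Some Other CA"
  issue_cert other lookalike "$RADIUS_FQDN" serverAuth "DNS:$RADIUS_FQDN"
}

build_lab_pki
echo "work dir        : $WORK"
echo "server cert EKU : $(eku_of radius)"
echo "client cert EKU : $(eku_of client)"
chains_to corp radius    && echo "radius.crt    : chains to corp CA, accepted"
chains_to corp lookalike || echo "lookalike.crt : not issued by corp CA, rejected only while validation is on"
```

Run it as-is and inspect the files left in the work directory: `client.p12` is what a domain machine would import (pert's conversion step), `radius.crt` plus `radius.key` are what the RADIUS server would present, and `corp.crt` is the one file clients need so that the last line's rejection actually happens on the supplicant.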
