802.1x For Windows Login Authentication
Chitownjedi
Member Posts: 578
Hello,
So, it's been a while since I've looked into my CCNA notes, but my boss asked me about what I believe to be 802.1x...
We currently have no Wi-Fi set up at our headquarters (I know, I know).
They have been doing surveys and everything, and we had a meeting where they were mentioning ways to make it easier for the users to connect to the wireless network we will have, and I suggested 802.1x and WPA2-Enterprise....
It has been a while since I've looked over my wireless networking material; I've been focusing on M$ for the last 6 months, but I am planning on doing research and giving him the blueprint on how to do it (good chance to have this be a project under my belt).
Just making sure that 802.1x is what I am referring to... when a user logs in to the domain, that same username and password is authenticated through the RADIUS server, which has the ability to query AD/LDAP for credentials, correct?
Comments
Zartanasaurus Member Posts: 2,008
Yes.
You can push all of the 802.1x settings out through a GPO and have it be completely transparent to the users also. If they log in with an AD account, they are on the wireless.
Currently reading:
IPSec VPN Design 44%
Mastering VMWare vSphere 5 42.8%
RouteMyPacket Member Posts: 1,104
Zart pretty much covered it for you. GPO for sure to handle seamless client authentication to the WLAN.
I finished a wireless project recently and while I am not a "Wireless" Engineer, it wasn't so bad but definitely lots of little details I would never have known had I not gone through it.
Throw ISE on top of it and it gets even more crazy.
Modularity and Design Simplicity:
Think of the 2:00 a.m. test—if you were awakened in the middle of the night because of a network problem and had to figure out the traffic flows in your network while you were half asleep, could you do it?
pert Member Posts: 250
The way it was described in the CCNA:W made it sound soooo much easier than it actually was, at least for me. I just set up WPA2-Ent w/ EAP-TLS. I'm not a Linux guy, at all. Setting up Freeradius, the CA, generating the signed certs using openssl and converting them to use for Windows machines took me quite a while. I'm sure I could do it now in under 2 hours, but holy hell was that painful to go through the first time. Every guide or walkthrough I read was missing critical information, every time I had an error the error message was useless, and I got countless syntax errors with certain commands. I'm happy I've learned it and it was an interesting challenge, but I never would have done it originally if I had known the pain. I miss the days when I worked with other engineers regularly and could get assistance from the Linux guru or Windows guy.
powmia Users Awaiting Email Confirmation Posts: 322
A more common deployment scenario in a large enterprise is to NOT use certs... because, as you found out, it's a pain. If sites manage their own CA servers, it isn't bad and is more secure. If not, or if you just want reduced complexity:
EAP-TLS machine authentication is a quicker method to deploy. The reasoning for using this as an acceptable method of Network Admission Control is that if your PC is a member of the domain, then it is allowed to be connected to the network. If a user isn't a legitimate domain user, they can't log onto the computer. Works well enough for most IA types.
d4nz1g Member Posts: 464
802.1x (especially with Cisco devices) is so easy to set up. The part that fcked me up was the cert issues.
I don't manage Windows over here (I'm on the network team), so the cert infrastructure is so damn messy... so I told them to configure the clients to skip cert validation.
Here are my 2 cents about the framework. (Don't know if it's 100% correct, but I believe it's something like that.)