802.1x authentication - user experience

I understand the basics of 802.1x (supplicants, authenticators, auth servers) operation and configuration, as well as AAA/RADIUS/etc. My questions here primarily involve the user experience when 802.1x has been deployed in a wired and wireless environment, since I have yet to see it in action.  

I boot up a Windows XP computer (configured for 802.1x PEAP, and connected to an 802.1x-secured switch port) and eventually get a Windows login screen. At this point, I shouldn't be able to log on to the Windows domain, since the port hasn't been opened up by 802.1x authentication yet. My questions:

1) When exactly in the start-up sequence will the system authenticate to 802.1x, and ask me for 802.1x credentials?

2) Once the port has been opened via 802.1x, will I then have to enter those same AD credentials in the Windows logon screen, or is there a way to have the credentials I entered for 802.1x passed on to Windows to auto-authenticate (so the user only has to type them in once)?

3) How does the authentication process look different in a wireless environment? Let's say I've configured a secure WLAN that requires a pass-code to be configured on the workstation to get a connection. After I'm "connected" to the SSID, does an 802.1x authentication box pop up again like it does in the wired world, asking for AD credentials? Or, if you're using 802.1x authentication in a wireless environment to open the connection to the access point, would you not secure the WLAN at all?

Thanks in advance, and reference links/docs are always appreciated!

mikecr commented:
By unchecking the box to use Domain Authentication when configuring wireless access for 802.1x on a Windows computer, you will be prompted for username/password credentials to connect to the network, ONLY if you set the wireless to open authentication. Then you can use EAP methods. It won't require computer authentication when set to open so all you will have is username/password no matter whether the computer is a member of the domain or not.

If you set the access point to open with network EAP, then the computer must authenticate in some fashion. It just depends on how it is to be set up.
noci (Software Engineer) commented:
@3, the authentication is the same. The difference between wireless and wired is the use of radio and the setting up of the connection over it, i.e. making the connection between endpoints using the SSID in beacon frames (or through specific queries for "hidden" SSIDs); in a wired world this is a cable.

For the other 2 questions, I have no experience, as I have no Windows.
Rich Rumble (Security Samurai) commented:
802.1x works just like any authentication system: you give a username and password, and it's checked against an authenticator, like RADIUS. The supplicant can use certificates or smart cards for this authentication, and then the user/pass as an authorization to log on. The certificates can reside on the PC or they can be on a portable drive and even a token or smart card. 802.1x authorizes the port (or in Wi-Fi's case the MAC address of the host) to a certain VLAN. The user/pass is still used for authentication of the user. Typically some other password, cert, or token is used for the 802.1x portion, and the supplicants typically handle that on their own. This isn't always the case; the user/pass can be used exclusively, but it provides no real added security benefit.
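The exchange the comment above describes, at the wire level, as an added example that is not part of the original thread. It builds the EAPOL/EAP frames a supplicant and a switch port exchange before the port is authorized (either side may open: the supplicant with EAPOL-Start at link-up, or the authenticator with an EAP Request/Identity), and models the authenticator's pre-authorization filter, which is the reason the Windows logon cannot reach the domain until 802.1x finishes: only EAPOL frames (EtherType 0x888E) pass until the RADIUS server answers Access-Accept. Frame layouts follow IEEE 802.1X and RFC 3748; the MAC addresses and the identity string are constructed sample data, and the PEAP inner exchange and the RADIUS leg are stubbed by a single verdict call.

```python
"""Wire-level view of the first 802.1X messages on a wired port (added example).

Constructs EAPOL/EAP frames for a supplicant and an authenticator and models the
authenticator's port: non-EAPOL traffic is dropped until RADIUS accepts. The MAC
addresses and identity are constructed sample values; Windows uses the
"host/<FQDN>" form for machine authentication.
"""
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group destination
SUP_MAC = bytes.fromhex("001122334455")          # constructed supplicant MAC
AUTH_MAC = bytes.fromhex("00aabbccddee")         # constructed switch-port MAC
ETHERTYPE_EAPOL, ETHERTYPE_IPV4 = 0x888E, 0x0800
EAPOL_VERSION = 2
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1

def eapol_frame(src, eapol_type, body=b""):
    """Ethernet header (to the PAE group address) + EAPOL header + body."""
    eth = PAE_GROUP_ADDR + src + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(body)) + body

def eap_packet(code, identifier, eap_type=None, data=b""):
    """EAP packet (RFC 3748 s4); Success/Failure carry no Type byte."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_frame(frame):
    """Decode an Ethernet frame; adds EAPOL and EAP fields when present."""
    out = {"src": frame[6:12], "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if out["ethertype"] != ETHERTYPE_EAPOL:
        return out
    version, etype, length = struct.unpack("!BBH", frame[14:18])
    out.update(eapol_version=version, eapol_type=etype)
    body = frame[18:18 + length]
    if etype == EAPOL_EAP_PACKET and len(body) >= 4:
        code, ident, elen = struct.unpack("!BBH", body[:4])
        out.update(eap_code=code, eap_id=ident)
        if code in (EAP_REQUEST, EAP_RESPONSE) and elen >= 5:
            out["eap_type"], out["eap_data"] = body[4], body[5:elen]
    return out

class AuthenticatorPort:
    """Controlled/uncontrolled port model: data is dropped until authorized."""

    def __init__(self):
        self.authorized = False
        self.identity = None
        self.next_id = 1

    def handle_frame(self, frame):
        """Return (forwarded_to_lan, reply_frame_or_None) for one supplicant frame."""
        f = parse_frame(frame)
        if f["ethertype"] != ETHERTYPE_EAPOL:
            return self.authorized, None          # data only passes once authorized
        if f["eapol_type"] == EAPOL_START:
            # Supplicant announced itself at link-up: ask for its identity.
            req = eap_packet(EAP_REQUEST, self.next_id, EAP_TYPE_IDENTITY)
            return False, eapol_frame(AUTH_MAC, EAPOL_EAP_PACKET, req)
        if f["eapol_type"] == EAPOL_LOGOFF:
            self.authorized = False               # port closes again on logoff
            return False, None
        if f.get("eap_code") == EAP_RESPONSE and f.get("eap_type") == EAP_TYPE_IDENTITY:
            self.identity = f["eap_data"].decode()
            # A real switch now relays EAP to RADIUS (EAP-Message attribute) and the
            # PEAP tunnel runs inside further Request/Response pairs; elided here.
            return False, None
        return False, None

    def radius_result(self, accepted):
        """Apply the RADIUS verdict; Access-Accept opens the port, yielding EAP-Success."""
        self.authorized = accepted
        code = EAP_SUCCESS if accepted else EAP_FAILURE
        return eapol_frame(AUTH_MAC, EAPOL_EAP_PACKET, eap_packet(code, self.next_id))

def run_exchange(identity="host/WKS01.corp.example", accept=True):
    """Start -> Request/Identity -> Response/Identity -> verdict, with a data probe before and after."""
    port = AuthenticatorPort()
    # Constructed IPv4 broadcast frame standing in for ordinary data traffic.
    ip_frame = b"\xff" * 6 + SUP_MAC + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19
    result = {}
    result["data_before"], _ = port.handle_frame(ip_frame)
    _, req = port.handle_frame(eapol_frame(SUP_MAC, EAPOL_START))
    r = parse_frame(req)
    result["got_identity_request"] = (r["eap_code"], r["eap_type"]) == (EAP_REQUEST, EAP_TYPE_IDENTITY)
    resp = eap_packet(EAP_RESPONSE, r["eap_id"], EAP_TYPE_IDENTITY, identity.encode())
    port.handle_frame(eapol_frame(SUP_MAC, EAPOL_EAP_PACKET, resp))
    result["final_code"] = parse_frame(port.radius_result(accept))["eap_code"]
    result["data_after"], _ = port.handle_frame(ip_frame)
    result["identity"] = port.identity
    return result

if __name__ == "__main__":
    print(run_exchange())
```

The `data_before`/`data_after` pair is the user-visible effect: until `radius_result(True)` runs, the domain controller is unreachable from that port, so any logon attempt at the Windows splash screen can only be satisfied from cached credentials. Note that the identity in the outer EAP Response is sent in the clear; with PEAP the real credentials travel inside the TLS tunnel, which is why the outer identity can be anonymised.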

1. After the computer negotiates a connection to the switchport or wireless SSID.

2. Yes, using computer authentication, you can create a radius rule to allow only computers that are members of the domain access to the network. You can do this by specifying the Domain Computer Group in AD. The computer will not be prompted for username and password, it will automatically provide it. When the computer boots up and begins negotiating with the switchport, the computer passes authentication and if the computer is a member of the domain, then you gain access, if not, then the connection fails with an error. Data transmissions across the network ARE NOT ENCRYPTED.

3. Keep in mind that wireless is done a bit differently. You have encrypted authentication and encryption. To be able to access a "secure network" you need to be able to provide encrypted authentication first and then an encrypted data connection is created. You can't have one without the other if you're using WPA/WPA2 as your authentication mechanism. The computer gets a request from the access point once it is connected for credentials, same as if you were using a wired connection, however once the authentication has been verified, the computer and access point then negotiate the encryption standard that is specified, i.e., either WEP, TKIP, or AES. At this time data then becomes encrypted.

In either scenario above, if you use anything other than computer authentication, you will be prompted with a logon box for whatever you have configured, i.e., username/password, RSA ID, etc.

As stated above, you can use tokens, smart cards, username/password, etc. But as I said, just bear in mind that there is a difference between wired and wireless so there is a little more that needs to be configured on the wireless side. You can however take care of it using AD Group Policy.

cfan73 (Author) commented:
Thanks for the input, folks - all helpful. A couple of follow-up questions for mikecr:

1) For 802.1x to negotiate a connection to the switchport or wireless SSID, the username/password will be required (prior to finding the Windows domain for an AD login). Again, looking for the specific user experience - will a pop-up box come up that they have to deal with first, THEN they still have to log on through the Windows splash screen? (so, logging on twice, effectively?)

2) You're saying that the system can be configured to log on to AD automatically (to open the port up via 802.1x) based on the device being part of the AD domain. If I want the 802.1x authentication to be user-based, and we require user/pass to open up the port, then can these credentials be passed on to the Windows logon (thus, only one login being required - effectively "Single Sign-On")?

Thanks again!

Rich Rumble (Security Samurai) commented:
You can do it with SSO; the user's name and password can be the authentication that allows the port to be authorized... however that method doesn't keep "personal" equipment off the network in the wired or Wi-Fi networks unless a second check is used, like a MAC address, a certificate and/or smart card (the supplicant handles that part, not the users). The RADIUS portion of 802.1x can be used to assign "unknown" MAC addresses to alternate VLANs or networks... a MAC address is easily spoofed for many Wi-Fi and almost all wired NICs. So one could spoof an iPad's MAC address to be that of their work PC, and get access to the network like the company machine, but a certificate is typically harder for users to track down and is often tied to the hardware or name of the computer in some way that makes "reusing" the same cert on different machines fail. The certs are supposed to rotate and change in the background using the supplicant and Certificate Authority (PKI) setup on the domain.
Again, think of 802.1x as machine or hardware authentication, and the rest is user authentication. Most Wi-Fi networks have the ability to whitelist MAC addresses and this is one of the simplest forms of 802.1x... it's not as secure, but most consider it better than nothing.
1. No, the Windows username/password box should be sufficient. I've done this before; however, like I said, wireless is different than the LAN. For the wireless to work correctly for the user to log onto the network, the computer needs to be authenticated first so that it can make the wireless connection. There will be NO username/password. Then the Windows logon will take effect. Now if the user logs into Windows and then wants to connect to the wireless network, you can configure the supplicant to prompt for username/password if you wish, however it will automatically send the Domain credentials.

2. As I stated above, the Domain credentials will be automatically passed unless you configure it otherwise so there shouldn't be a prompt for username/password other than the Windows logon box.
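The RADIUS-driven VLAN placement mentioned earlier in the thread (authorizing a port "to a certain VLAN", and parking unknown devices on an alternate VLAN), shown as an added example that is not part of the original thread. It builds the RFC 3580 attribute triple a RADIUS server returns to place the port in a VLAN (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>) and then does what the switch must do before acting on any reply: recompute the Response Authenticator with the shared secret (RFC 2865 section 3) so that a forged Access-Accept injected on the wire between switch and server is dropped rather than opening the port. The shared secret, request authenticator, VLAN numbers and the fallback VLAN are constructed sample values.

```python
"""RADIUS Access-Accept carrying a VLAN assignment: built, verified, acted on.

Added example, not code from the thread. Shared secret, request authenticator,
VLAN numbers and fallback VLAN are constructed sample values.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

def attr(attr_type, value):
    """Type-Length-Value; Length counts the two header bytes (RFC 2865 s5)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def tagged_int(tag, n):
    """Tagged integer (RFC 2868): one tag byte followed by a 3-byte value."""
    return bytes([tag]) + struct.pack("!I", n)[1:]

def vlan_attributes(vlan_id, tag=0):
    """The three attributes a RADIUS server sends to place the port in VLAN vlan_id."""
    return (attr(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
            + attr(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE802))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def build_response(code, ident, request_auth, attrs, secret):
    """Server side: header + Response Authenticator + attributes (RFC 2865 s3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet, request_auth, secret):
    """Switch side: recompute the Response Authenticator with the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attributes(packet):
    """Return (type, value) pairs; a Length below 2 would loop forever, so reject it."""
    pos, out = 20, []
    while pos < len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed attribute")
        out.append((t, packet[pos + 2:pos + l]))
        pos += l
    return out

def assigned_vlan(packet):
    """Return the VLAN id if the reply carries a consistent RFC 3580 triple, else None."""
    found = {}
    for t, v in parse_attributes(packet):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[t] = int.from_bytes(v[1:], "big")               # drop the tag byte
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            found[t] = (v[1:] if v[0] <= 0x1F else v).decode()   # tag only if <= 0x1F
    if (found.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and found.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
            and found.get(TUNNEL_PRIVATE_GROUP_ID, "").isdigit()):
        return int(found[TUNNEL_PRIVATE_GROUP_ID])
    return None

def switch_decision(packet, request_auth, secret, fallback_vlan=999):
    """What the authenticator does with a reply: verify first, only then act on it."""
    if not verify_response(packet, request_auth, secret):
        return ("drop", None)            # wrong secret or forged: never open the port
    if packet[0] != ACCESS_ACCEPT:
        return ("unauthorized", None)
    vlan = assigned_vlan(packet)
    return ("authorized", vlan if vlan is not None else fallback_vlan)

def demo():
    """Four replies for the same request: good, forged, reject, accept without VLAN."""
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))          # constructed; real ones are random per request
    good = build_response(ACCESS_ACCEPT, 7, req_auth, vlan_attributes(110), secret)
    forged = build_response(ACCESS_ACCEPT, 7, req_auth, vlan_attributes(1), b"wrong-secret")
    reject = build_response(ACCESS_REJECT, 7, req_auth, b"", secret)
    plain = build_response(ACCESS_ACCEPT, 7, req_auth, b"", secret)
    return {"good": switch_decision(good, req_auth, secret),
            "forged": switch_decision(forged, req_auth, secret),
            "reject": switch_decision(reject, req_auth, secret),
            "no_vlan": switch_decision(plain, req_auth, secret)}

if __name__ == "__main__":
    print(demo())
```

Two things this deliberately leaves out: the identity-to-VLAN policy itself (the "Domain Computers" rule mentioned above) lives on the RADIUS server and is not modelled, and real EAP-over-RADIUS replies also carry a Message-Authenticator attribute (HMAC-MD5, RFC 3579) on top of the Response Authenticator. The MD5-based authenticator is only as strong as the shared secret, so the secret should be long and random and the RADIUS link kept on a management network.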

Rich Rumble (Security Samurai) commented:
The PC's domain credentials, that is... The machine (supplicant) authenticates for the port to open up, and then the user can authenticate using AD. On the Wi-Fi side this is typically done using MAC address whitelists, or again certs, or tokens/smart cards.
http://technet.microsoft.com/en-us/library/cc512611.aspx Machine Only is very lax, and the bypass described in that link will work in that situation. Using user+machine (the switch will proxy the authentications in the background, so only 802.1x/Radius traffic will be allowed on the port until allowed or denied) should be used so that even if the described bypass is used, 802.1x should try to check for the token on the machine again, so access is only available for a short time.