802.1x authentication - user experience

Posted on 2010-11-13
Last Modified: 2012-05-10
I understand the basics of 802.1x (supplicants, authenticators, auth servers) operation and configuration, as well as AAA/RADIUS/etc. My questions here primarily involve the user experience when 802.1x has been deployed in a wired and wireless environment, since I have yet to see it in action.  

I boot up a Windows XP computer (configured for 802.1x PEAP, and connected to an 802.1x-secured switch port) and eventually get a Windows login screen. At this point, I shouldn't be able to log on to the Windows domain, since the port hasn't been opened up by 802.1x authentication yet. My questions:

1) When exactly in the start-up sequence will the system authenticate to 802.1x, and ask me for 802.1x credentials?

2) Once the port has been opened via 802.1x, will I then have to enter those same AD credentials in the Windows logon screen, or is there a way to have the credentials I entered for 802.1x to be passed onto Windows and auto-authenticate  (so the user only has to type them in once)?

3) How does the authentication process look different in a wireless environment?  Let's say I've configured a secure WLAN that requires a pass-code to be configured on the workstation to get a connection.  After I'm "connected" to the SSID, does an 802.1x authentication box pop up again like it does in the wired world, asking for AD credentials?   Or, if you're using 802.1x authentication in a wireless environment to open the connection to the access point, would you not secure the WLAN at all?

Thanks in advance, and reference links/docs are always appreciated!

Question by:cfan73
Expert Comment

ID: 34131197
@3, the authentication is the same. The difference between wireless & wired is the use of radio and setting up the connection, i.e. making the connection between endpoints using the SSID in beacon frames (or through specific queries for "hidden" SSIDs); in the wired world this is a cable.

For the other 2 questions, I have no experience, as I have no Windows.
Expert Comment

by:Rich Rumble
ID: 34132038
802.1x works just like any authentication system: you give a username and password, and it's checked against an authenticator, like Radius. The supplicant can use certificates or smart cards for this authentication, and then the user/pass as an authorization to log on. The certificates can reside on the PC or they can be on a portable drive and even a token or smart card. 802.1x authorizes the port (or in Wi-Fi's case the MAC address of the host) to a certain VLAN. The user/pass is still used for authentication of the user. Typically some other password, cert, or token is used for the 802.1x portion, and the supplicants typically handle that on their own. This isn't always the case; the user/pass can be used exclusively, but it provides no real added security benefit.
Expert Comment

ID: 34132189
1. After the computer negotiates a connection to the switchport or wireless SSID.

2. Yes, using computer authentication, you can create a radius rule to allow only computers that are members of the domain access to the network. You can do this by specifying the Domain Computer Group in AD. The computer will not be prompted for username and password; it will automatically provide it. When the computer boots up and begins negotiating with the switchport, the computer passes authentication and if the computer is a member of the domain, then you gain access; if not, the connection fails with an error. Data transmissions across the network ARE NOT ENCRYPTED.

3. Keep in mind that wireless is done a bit differently. You have encrypted authentication and encryption. To be able to access a "secure network" you need to be able to provide encrypted authentication first and then an encrypted data connection is created. You can't have one without the other if you're using WPA/WPA2 as your authentication mechanism. The computer gets a request from the access point once it is connected for credentials, same as if you were using a wired connection; however, once the authentication has been verified, the computer and access point then negotiate the encryption standard that is specified, i.e., either WEP, TKIP, or AES. At this time data then becomes encrypted.

In either scenario above, if you use anything other than computer authentication, you will be prompted with a logon box for whatever you have configured, i.e., username/password, RSA ID, etc.

As stated above, you can use tokens, smart cards, username/password, etc. But as I said, just bear in mind that there is a difference between wired and wireless, so there is a little more that needs to be configured on the wireless side. You can however take care of it using AD Group Policy.


Author Comment

ID: 34133022
Thanks for the input, folks - all helpful. A couple of follow-up questions for mikecr:

1) for 802.1x to negotiate a connection to the switchport or wireless SSID, the username/password will be required (prior to finding the Windows domain for an AD login).  Again, looking for specific user experience - will a pop-up box come up that they have to deal with first, THEN they still have to logon through the Windows splash screen?   (so, logging on twice, effectively?)

2) you're saying that the system can be configured to logon to AD automatically (to open the port up via 802.1x) based on the device being part of the AD domain. If I want the 802.1x authentication to be user-based, and we require user/pass to open up the port, then can these credentials be passed onto the Windows logon (thus, only one login being required - effectively "Single Sign-On"?)

Thanks again!

Expert Comment

by:Rich Rumble
ID: 34133578
You can do it with SSO; the user's name and password can be the authentication that allows the port to be authorized... however that method doesn't keep "personal" equipment off the network in the wired or Wi-Fi networks unless there is a second check, like a MAC address, a certificate and/or smart card (the supplicant handles that part, not the users). The radius portion of 802.1x can be used to assign "unknown" MAC addresses to alternate VLANs or networks... a MAC address is easily spoofed for many Wi-Fi and almost all wired NICs. So one could spoof an iPad's MAC address to be that of their work PC, and get access to the network like the company machine, but a certificate is typically harder for users to track down and is often tied to the hardware or name of the computer in some way that makes "reusing" the same cert on different machines fail. The certs are supposed to rotate and change in the background using the supplicant and Certificate Authority (PKI) setup on the domain.
Again, think of 802.1x as machine or hardware authentication, and the rest is user authentication. Most Wi-Fi setups have the ability to white-list MAC addresses and this is one of the simplest forms of 802.1x... it's not as secure, but most consider it better than nothing.
Expert Comment

ID: 34138861
1. No, the Windows username/password box should be sufficient. I've done this before; however, like I said, wireless is different than the LAN. For the wireless to work correctly for the user to log onto the network, the computer needs to be authenticated first so that it can make the wireless connection. There will be NO username/password. Then the Windows logon will take effect. Now if the user logs into Windows and then wants to connect to the wireless network, you can configure the supplicant to prompt for username/password if you wish; however, it will automatically send the Domain credentials.

2. As I stated above, the Domain credentials will be automatically passed unless you configure it otherwise so there shouldn't be a prompt for username/password other than the Windows logon box.

Assisted Solution

by:Rich Rumble
Rich Rumble earned 800 total points
ID: 34139632
The PC's domain credentials, that is... The machine (supplicant) authenticates for the port to open up, and then the user can authenticate using AD. On the Wi-Fi side this is typically done using MAC address white lists, or again certs, or tokens/smart cards. Machine-only is very lax, and the bypass described in that link will work in that situation. Using user+machine (the switch will proxy the authentications in the background, so only 802.1x/Radius traffic will be allowed on the port until allowed or denied) should be used so that even if the described bypass is used, 802.1x should try to check for the token on the machine again, so access is only available for a short time.
Accepted Solution

mikecr earned 1200 total points
ID: 34139802
By unchecking the box to use Domain Authentication when configuring wireless access for 802.1x on a Windows computer, you will be prompted for username/password credentials to connect to the network, ONLY if you set the wireless to open authentication. Then you can use EAP methods. It won't require computer authentication when set to open so all you will have is username/password no matter whether the computer is a member of the domain or not.

If you set the access point to open with network EAP, then the computer must authenticate in some fashion. It just depends on how it is to be set up.
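As an added worked example (not code from the thread or from any of the posters), the following Python model walks through the port-authorization sequence the answers above describe: machine authentication at boot before the Windows logon screen (mikecr's point 2), the user exchange after logon that re-uses the domain credentials so they are typed once, VLAN assignment via the RFC 3580 Tunnel-* attributes in the RADIUS Access-Accept, and the periodic re-authentication that Rich Rumble's "user+machine" recommendation relies on. The account names, credentials, VLAN numbers and the AuthMode names are constructed sample values, and the re-authentication rule (a device that never passed machine authentication drops back to the guest VLAN) is a deliberate simplification of the policy under discussion, not a description of any particular switch or Windows supplicant.

```python
from dataclasses import dataclass, field
from enum import Enum


class AuthMode(Enum):
    """Supplicant authentication modes (assumed names, mirroring the Windows choices)."""
    MACHINE = "machine"
    USER = "user"
    MACHINE_OR_USER = "machineOrUser"


# Constructed sample directory and policy values; not real accounts, certs or VLANs.
DOMAIN_COMPUTERS = {"host/WS-0042.corp.example": "machine-cert-0042"}
DOMAIN_USERS = {"CORP\\cfan73": "user-password"}
EMPLOYEE_VLAN, GUEST_VLAN = "100", "900"


def vlan_attrs(vlan):
    """RFC 3580 VLAN assignment attributes carried in a RADIUS Access-Accept."""
    return {"Tunnel-Type": 13,            # VLAN
            "Tunnel-Medium-Type": 6,      # IEEE-802
            "Tunnel-Private-Group-ID": vlan}


def radius_policy(user_name, credential):
    """Stand-in for the RADIUS rules mikecr describes: a 'Domain Computers' rule
    evaluated first, then a 'Domain Users' rule. Returns (accepted, attributes, kind)."""
    if DOMAIN_COMPUTERS.get(user_name) == credential:
        return True, vlan_attrs(EMPLOYEE_VLAN), "machine"
    if DOMAIN_USERS.get(user_name) == credential:
        return True, vlan_attrs(EMPLOYEE_VLAN), "user"
    return False, {}, None


@dataclass
class Port:
    """One authenticator port: a switch port, or one client MAC on an access point."""
    auth_mode: AuthMode
    authorized: bool = False
    vlan: str = GUEST_VLAN               # unauthorized traffic lands in the guest VLAN
    machine_identity: tuple = None       # cached (identity, credential) for re-auth
    log: list = field(default_factory=list)

    def eap_exchange(self, user_name, credential):
        """EAP-Request/Identity -> EAP-Response/Identity -> RADIUS Access-Request ->
        Access-Accept (port opens, VLAN applied) or Access-Reject (guest VLAN)."""
        accepted, attrs, kind = radius_policy(user_name, credential)
        if accepted:
            self.authorized = True
            self.vlan = attrs["Tunnel-Private-Group-ID"]
            if kind == "machine":
                self.machine_identity = (user_name, credential)
            self.log.append(f"Access-Accept ({kind}) -> VLAN {self.vlan}")
        else:
            self.authorized, self.vlan = False, GUEST_VLAN
            self.log.append(f"Access-Reject for {user_name} -> guest VLAN {GUEST_VLAN}")
        return self.authorized

    def boot(self, computer_account, machine_credential):
        """Question 1: before the Windows logon screen the supplicant answers with the
        computer account; the user sees no prompt."""
        if self.auth_mode is AuthMode.USER:
            self.log.append("boot: user-only mode, port stays unauthorized until logon")
            return False
        return self.eap_exchange(computer_account, machine_credential)

    def user_logon(self, user_account, password):
        """Question 2: after the Windows logon the supplicant re-uses the domain
        credentials, so the user types them only once."""
        if self.auth_mode is AuthMode.MACHINE:
            self.log.append("logon: machine-only mode, no user EAP exchange")
            return self.authorized
        return self.eap_exchange(user_account, password)

    def reauthenticate(self):
        """Periodic re-authentication. Simplified 'user+machine' rule: the cached machine
        credential is checked again, so a device that never passed machine auth
        drops back to the guest VLAN."""
        if self.auth_mode is AuthMode.USER:
            return self.authorized
        if self.machine_identity is None:
            self.authorized, self.vlan = False, GUEST_VLAN
            self.log.append("reauth: no machine credential cached -> guest VLAN")
            return False
        return self.eap_exchange(*self.machine_identity)


def run_scenarios():
    """Walks three scenarios from the thread; returns the (authorized, vlan) states."""
    results = {}
    # Domain-joined PC, machine-or-user: open at boot, still open after logon and re-auth.
    p = Port(AuthMode.MACHINE_OR_USER)
    p.boot("host/WS-0042.corp.example", "machine-cert-0042")
    p.user_logon("CORP\\cfan73", "user-password")
    p.reauthenticate()
    results["domain_pc"] = (p.authorized, p.vlan)
    # Personal device with a valid user password: open only until the re-auth timer fires.
    p = Port(AuthMode.MACHINE_OR_USER)
    p.boot("host/PERSONAL-LAPTOP", "no-domain-cert")
    p.user_logon("CORP\\cfan73", "user-password")
    after_logon = (p.authorized, p.vlan)
    p.reauthenticate()
    results["personal_device"] = (after_logon, (p.authorized, p.vlan))
    # User-only mode: nothing happens at boot, the user password alone opens the port.
    p = Port(AuthMode.USER)
    p.boot("host/PERSONAL-LAPTOP", "no-domain-cert")
    before_logon = (p.authorized, p.vlan)
    p.user_logon("CORP\\cfan73", "user-password")
    results["user_only"] = (before_logon, (p.authorized, p.vlan))
    return results


if __name__ == "__main__":
    for name, state in run_scenarios().items():
        print(name, state)
```

Running the script prints one line per scenario. The second scenario is the one Rich Rumble warns about: with user-only credentials a non-domain device gets the employee VLAN until re-authentication, whereas the machine-or-user policy pulls it back to the guest VLAN because no machine credential was ever presented.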
