802.1x authentication - user experience

Posted on 2010-11-13
Last Modified: 2012-05-10
I understand the basics of 802.1x (supplicants, authenticators, auth servers) operation and configuration, as well as AAA/RADIUS/etc. My questions here primarily involve the user experience when 802.1x has been deployed in a wired and wireless environment, since I have yet to see it in action.  

I boot up a Windows XP computer (configured for 802.1x PEAP, and connected to an 802.1x-secured switch port) and eventually get a Windows login screen. At this point, I shouldn't be able to log on to the Windows domain, since the port hasn't been opened up by 802.1x authentication yet. My questions:

1) When exactly in the start-up sequence will the system authenticate to 802.1x, and ask me for 802.1x credentials?

2) Once the port has been opened via 802.1x, will I then have to enter those same AD credentials in the Windows logon screen, or is there a way to have the credentials I entered for 802.1x to be passed onto Windows and auto-authenticate  (so the user only has to type them in once)?

3) How does the authentication process look different in a wireless environment?  Let's say I've configured a secure WLAN that requires a pass-code to be configured on the workstation to get a connection.  After I'm "connected" to the SSID, does an 802.1x authentication box pop up again like it does in the wired world, asking for AD credentials?   Or, if you're using 802.1x authentication in a wireless environment to open the connection to the access point, would you not secure the WLAN at all?

Thanks in advance, and reference links/docs are always appreciated!

Question by:cfan73
LVL 40

Expert Comment

ID: 34131197
@3, the authentication is the same. The difference between wireless & wired is the use of radio + setting up transmission the connection, i.e., making the connection between endpoints using SSID in beacon frames (or through specific queries for "hidden" SSIDs). In a wired world this is a cable.

For the other 2 questions, I have no experience, as I have no Windows.
LVL 38

Expert Comment

by:Rich Rumble
ID: 34132038
802.1x works just like any authentication system: you give a username and password, and it's checked against an authenticator, like RADIUS. The supplicant can use certificates or smart-cards for this authentication, and then the user/pass as an authorization to log on. The certificates can reside on the PC or they can be on a portable drive and even token or smart-card. 802.1x authorizes the port (or in a wifi's case the MAC address of the host) to a certain VLAN. The user/pass is still used for authentication of the user. Typically some other password, cert, token is used for the 802.1x portion, and the supplicants typically handle that on their own. This isn't always the case; the user/pass can be used exclusively but it provides no real added security benefit.
LVL 17

Expert Comment

ID: 34132189
1. After the computer negotiates a connection to the switchport or wireless SSID.

2. Yes, using computer authentication, you can create a RADIUS rule to allow only computers that are members of the domain access to the network. You can do this by specifying the Domain Computer Group in AD. The computer will not be prompted for username and password, it will automatically provide it. When the computer boots up and begins negotiating with the switchport, the computer passes authentication and if the computer is a member of the domain, then you gain access, if not, then the connection fails with an error. Data transmissions across the network ARE NOT ENCRYPTED.

3. Keep in mind that wireless is done a bit differently. You have encrypted authentication and encryption. To be able to access a "secure network" you need to be able to provide encrypted authentication first and then an encrypted data connection is created. You can't have one without the other if you're using WPA/WPA2 as your authentication mechanism. The computer gets a request from the access point once it is connected for credentials, same as if you were using a wired connection, however once the authentication has been verified, the computer and access point then negotiate the encryption standard that is specified, i.e., either WEP, TKIP, or AES. At this time data then becomes encrypted.

In either scenario above, if you use anything other than computer authentication, you will be prompted with a logon box for whatever you have configured, i.e., username/password, RSA ID, etc.

As stated above, you can use tokens, smart cards, username/password, etc. But as I said, just bear in mind that there is a difference between wired and wireless so there is a little more that needs configured on the wireless side. You can however take care of it using AD Group Policy.


Author Comment

ID: 34133022
Thanks for the input, folks - all helpful. A couple of follow-up questions for mikecr:

1) for 802.1x to negotiate a connection to the switchport or wireless SSID, the username/password will be required (prior to finding the Windows domain for an AD login). Again, looking for specific user experience - will a pop-up box come up that they have to deal with first, THEN they still have to log on through the Windows splash screen? (so, logging on twice, effectively?)

2) you're saying that the system can be configured to log on to AD automatically (to open the port up via 802.1x) based on the device being part of the AD domain. If I want the 802.1x authentication to be user-based, and we require user/pass to open up the port, then can these credentials be passed onto the Windows logon (thus, only one login being required - effectively "Single Sign-On"?)

Thanks again!

LVL 38

Expert Comment

by:Rich Rumble
ID: 34133578
You can do it with SSO, the user's name and password can be the authentication that allows the port to be authorized... however that method doesn't keep "personal" equipment off the network in the wired or wifi networks unless a second check, like a MAC address, a certificate and/or smart-card (the supplicant handles that part, not the users), is used. The RADIUS portion of 802.1x can be used to assign "unknown" MAC addresses to alternate VLANs or networks... MAC address is easily spoofed for many wifi and almost all wired NICs. So one could spoof an iPad's MAC address to be that of their work PC, and get access to the network like the company machine, but a certificate is typically harder for users to track down and is often tied to the hardware or name of the computer in some way that makes "reusing" the same cert on different machines fail. The certs are supposed to rotate and change in the background using the supplicant and Certificate Authority (PKI) setup on the domain.
Again think of 802.1x as machine or hardware authentication, and the rest is user authentication. Most wifis have the ability to white-list MAC addresses and this is one of the simplest forms of 802.1x... it's not as secure, but most consider it better than nothing.
LVL 17

Expert Comment

ID: 34138861
1. No, the Windows username/password box should be sufficient. I've done this before; however, like I said, wireless is different than the LAN. For the wireless to work correctly for the user to log onto the network, the computer needs to be authenticated first so that it can make the wireless connection. There will be NO username/password. Then the Windows logon will take effect. Now if the user logs into Windows and then wants to connect to the wireless network, you can configure the supplicant to prompt for username/password if you wish, however it will automatically send the Domain credentials.

2. As I stated above, the Domain credentials will be automatically passed unless you configure it otherwise so there shouldn't be a prompt for username/password other than the Windows logon box.

LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 200 total points
ID: 34139632
The PC's domain credentials, that is... The machine (supplicant) authenticates the port to open up, and then the user can authenticate using AD. On the wifi side this is typically done using MAC address white lists, or again certs, or tokens/smartcards. Machine Only is very lax, and the bypass described in that link will work in that situation. Using user+machine (the switch will proxy the authentications in the background, so only 802.1x/RADIUS traffic will be allowed on the port until allowed or denied) should be used so that even if the described bypass is used, 802.1x should try to check for the token on the machine again, so access is only available for a short time.
LVL 17

Accepted Solution

mikecr earned 300 total points
ID: 34139802
By unchecking the box to use Domain Authentication when configuring wireless access for 802.1x on a Windows computer, you will be prompted for username/password credentials to connect to the network, ONLY if you set the wireless to open authentication. Then you can use EAP methods. It won't require computer authentication when set to open so all you will have is username/password no matter whether the computer is a member of the domain or not.

If you set the access point to open with network EAP, then the computer must authenticate in some fashion. It just depends on how it is to be set up.
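
Added example, not part of any answer in this thread: a small model of the user+machine rule discussed above, showing how an authentication server can tell computer authentication from user authentication by the EAP identity (Windows computer accounts present `host/<fqdn>`). The `PortPolicy` class, its decision names, and the sample MAC and identities are hypothetical and constructed for illustration.

```python
import struct

EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1  # RFC 3748 code and type values

def make_identity(ident_id: int, name: str) -> bytes:
    """Build an EAP-Response/Identity packet (used for the constructed samples)."""
    body = name.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, ident_id, 5 + len(body),
                       EAP_TYPE_IDENTITY) + body

def parse_eap_identity(pkt: bytes) -> str:
    """Return the identity carried in an EAP-Response/Identity packet."""
    if len(pkt) < 5:
        raise ValueError("truncated EAP packet")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != EAP_RESPONSE or pkt[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    if length < 5 or length > len(pkt):
        raise ValueError("bad EAP length field")
    return pkt[5:length].decode("utf-8", errors="replace")

def classify(identity: str) -> str:
    """Windows computer authentication presents 'host/<fqdn>' as its identity."""
    return "machine" if identity.lower().startswith("host/") else "user"

class PortPolicy:
    """Hypothetical user+machine rule, keyed by the client MAC address."""
    def __init__(self, require_machine: bool = True):
        self.require_machine = require_machine
        self.machine_ok = set()  # MACs whose computer account authenticated

    def decide(self, mac: str, eap_pkt: bytes, credentials_valid: bool) -> str:
        try:
            kind = classify(parse_eap_identity(eap_pkt))
        except ValueError:
            return "reject"
        if not credentials_valid:
            return "reject"
        if kind == "machine":
            self.machine_ok.add(mac)
            return "accept-machine"
        if self.require_machine and mac not in self.machine_ok:
            return "alternate-vlan"  # user on a device that never machine-authenticated
        return "accept-user"

if __name__ == "__main__":
    policy = PortPolicy()
    mac = "00:11:22:33:44:55"  # constructed sample values
    user = make_identity(1, "CORP\\alice")
    machine = make_identity(2, "host/pc01.corp.example")
    for pkt in (user, machine, user):
        print(parse_eap_identity(pkt), "->", policy.decide(mac, pkt, True))
```

Because this rule is keyed by MAC address, it carries the spoofing weakness raised in the thread; the credential check inside the EAP method (for example a machine certificate) is what actually ties the session to the hardware.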


Question has a verified solution.
