Solved

Network access protection 802.1x domain logon issue

Posted on 2013-12-06
833 Views
Last Modified: 2013-12-08
Hi

We have recently implemented NAP; however, we are experiencing problems: if a user has not logged on before on the desktop or laptop, they are unable to obtain an IP from DHCP and hence are not able to log in.

How can we implement NAP so that, even if the domain or local user credentials are not cached, they are able to pick up an IP and log in for the first time?
Question by:lhrslsshahi
LVL 61

Expert Comment

by:btan
ID: 39702949
Wondering if the below may help

http://technet.microsoft.com/library/cc753603(v=ws.10).aspx

The Machine Identity attribute group contains the Machine Identity attribute. With this attribute, you can specify the method with which clients are identified in the policy

Allowing unauthenticated access
If you choose to override the authentication settings that are configured in all network policies and to enable the connection request policy authentication setting Allow clients to connect without negotiating an authentication method, it is recommended that you also configure the connection request policy with the Authenticate requests on this server setting

Accept users without validating credentials. With this setting, NPS does not verify the identity of the user attempting to connect to the network and NPS does not attempt to verify that the user or computer has the right to connect to the network. When NPS is configured to allow unauthenticated access and it receives a connection request, NPS immediately sends an Access-Accept message to the RADIUS client and the user or computer is granted network access. This setting is used for some types of compulsory tunneling where the access client is tunneled before the user's credentials are authenticated.
LVL 45

Expert Comment

by:Craig Beck
ID: 39702967
Which method of 802.1x are you using - Computer Auth or User Auth?
LVL 61

Expert Comment

by:btan
ID: 39702971
If you catch this, there are policies that may help:

"Noncompliant-Restricted" - Failing one or more SHV checks, NPS instructs the DHCP server to offer the client an IP lease with the special NAP "restricted" scope options.

"policy for backwards compatibility"- Creates a rule that allows machines that are not NAP-aware to be granted normal access to the network (given default scope options by the DHCP server). This policy should be evaluated last and only needs to be created and enabled when such machines require network access

"policy using Exempt by MAC"- Uses a condition statement where the RADIUS client property of Calling Station ID matches the MAC address of those devices that require a NAP bypass. When machine matches this policy statement, NPS will instruct DHCP to offer a lease with "normal" scope options.

http://technet.microsoft.com/en-us/magazine/2007.05.securitywatch.aspx
http://technet.microsoft.com/en-us/magazine/2008.04.cableguy.aspx

Author Comment

by:lhrslsshahi
ID: 39702973
We are using user auth. Depending on which group VLAN they are assigned to, they get the IP via DHCP.
LVL 45

Expert Comment

by:Craig Beck
ID: 39702975
Ok, if you're using User Auth the non-cached clients might not be able to log in if the authentication request can't be processed because the PC can't talk to an AD DC.

Author Comment

by:lhrslsshahi
ID: 39702979
What options do we have?
LVL 45

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 39703110
If you want new users (users who haven't got a cached logon on that PC) to be able to connect you need to use Computer authentication first, then User authentication.

So, you'd authenticate the PC against the RADIUS using a Computer Certificate, then the user would log in using their AD credentials.

Author Comment

by:lhrslsshahi
ID: 39703710
Ok, do you have any documentation or links that you can share? This seems the right and most sensible approach. From experience, is this the most preferred method, to use computer auth with user auth?
LVL 61

Expert Comment

by:btan
ID: 39703876
As long as you are using 802.1x, machine auth is needed using a machine cert. User auth is based on either password or cert depending on config. As mentioned earlier in my post, the bypass using MAC for network policy via RADIUS should also be applicable.
LVL 45

Expert Comment

by:Craig Beck
ID: 39704180
Yep, as breadtan said, MAC auth can be used for PCs. However, it's a bit long-winded to add all the MAC addresses to AD for your machines. If you use a computer certificate you can automate the process using Autoenrolment via GPO and it's 100000 times more secure.

Author Comment

by:lhrslsshahi
ID: 39704315
Craig,

Looks like the computer authentication certificate seems to be the way to go.

Just to get a better understanding in layman's terms how does the computer authentication get past the non cached profile issue?

Currently only users who leave themselves logged in on the office PC are able to log in via RDP on VPN.

With computer authentication, will it get around this issue also, so if they don't remain logged in they can still access the PC via RDP?
LVL 45

Expert Comment

by:Craig Beck
ID: 39704354
Users who haven't logged in can't authenticate to a DC because the PC has no network connectivity.

If you use computer authentication you allow the PC onto the network before a user has authenticated, so it has the network connectivity required to allow a non-cached user to authenticate to a DC prior to login.

Author Comment

by:lhrslsshahi
ID: 39704398
Makes sense for me now.

Thanks for your time and help.