Solved

Network access protection 802.1x domain logon issue

Posted on 2013-12-06
14
859 Views
Last Modified: 2013-12-08
Hi

We have recently implemented NAP however we are experiencing problems if a user has not logged on before on the desktop or laptop they are unable to obtain IP from DHCP hence not being able to login.

How can we implement NAP so even if the domain or local user credentials are not cached they are able to pick an IP and login for the first time?
Question by:lhrslsshahi
14 Comments
 
LVL 63

Expert Comment

by:btan
ID: 39702949
Wondering if the below may help

http://technet.microsoft.com/library/cc753603(v=ws.10).aspx

The Machine Identity attribute group contains the Machine Identity attribute. With this attribute, you can specify the method with which clients are identified in the policy.

Allowing unauthenticated access
If you choose to override the authentication settings that are configured in all network policies and to enable the connection request policy authentication setting Allow clients to connect without negotiating an authentication method, it is recommended that you also configure the connection request policy with the Authenticate requests on this server setting.

Accept users without validating credentials. With this setting, NPS does not verify the identity of the user attempting to connect to the network and NPS does not attempt to verify that the user or computer has the right to connect to the network. When NPS is configured to allow unauthenticated access and it receives a connection request, NPS immediately sends an Access-Accept message to the RADIUS client and the user or computer is granted network access. This setting is used for some types of compulsory tunneling where the access client is tunneled before the user's credentials are authenticated.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39702967
Which method of 802.1x are you using - Computer Auth or User Auth?
0
 
LVL 63

Expert Comment

by:btan
ID: 39702971
If you look at this, there are policies that may help:

"Noncompliant-Restricted" - Failing one or more SHV checks, NPS instructs the DHCP server to offer the client an IP lease with the special NAP "restricted" scope options.

"policy for backwards compatibility" - Creates a rule that allows machines that are not NAP-aware to be granted normal access to the network (given default scope options by the DHCP server). This policy should be evaluated last and only needs to be created and enabled when such machines require network access.

"policy using Exempt by MAC" - Uses a condition statement where the RADIUS client property of Calling Station ID matches the MAC address of those devices that require a NAP bypass. When a machine matches this policy statement, NPS will instruct DHCP to offer a lease with "normal" scope options.

http://technet.microsoft.com/en-us/magazine/2007.05.securitywatch.aspx
http://technet.microsoft.com/en-us/magazine/2008.04.cableguy.aspx
0
 

Author Comment

by:lhrslsshahi
ID: 39702973
We are using user auth. According to which group VLAN they are assigned, they get the IP via DHCP.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39702975
Ok, if you're using User Auth the non-cached clients might not be able to log in if the authentication request can't be processed because the PC can't talk to an AD DC.
0
 

Author Comment

by:lhrslsshahi
ID: 39702979
What options do we have?
0
 
LVL 45

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 39703110
If you want new users (users who haven't got a cached logon on that PC) to be able to connect you need to use Computer authentication first, then User authentication.

So, you'd authenticate the PC against the RADIUS using a Computer Certificate, then the user would log in using their AD credentials.
0
 

Author Comment

by:lhrslsshahi
ID: 39703710
Ok, do you have any documentation or links that you can share? This seems the right and most sensible approach. From experience, is this the most preferred method, to use computer auth with user auth?
0
 
LVL 63

Expert Comment

by:btan
ID: 39703876
As long as you are using 802.1x, machine auth is needed using a machine cert. User auth is based on either password or cert depending on config. As mentioned earlier in my post, the bypass using MAC for the network policy via RADIUS should also be applicable.
0
 
LVL 63

Expert Comment

by:btan
ID: 39703914
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39704180
Yep, as breadtan said, MAC auth can be used for PCs.  However it's a bit long-winded to add all the MAC addresses to AD for your machines.  If you use computer certificate you can automate the process using Autoenrolment via GPO and it's 100000 times more secure.
0
 

Author Comment

by:lhrslsshahi
ID: 39704315
Craig,

Looks like the computer authentication certificate seems to be the way to go.

Just to get a better understanding in layman's terms how does the computer authentication get past the non cached profile issue?

Currently only users who leave themselves logged in on the office PC are able to log in via RDP over VPN.

With computer authentication, will it get around this issue also so if they don't remain logged in they can still access the PC via RDP?
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39704354
Users who haven't logged in can't authenticate to a DC because the PC has no network connectivity.

If you use computer authentication you allow the PC onto the network before a user has authenticated, so it has network connectivity which is required to allow a non-cached user to authenticate to a DC prior to login.
0
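A worked example of the approach Craig describes (the PC authenticates with an autoenrolled computer certificate at boot, then the user authenticates after logon), added here and not code from the thread or from Microsoft's documentation. It assumes Wired AutoConfig (dot3svc) is available, an enterprise CA autoenrolls a computer certificate with the Client Authentication EKU, an NPS server at the placeholder name nps.example.local, an interface named Ethernet, and that the wired profile XML follows the Windows LAN profile schema as I recall it; export a known-good profile with `netsh lan export profile` from a working machine and compare before pushing this through GPO.

```powershell
# Added example; not from the thread. Placeholders: interface name, NPS host name.
$InterfaceName = 'Ethernet'
$ProfilePath   = Join-Path $env:TEMP 'wired-8021x-machineOrUser.xml'

# 1. The wired supplicant only runs when Wired AutoConfig is running.
Set-Service -Name dot3svc -StartupType Automatic
Start-Service -Name dot3svc

# 2. Before any user logs on, the only credential the PC can present is a
#    machine certificate, so confirm one exists with the Client Authentication
#    EKU (1.3.6.1.5.5.7.3.2), a private key and a valid lifetime.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
}
if (-not $machineCerts) {
    Write-Warning 'No usable computer certificate found; trigger autoenrollment with "certutil -pulse" and check the autoenrollment GPO.'
}

# 3. Wired 802.1X profile: EAP-TLS (EAP type 13), authMode machineOrUser so the
#    PC authenticates at boot (giving it a DC-reachable network before logon)
#    and the user re-authenticates once logged in. Server-validation prompts are
#    disabled because nobody is at the console to answer them during boot.
$profileXml = @'
<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machineOrUser</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>13</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                  <CredentialsSource>
                    <CertificateStore>
                      <SimpleCertSelection>true</SimpleCertSelection>
                    </CertificateStore>
                  </CredentialsSource>
                  <ServerValidation>
                    <DisableUserPromptsForServerValidation>true</DisableUserPromptsForServerValidation>
                    <ServerNames>nps.example.local</ServerNames>
                  </ServerValidation>
                  <DifferentUsername>false</DifferentUsername>
                </EapType>
              </Eap>
            </Config>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</LANProfile>
'@
Set-Content -Path $ProfilePath -Value $profileXml -Encoding UTF8

# 4. Apply the profile to the wired interface and show what is now configured.
netsh lan add profile filename="$ProfilePath" interface="$InterfaceName"
netsh lan show profiles interface="$InterfaceName"
```

The point of authMode machineOrUser over userOnly is step 2: with a computer certificate in LocalMachine\My the supplicant can complete EAP-TLS during boot, the switch moves the port to an authenticated VLAN, DHCP hands out an address, and a user with no cached profile can then reach a domain controller at the logon screen. On NPS the matching network policy should require the certificate to chain to your enterprise CA and use the Domain Computers group as the condition, so a MAC-only bypass policy is not needed for domain-joined PCs.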
 

Author Comment

by:lhrslsshahi
ID: 39704398
Makes sense for me now.

Thanks for your time and help.
0
