802.1x configuration

Need the networking experts here!

Setting up 802.1x this week, going onsite tomorrow for a quick recce. What are the prerequisites to look for? Servers to install NPS on, etc.

Thanks in advance.
Asked by: Technical Information

noci (Software Engineer) commented:
802.1x is based on X.509 certificates, NOT the ones you buy, ones you generate yourself.
The RADIUS server allows all connections which are signed by a certain certificate (the root, self made for the organisation).
Any switch asks the RADIUS server if a client with a certain client certificate is acceptable; if so the RADIUS server returns all port settings required for that system, like VLAN, port speeds if applicable, priorities etc. etc.

On each client an 802.1x supplicant provides this info (certificate).
Disconnecting a client is revoking a certificate. It might be wise to have an intermediate certificate allowing you to bulk revoke ALL certificates without having to generate & configure a whole new root.

noci (Software Engineer) commented:
802.1x leans on RADIUS. So the NPS needs to support RADIUS. Switches need to support 802.1x (not all do...).
Those are the lowest requirements. Then some kind of certificate management is needed (should be with NPS, I guess).

Technical Information (author) commented:
Thanks for the quick reply.

Installing NPS on both domain controllers seems to be best practice. Do the settings replicate across?

Also with Certificate management, can you explain a little more?
Technical Information (author) commented:
OK thanks,

Running the command `certutil -config - -ping` returns a root CA. Can I use that?

noci (Software Engineer) commented:
There are a lot of details to check out. So first find what equipment there is, what systems need to be supported, and if there are supplicants for the end systems. Find configuration manuals on how to configure all items (depending on manufacturer etc.).
W.r.t. certificates, sign a subroot from the root CA used in the domain, and use that subdomain for access. Then if you need to revoke all 802.1x certificates you don't need to reconfigure everything, only the 802.1x items (think laptops that can be stolen; that laptop should not be able to reconnect...). And sometimes there is no CRL / OCSP checking in RADIUS servers.

Technical Information (author) commented:
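To make the two points above concrete (the RADIUS server accepting only certificates signed by the organisation's own CA and returning port settings, and issuing the 802.1x certificates from a subroot so they can be cut off without touching the domain root), here is an added example that is not from this thread and not NPS code: it builds a constructed root, an 802.1x sub-CA and two laptop certificates with the `cryptography` package, then models the server-side decision. All names, VLAN numbers and the revoked serial are made up.

```python
# Added example (not from the thread): models the RADIUS-side decision
# described above. A client cert is accepted only if it was signed by the
# organisation's 802.1x sub-CA and is not revoked; accepted clients get
# port settings back. Needs the 'cryptography' package; all names are made up.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def make_cert(cn, key, issuer=None, issuer_key=None, is_ca=False):
    """Issue a certificate for 'key'; self-signed when no issuer is given."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name)
               .issuer_name(issuer.subject if issuer else name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(minutes=5))
               .not_valid_after(now + timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(issuer_key or key, hashes.SHA256())

def signed_by(cert, issuer):
    """True if 'issuer' really signed 'cert' (ECDSA over the TBS bytes)."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return cert.issuer == issuer.subject
    except Exception:  # InvalidSignature or a non-EC issuer key: reject
        return False

def radius_decision(client_cert, dot1x_ca, revoked_serials, policy):
    """Return port settings for an acceptable supplicant, or None to reject."""
    if not signed_by(client_cert, dot1x_ca) or client_cert.serial_number in revoked_serials:
        return None
    cn = client_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return policy.get(cn, policy["default"])

# Constructed hierarchy: domain root -> 802.1x sub-CA -> laptop certificates
root_key, sub_key, lt1_key, lt2_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
ROOT = make_cert("Corp Root CA", root_key, is_ca=True)
DOT1X_CA = make_cert("Corp 802.1x CA", sub_key, ROOT, root_key, is_ca=True)
LAPTOP1 = make_cert("laptop1", lt1_key, DOT1X_CA, sub_key)
LAPTOP2 = make_cert("laptop2", lt2_key, DOT1X_CA, sub_key)
ROGUE = make_cert("laptop1", lt1_key)  # self-signed, merely claims the same name
POLICY = {"laptop1": {"vlan": 10}, "default": {"vlan": 20}}
REVOKED = {LAPTOP2.serial_number}  # e.g. the stolen laptop mentioned above
```

Because the check is anchored at the sub-CA rather than the domain root, replacing the sub-CA invalidates every 802.1x certificate at once while certificates issued elsewhere under the root are unaffected.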
What server should I install AD CS on? Is it ok to go on a DC?

noci (Software Engineer) commented:
Sorry, not enough knowledge on it. Certificate tooling should be an add-on... I think it also requires IIS to be installed.

Technical Information (author) commented:
OK thanks. What membership would the CA user require access to? Does it need to be a domain admin?

noci (Software Engineer) commented:
I run Linux & OpenVMS systems (and do some Windows on the side once in a blue moon, mostly end-user stuff).

Benjamin Van Ditmars commented:
What version of Windows Server are you running?

Configuring 802.1x is not a big job. Your design and knowledge of all attached devices is the pain in the ass.

Do all devices do 802.1x? Are you using phones with a built-in switch that is connected to the PC?

You have to modify all clients before you set up authentication; if you don't do this, nobody can connect.

This is the big question.