802.1x configuration

Need the networking experts here!

Setting up 802.1x this week, going onsite tomorrow for a quick recce. What are the prerequisites to look for? Servers to install NPS on, etc.

Thanks in advance.
Asked by Technical Information

noci (Software Engineer) commented:
802.1x leans on RADIUS, so the NPS needs to support RADIUS. Switches need to support 802.1x (not all do...).
Those are the lowest requirements. Then some kind of certificate management is needed (should be with NPS, I guess).
0
Technical Information (Author) commented:
Thanks for the quick reply.

Installing NPS on both domain controllers seems to be best practice. Do the settings replicate across?

Also, with certificate management, can you explain a little more?
0
noci (Software Engineer) commented:
802.1x is based on X.509 certificates, NOT the ones you buy, ones you generate yourself.
The RADIUS server allows all connections which are signed by a certain certificate (the root, self-made for the organisation).
Any switch asks the RADIUS server if a client with a certain client certificate is acceptable; if so, the RADIUS server returns all port settings required for that system, like VLAN, port speeds if applicable, priorities, etc.

On each client, an 802.1x supplicant provides this info (certificate)....
Disconnecting a client is revoking a certificate. It might be wise to have an intermediate certificate allowing you to bulk-revoke ALL certificates without having to generate and configure a whole new root.
0
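To make the exchange noci describes concrete (the switch asks the RADIUS server about the client, and the server answers with port settings such as the VLAN), here is an added example, not code from this thread or from NPS: a minimal Python model of a RADIUS Access-Accept carrying the RFC 2868 VLAN attributes, together with the shared-secret Response Authenticator the switch must verify before it trusts the answer. The shared secret, packet identifier and VLAN 20 are constructed demo values; the EAP-TLS certificate exchange that precedes this reply is not modelled.

```python
import hashlib
import hmac
import struct

# Constants from RFC 2865 (packet codes) and RFC 2868 (tunnel attributes used for VLAN assignment)
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

def attr(atype, value):
    """Encode one RADIUS attribute as Type | Length | Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def vlan_attributes(vlan_id, tag=0):
    """The three tunnel attributes a RADIUS server returns to put the switch port in a VLAN."""
    return (attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def build_access_accept(identifier, request_authenticator, attributes, secret):
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes

def verify_and_parse(packet, request_authenticator, secret):
    """Switch side: trust the reply only if the shared secret checks out, then extract the VLAN."""
    if len(packet) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    response_auth, attributes = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attributes + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return None  # forged or tampered reply: the port stays closed
    vlan, i = None, 0
    while i + 2 <= len(attributes):
        atype, alen = attributes[i], attributes[i + 1]
        if alen < 2 or i + alen > len(attributes):
            return None  # malformed attribute length
        if atype == TUNNEL_PRIVATE_GROUP_ID and alen > 3:
            vlan = int(attributes[i + 3:i + alen])  # skip the 1-byte tag; the value is the VLAN id
        i += alen
    return {"code": code, "id": identifier, "vlan": vlan}

if __name__ == "__main__":
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))  # constructed demo values
    reply = build_access_accept(7, req_auth, vlan_attributes(20), secret)
    print(verify_and_parse(reply, req_auth, secret))  # {'code': 2, 'id': 7, 'vlan': 20}
```

A real NPS deployment also sends Message-Authenticator and EAP attributes; this block shows only the part of the reply that decides which VLAN the switch assigns and why the shared secret between switch and NPS matters.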


Technical Information (Author) commented:
OK, thanks.

Running the command certutil -config - -ping returns a root CA. Can I use that?
0
noci (Software Engineer) commented:
There are a lot of details to check out. So first find what equipment there is, what systems need to be supported, and if there are supplicants for the end systems. Find configuration manuals on how to configure all items (depending on manufacturer etc.).
W.r.t. certificates, sign a subroot from the root CA used in a domain, and use that subdomain for access. Then if you need to revoke all 802.1x certificates you don't need to reconfigure everything, only the 802.1x items (think laptops that can be stolen; that laptop should not be able to reconnect...). And sometimes there is no CRL / OCSP checking in RADIUS servers.
0
Technical Information (Author) commented:
What server should I install AD CS on? Is it OK to go on a DC?
0
noci (Software Engineer) commented:
Sorry, not enough knowledge on it. Certificate tooling should be an add-on... I think it also requires IIS to be installed.
0
Technical Information (Author) commented:
OK thanks, what membership would the CA user require access to? Does it need to be a domain admin?
0
noci (Software Engineer) commented:
I run Linux & OpenVMS systems (and do some Windows on the side once in a blue moon, mostly end-user stuff).
0
Benjamin Van Ditmars (Sr Network Engineer) commented:
What version of Windows Server are you running?

Configuring 802.1x is not a big job. Your design and knowledge of all attached devices is the pain in the ass.

Do all devices do 802.1x? Are you using phones with a built-in switch that is connected to the PC?

You have to modify all clients before you set up authentication; if you don't do this, nobody can connect.

This is the big question.
0