
I'm doing some research here regarding possible implementations of 802.1x wired authentication with single sign-on, where the domain username/password is used for 802.1x authentication.

Initially the user is connected to the network through a VLAN without DHCP or access to any network resource. Basically only the wired interface can get authenticated, as EAPOL doesn't require any Layer 3 information to be exchanged. This is working fine: after 802.1x authentication the network interface is granted full access, which is done by moving it into another VLAN with DHCP and all the needed stuff.

But I have no idea what happens if a user tries to authenticate on a computer where no credentials are cached, as the user can't reach any domain resources unless the wired interface is authenticated.

So my question: when a user enters domain credentials on initial login, will 802.1x authentication be performed before logging into the domain? Because if Windows initially tries to log the user in and only then performs 802.1x authentication, it will definitely fail, as without successful 802.1x the computer has no access to domain/AD resources.

Thank you!

Vieplis
  • Is the computer authenticating using 802.1x? – Greg Askew Feb 06 '13 at 15:38
  • Yes, network access is granted through 802.1x authentication of the wired LAN interface. – Vieplis Feb 06 '13 at 15:41
  • Well, if the computer is successfully authenticated via 802.1x, why would the computer "have no access to domain/AD resources"? – Greg Askew Feb 06 '13 at 15:44
  • I may have expressed myself unclearly. Assuming a new user joins the network and enters his domain credentials: will 802.1x happen and the wired interface come up, or will login fail because the computer can't reach the domain controller, as 802.1x hasn't happened yet and the interface has no proper connectivity? – Vieplis Feb 07 '13 at 06:54
  • If the *computer* is configured for 802.1x authentication, and the *computer* is authenticating correctly, it should have domain connectivity by the time the logon dialog appears, or shortly after. – Greg Askew Feb 07 '13 at 12:17
  • So what you mean is: there should be machine authentication configured in order for the user to log in successfully in this case? – Vieplis Feb 07 '13 at 12:40
  • Yes, if there is not a cached logon, there must be machine authentication for all logons, not just 802.1x. – Greg Askew Feb 07 '13 at 13:12
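The comment thread ends with the point that a first-time (uncached) domain logon only works if the *computer* authenticates the port before the logon prompt, i.e. the wired profile must use machine (or machine-or-user) authentication rather than user-only. The following PowerShell script is an added example, not part of the original post or any Microsoft tooling: it audits a Windows client for exactly that failure mode by exporting the active wired 802.1X profile with `netsh lan export profile` and reading the OneX `authMode` element. It assumes the Wired AutoConfig service (dot3svc) is present, that `netsh lan` is available, and that the adapter is named "Ethernet" (an assumption; pass your own interface name).

```powershell
# Added example (not from the original post): audit the wired 802.1X profile on a
# Windows client for the failure mode discussed in the thread, where user-only
# authentication leaves an uncached domain logon with no path to a domain controller.
# Assumes dot3svc and "netsh lan" exist and the adapter is called "Ethernet"
# (assumption; override with -InterfaceName).
param(
    [string]$InterfaceName = "Ethernet",
    [string]$ExportDir = (Join-Path $env:TEMP "lanprofile-audit")
)

# Wired AutoConfig must be running, otherwise no wired 802.1X is ever attempted.
$svc = Get-Service -Name dot3svc -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    Write-Warning "Wired AutoConfig (dot3svc) is not running; no wired 802.1X will occur."
}

# Export the active wired profile as XML so its OneX settings can be inspected.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
netsh lan export profile folder="$ExportDir" interface="$InterfaceName" | Out-Null

$profileFile = Get-ChildItem -Path $ExportDir -Filter *.xml | Select-Object -First 1
if (-not $profileFile) { throw "No wired profile exported for interface '$InterfaceName'." }

[xml]$lanXml = Get-Content -Path $profileFile.FullName
$ns = New-Object System.Xml.XmlNamespaceManager($lanXml.NameTable)
$ns.AddNamespace('lan',  'http://www.microsoft.com/networking/LAN/profile/v1')
$ns.AddNamespace('onex', 'http://www.microsoft.com/networking/OneX/v1')

# Small helper: return an element's text or a marker when it is absent from the profile.
function Get-NodeText([xml]$Doc, [string]$XPath, $Nsm) {
    $node = $Doc.SelectSingleNode($XPath, $Nsm)
    if ($node) { $node.InnerText } else { 'not configured' }
}

$oneXEnabled = Get-NodeText $lanXml '//lan:OneXEnabled' $ns
$authMode    = Get-NodeText $lanXml '//onex:authMode' $ns
$ssoType     = Get-NodeText $lanXml '//onex:singleSignOn/onex:type' $ns
$machineAuth = $authMode -in @('machine', 'machineOrUser')

[pscustomobject]@{
    Interface    = $InterfaceName
    OneXEnabled  = $oneXEnabled
    AuthMode     = $authMode
    SingleSignOn = $ssoType
    MachineAuth  = $machineAuth
}

if ($oneXEnabled -ne 'true') {
    Write-Warning "802.1X is not enabled on this wired profile."
}
elseif (-not $machineAuth) {
    # This is the scenario from the question: the port is only authenticated after a
    # user logs on, so a logon with no cached credentials never reaches a DC.
    Write-Warning ("authMode=$authMode: the port is authenticated only after user logon. " +
                   "Set authMode to machineOrUser (or machine) in the Wired Network " +
                   "(IEEE 802.3) policy so the computer authenticates before the logon prompt.")
}
else {
    Write-Host "Machine authentication is enabled; the computer can authenticate the port before logon."
}
```

Run it elevated on a domain-joined client (`.\Audit-WiredDot1x.ps1 -InterfaceName "Ethernet"`). `MachineAuth = True` together with `SingleSignOn = preLogon` is the combination the thread is describing: the machine account authenticates at boot, the port is moved to the production VLAN, and the user's credentials are then forwarded for both domain logon and 802.1X. With `authMode=user` the script warns, because that is the configuration under which an uncached logon fails for lack of a reachable domain controller.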

0 Answers