802.1X certificate
Labminutes# sec0045 – cisco ise 1.1 wired 802.1x and
I’m not sure where certificates are used instead of the PC authenticating using PEAP/EAP (I believe that’s the protocol I’m thinking of) and passing the RADIUS server its domain computer account credentials.
To make 802.1x work, you’ll need to turn on the Windows Certificate Authority and Network Policy Server.
In essence, you’ll enroll your devices to obtain a certificate from the CA, and the network devices will validate that certificate against the CA in order to perform 802.1X.
I’m not sure how the switch would be able to trust the device in that case.
The point, I believe, is that if a machine is joined to a domain (or a specific group, or whatever you want NPS to allow), it is also authenticated to use the LAN.
If I yank your Ethernet cable and plug it into my gear, it needs something to distinguish your company PC from my rogue laptop.
On this initial association, the RADIUS server issues a certificate to the wireless client, allowing it to authenticate with the RADIUS server. The server does not need to be reauthenticated the next time the client computer connects to an access point that is a client of this server.
Labminutes# sec0092 – cisco acs 5.4 wired 802.1x peap
The supplicant, also known as the client, is the device that is trying to connect to the network. The Aruba user-centric network can be configured to support 802.1x authentication for both wired and wireless users.
The Aruba controller serves as an authenticator, relaying data from the authentication server to the supplicant. The authentication server and supplicant must use the same EAP type, and the controller must be able to see it.
The 802.1X authentication server is usually an EAP-compliant Remote Access Dial-In User Service (RADIUS) server that can authenticate either users or client computers (via passwords or certificates).
You can disable 802.1x authentication on the controller in Aruba user-centric networks. The controller sends user authentication to an internal database or a non-802.1X “backend” server. This feature, also known as AAA FastConnect, is helpful in situations where an 802.1X EAP-compliant RADIUS server is not available or needed for authentication.
Windows 2012 domain controller 802.1x authentication
802.1X is a difficult subject to grasp, and, like the rest of networking, it can be difficult to know where to begin learning about it. Fortunately, we’ve had the privilege of working with 802.1X since its inception, and we did our best to explain everything we know about it. We’ll go over how 802.1X works, its components, what it’s used for, vulnerabilities, how to set it up, and a whole lot more in the sections below.
An authentication mechanism is required for devices attempting to connect to a LAN or WLAN. Protected authentication for secure network access is provided by IEEE 802.1X, an IEEE Standard for Port-Based Network Access Control (PNAC).
An 802.1X network differs from home networks in one important way: it includes a RADIUS server for authentication. It checks a user’s credentials to see if they are an active member of the group, and then grants them different levels of network access based on the network policies. This allows each user to have their own set of credentials or certificates, rather than relying on a single network password that can be easily stolen.
Configuration tip: axis device manager – deploy 802.1x
Users or computers in a domain may be authenticated using WPA2-Enterprise with 802.1X authentication. Using an EAP method configured on the RADIUS server, the supplicant (wireless client) authenticates against the RADIUS server (authentication server). The authentication messages between the supplicant and the authentication server are relayed by the gateway AP (authenticator). This means that the RADIUS server is in charge of user authentication.
EAPOL exchanges with supplicants are converted by the APs into RADIUS Access-Request messages, which are sent to the RADIUS server’s IP address and UDP port specified in Dashboard. To grant the supplicant access to the network, the gateway AP must receive a RADIUS Access-Accept message from the RADIUS server.
To prevent firewall, routing, or authentication delays, it is recommended that the RADIUS server and gateway APs be located within the same layer-2 broadcast domain. Keep in mind that the AP is not responsible for wireless client authentication and only serves as a conduit between clients and the RADIUS server.
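The three-party exchange described in the Aruba and Meraki paragraphs above (supplicant, authenticator, authentication server) modelled as a small RADIUS relay. This is an added example, not code from any vendor or from the original page; the function names, the shared secret, the allowed-identity set and the toy `radius_server`/`rogue_server` are all constructed for illustration. What it shows that the prose does not: the authenticator only opens the port on an Access-Accept whose Response Authenticator (RFC 2865: MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the shared secret) verifies, so an Access-Accept from a party that does not hold the secret leaves the port unauthorized.

```python
"""Constructed model of an 802.1X authenticator relaying EAP to RADIUS (RFC 2865 framing)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS Code values
ATTR_USER_NAME, ATTR_EAP_MESSAGE = 1, 79                  # attribute types (RFC 2865 / RFC 3579)

SHARED_SECRET = b"constructed-shared-secret"              # constructed sample value
ALLOWED_IDENTITIES = {"host/corp-pc.example.test"}        # constructed stand-in for "domain members"
EAP_ID = b"\x02\x01\x00\x05\x01"                          # constructed EAP-Response/Identity bytes


def encode_attrs(attrs):
    """Type-Length-Value encoding of RADIUS attributes (length covers the 2-byte header)."""
    out = b""
    for attr_type, value in attrs:
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(body):
    """Inverse of encode_attrs; stops on a malformed (length < 2) attribute."""
    attrs, pos = {}, 0
    while pos + 2 <= len(body):
        attr_type, length = body[pos], body[pos + 1]
        if length < 2:
            break
        attrs[attr_type] = body[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(ident, identity, eap_response):
    """Authenticator wraps the supplicant's EAP-Response in an Access-Request."""
    request_auth = os.urandom(16)  # Request Authenticator: 16 unpredictable bytes
    body = encode_attrs([(ATTR_USER_NAME, identity.encode()),
                         (ATTR_EAP_MESSAGE, eap_response)])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + request_auth + body, request_auth


def build_response(code, ident, request_auth, secret, attrs=()):
    """Server reply; ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(packet, ident, request_auth, secret):
    """Authenticator-side check: length, matching Identifier and Response Authenticator.

    Returns the RADIUS Code on success, None if the reply is malformed or not
    authenticated with the shared secret."""
    if len(packet) < 20:
        return None
    header, response_auth, body = packet[:4], packet[4:20], packet[20:]
    code, pkt_ident, length = struct.unpack("!BBH", header)
    if length != len(packet) or pkt_ident != ident:
        return None
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return None
    return code


def radius_server(packet, secret):
    """Toy authentication server: Access-Accept only for identities in the allowed set."""
    _, ident, _ = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    identity = decode_attrs(packet[20:]).get(ATTR_USER_NAME, b"").decode(errors="replace")
    decision = ACCESS_ACCEPT if identity in ALLOWED_IDENTITIES else ACCESS_REJECT
    return build_response(decision, ident, request_auth, secret)


def rogue_server(packet, _secret):
    """Constructed party that answers Access-Accept without knowing the real secret."""
    _, ident, _ = struct.unpack("!BBH", packet[:4])
    return build_response(ACCESS_ACCEPT, ident, packet[4:20], b"guessed-secret")


def authenticate_port(identity, eap_response, server, secret=SHARED_SECRET):
    """Authenticator logic: relay EAP, open the port only on a verified Access-Accept."""
    ident = 0x2A  # RADIUS Identifier; used to match the reply to this request
    request, request_auth = build_access_request(ident, identity, eap_response)
    reply = server(request, secret)
    code = verify_response(reply, ident, request_auth, secret)
    return "authorized" if code == ACCESS_ACCEPT else "unauthorized"


if __name__ == "__main__":
    print("domain PC   :", authenticate_port("host/corp-pc.example.test", EAP_ID, radius_server))
    print("rogue laptop:", authenticate_port("rogue-laptop", EAP_ID, radius_server))
    print("rogue server:", authenticate_port("rogue-laptop", EAP_ID, rogue_server))
```

The port-state decision lives entirely in `authenticate_port`: the authenticator never inspects the EAP payload itself, which is the "conduit" role the paragraph above describes, and the only thing it trusts is a reply bound to its own Request Authenticator under the shared secret.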