Question
Wednesday, June 15, 2016 11:12 AM
We have implemented a basic 802.1x wired EAP-TLS configuration. Now only domain workstations with a valid certificate get access to our internal network; this is working perfectly.
However, we want to extend this configuration with dynamic VLAN assignment based on an Active Directory group a user is a member of. Is this possible? As far as I understand, the 802.1x authentication is finished before the user logs on, so the user authentication concerned is handled by the domain controller instead of the NPS server. If it is possible anyway, can someone point me in the right direction on how to set this up? I can't find much on this specific scenario.
Our environment uses Windows 7 clients, Windows 2012 R2 servers and Cisco network devices.
All replies (19)
Tuesday, July 12, 2016 9:24 AM ✅ Answered
Hi Anne,
I have finished up this case with Microsoft. Conclusion: with NPS it is not possible to do an automatic re-authentication based on the user if the computer is already authenticated. For the re-authentication the NIC needs to be brought down and up again, and that is only possible if you create a scheduled task for this or script it at user logon.
Kind regards,
Michiel
Thursday, June 16, 2016 2:10 AM
Hi MD_1977,
According to your description, you want to assign users in different groups to specific VLANs with the NPS server. Then the standard RADIUS attributes "Tunnel-Medium-Type", "Tunnel-Pvt-Group-ID" and "Tunnel-Type" need to be used.
I found a third-party article that provides an example, you may read it for detailed configuration thoughts:
http://wifinigel.blogspot.sg/2014/03/microsoft-nps-as-radius-server-for-wifi_18.html
(Since this is a third-party article, it may change its content without notification; we cannot guarantee its security.)
Configure a Network Policy for VLANs
https://technet.microsoft.com/en-us/library/cc772124%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
Best Regards,
Anne
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected].
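To make the three tunnel attributes concrete, here is an added example (not code from the thread, from Microsoft, or from the linked articles) that builds the attribute triple an NPS network policy returns in a RADIUS Access-Accept for a VLAN assignment and then decodes it the way a switch would. Attribute numbers and values come from RFC 2868 (Tunnel-Type 64 with value 13 = VLAN, Tunnel-Medium-Type 65 with value 6 = IEEE-802, Tunnel-Private-Group-ID 81 carrying the VLAN id); the VLAN number 35 and tag 1 are constructed sample values. The decoder refuses incomplete or inconsistent triples rather than guessing, which is the behaviour you want when auditing what a policy actually sends.

```python
"""Encode/decode the RFC 2868 tunnel attributes used for dynamic VLAN assignment.

Added example, not from the original thread. Attribute numbers and enumerated
values are from RFC 2868 / IANA; VLAN ids and tags below are constructed.
"""
import struct

TUNNEL_TYPE = 64               # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13          # Tunnel-Type "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type "IEEE-802"


def _avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1) Value; Length counts the header."""
    if len(value) + 2 > 255:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(tag: int, value: int) -> bytes:
    """Tagged integer per RFC 2868: 1 tag byte followed by a 3-byte big-endian value."""
    return struct.pack("!B", tag) + struct.pack("!I", value)[1:]


def encode_vlan_assignment(vlan_id: int, tag: int = 1) -> bytes:
    """Attributes an NPS policy would send to put the port in `vlan_id` (constructed)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return (
        _avp(TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPE_VLAN))
        + _avp(TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
        + _avp(TUNNEL_PRIVATE_GROUP_ID, struct.pack("!B", tag) + str(vlan_id).encode("ascii"))
    )


def parse_avps(data: bytes):
    """Yield (type, value) pairs; reject truncated or malformed lengths."""
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[i + 2 : i + length]
        i += length


def decode_vlan_assignment(data: bytes):
    """Return the VLAN id (int) or VLAN name (str) a switch should apply, or None
    when the attribute set is missing, not a VLAN assignment, or tag-inconsistent."""
    tunnel_type = medium = group = None
    for attr_type, value in parse_avps(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            parsed = (value[0], int.from_bytes(value[1:], "big"))
            if attr_type == TUNNEL_TYPE:
                tunnel_type = parsed
            else:
                medium = parsed
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if not value:
                raise ValueError("empty Tunnel-Private-Group-ID")
            # RFC 2868: a leading byte above 0x1F is not a tag but part of the string.
            if value[0] > 0x1F:
                group = (0, value.decode("ascii"))
            else:
                group = (value[0], value[1:].decode("ascii"))
    if tunnel_type is None or medium is None or group is None:
        return None
    if tunnel_type[1] != TUNNEL_TYPE_VLAN or medium[1] != TUNNEL_MEDIUM_IEEE_802:
        return None
    # The two integer attributes must carry the same tag; the group id may be untagged.
    if tunnel_type[0] != medium[0] or group[0] not in (0, tunnel_type[0]):
        return None
    vlan = group[1]
    if vlan.isdigit():
        vlan_id = int(vlan)
        return vlan_id if 1 <= vlan_id <= 4094 else None
    return vlan  # a VLAN name; the switch resolves it locally


if __name__ == "__main__":
    accept = encode_vlan_assignment(35)
    print(accept.hex(), "->", decode_vlan_assignment(accept))
```

Running the block prints the 17-byte attribute block for VLAN 35 and decodes it back to 35; feeding it only the first two attributes yields None, which is the situation behind a port that authenticates but never moves VLAN.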
Thursday, June 16, 2016 7:23 AM
Thanks for your reply.
I understand the part of the VLAN assignment. We also have this part working based on computer group membership.
However, what we want is that when a user logs on, he gets a VLAN assigned based on his group membership. So NPS has multiple rules, one for computer access and a second one for user access. Is this scenario possible?
I already tried several Windows 7 NIC authentication settings, but when I turn on the advanced "User or Computer authentication" option, the clients only work when there are two certificates (one computer and one user). But the user certificate isn't available yet because the auto enrollment starts after authentication has succeeded.
Friday, June 17, 2016 7:26 AM
Hi MD_1977,
I'm still researching your requirements; I'll report back as soon as I get any result. Thanks for your patience.
Best Regards,
Anne
Tuesday, June 21, 2016 7:45 AM
Hi MD_1977,
Sorry for the late reply.
>So NPS has multiple rules, one for computer access and a second one for user access. Is this scenario possible?
Yes, it is possible. In the NPS policy's conditions, we can add both a Windows group and a User group.
> I already tried several Windows 7 NIC authentication settings but when I turn on the advanced "User or Computer authentication" option, the clients only works when there are two certificates (one computer and one user).
It's the normal behavior when we select "User or Computer authentication" mode.
If we select "Computer authentication" mode, then Windows only supports 802.1X authentication with computer credentials before user logon;
If we select "User authentication" mode, then Windows only supports 802.1X authentication with user credentials after user logon;
If we select "Computer or user" mode, then Windows can perform both computer-credential and user-credential authentication. This mode is usually used for roaming clients: when they start up, Windows performs computer-credential authentication before logon, and if they roam to other APs, they can use user credentials to authenticate. So, in order to support both authentication methods, it needs both a user certificate and a computer certificate.
Best Regards,
Anne
Tuesday, June 21, 2016 8:13 AM
Well, actually our clients are not roaming, but our users are. So one day user X is sitting at PC1, the next day user X is sitting at PC2. What we are trying to accomplish is that whatever PC a user is using, the user is always working in the same VLAN, so he always has access to the same network resources.
This should be possible using both user and computer authentication, but the problem in the EAP-TLS scenario is that the user certificate isn't available locally yet. I mean, the user certificate autoenrollment works only after the user has authenticated, right? So if we want such a scenario, our only option is to use smartcards, or am I missing something?
Tuesday, June 21, 2016 8:45 AM
Hi MD_1977,
>but the problem in the EAP-TLS scenario is, that the user certificate isn't available locally yet. I mean, the user certificate autoenrollment works only after the user has authenticated, right?
Check whether you have enabled autoenrollment for user certificates; let's try this:
Configure User Certificate Autoenrollment
https://technet.microsoft.com/en-us/library/cc771882(v=ws.10).aspx
Best Regards,
Anne
Tuesday, June 21, 2016 10:09 AM
Hello Anne,
I am working with MD on this case and would like to clarify our wish.
Users roam throughout the building and are logging on to wired computers. We would like to do a second vlan assignment based on user credentials.
So when the computer starts it will be put in a specific VLAN (based on its certificate) to load its computer policies (let's say VLAN 20); then it sits idle waiting for the user to log on, and when the user logs on using his or her username and password (not a certificate, just username and password) the computer will be put in a VLAN based on the user's AD group memberships (for example, if a user is a member of AD security group VLAN_35, the computer will be put in VLAN 35).
Is this scenario possible? Or is the only possibility to use computer AND user certificates? If that is the case, when is the user certificate loaded: is that during the first logon? If a user has never logged on to a computer before and logs on for the first time, will the certificate be loaded immediately so it can be used, or does the user first have to log on, after which the certificate is placed and can be used from the second logon on?
Kind regards,
Michiel
Thursday, June 23, 2016 8:28 AM
Hi Michiel van Heerde,
>So when the computer starts it will be put in a specific vlan (based on it's certificate) to load its computer policies (let's say VLAN 20), then it sits idle waiting for the user to log on and when the user logs on using his or her username and password (not a certificate, just username and password) the computer will be put in a vlan based on the users AD group memberships (for example, if a user is a member of AD security group VLAN_35 the computer will be put in vlan 35).
Is this scenario possible?
Check if my understanding is correct: when the computer starts up, it uses its computer certificate to connect to WiFi and is assigned to VLAN 20; when a user logs on to this computer, it can switch to using the user certificate to connect again and be assigned to VLAN 35.
If my understanding is correct, then I don't think it can be deployed: computer certificate authentication and user certificate authentication cannot be used at the same time.
Best Regards,
Anne
Thursday, June 23, 2016 9:02 AM
Hi Anne,
No, all computers are connected to a wired network.
We want to use the computer certificate to place the computer in a specific VLAN at startup so it can load its policies (for example VLAN 20). Then when the user logs on by using his username and password (not a user certificate), we want to place the computer in another VLAN based on the user's Active Directory group memberships (for example, the user is a member of AD group vlan35_members and based on that the computer is placed in VLAN 35).
Kind regards,
Michiel
Friday, June 24, 2016 2:41 AM
Hi Michiel van Heerde,
As far as I know, if you select the "User or Computer authentication" mode, then when users log on to the computer, it will re-authenticate and be assigned to VLAN 35. Does that work?
Best Regards,
Anne
Friday, June 24, 2016 8:51 AM
Hi Anne,
When I choose "User or Computer authentication" I would assume authentication takes place based on user OR computer authentication, but if I understand you correctly, authentication takes place based on computer AND user authentication?
Because the user does not have a certificate or smartcard, I have to change the authentication method on the client to Microsoft Protected EAP, and by doing so I lose the ability to do computer authentication based on the computer certificate. Is that correct?
When I add Microsoft Protected EAP with Secured password (EAP-MSCHAP v2) to the Connection Request Policy of the switch and to the Network Policies of both the computers and the users, and I restart the client, I can see in the Event Viewer that the computer is authenticated based on its credentials:
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Result: Full Access
But there is no entry when I log on the user, so to my understanding the user authentication is not done through the NPS server.
When I look at the Network Center on the client, I first see that the authentication has failed on the NIC, but by pressing F5 it seems to re-authenticate and the connection is verified; but, again, nothing is written to the Event Viewer of the NPS server.
Now when I disable and enable the NIC, it shows a verification failure; when I look at the Event Viewer of the NPS server, I see the computer is being authenticated again AND it shows an entry for the user telling me that the user does not exist:
Reason Code: 8
Reason: The specified user account does not exist.
Can you tell me if I am missing something here?
Kind regards,
Michiel
Tuesday, June 28, 2016 10:53 AM
Hi Anne,
I have done more testing and abandoned the computer certificate authentication wish for this test.
What I have done is set the authentication method to PEAP - MSCHAP v2 for both computer and user. When the computer is started, I see log entries on the NPS server stating that the computer is placed in the correct VLAN based on a computer policy; when the user logs on, there is no entry in the logs on the NPS server. When I go to the Network Center on the client and disable and enable the NIC, I do see log entries for the user on the NPS server stating that it is placed in the correct VLAN based on an NPS user policy.
[edit]When the user logs off there is a re-authentication, workstation is placed back in the vlan that is stated in the computer policy[/edit]
So it seems that there is no re-authentication being done when the user logs on, could you verify that this should be done?
Kind regards,
Michiel
Wednesday, June 29, 2016 8:31 AM
Hi Michiel van Heerde,
>So it seems that there is no re-authentication being done when the user logs on, could you verify that this should be done?
Since we do not have a physical device to implement an environment similar to yours and test the real behavior, and we have struggled with this issue for a period of time, I would suggest opening a case with MS, so that a more in-depth investigation will be done and you'll get a better solution much sooner.
If you want, here is the link:
https://support.microsoft.com/en-us/gp/support-options-for-business
Best Regards,
Anne
Wednesday, June 29, 2016 8:56 AM
Hi Anne,
Thank you for your reply, I have opened a case and will report back if there is any progress.
Kind regards,
Michiel
Wednesday, June 29, 2016 8:57 AM
> Hi Anne,
> Thank you for your reply, I have opened a case and will report back if there is any progress.
> Kind regards,
> Michiel
It's kind of you :)
Thursday, July 7, 2016 8:47 AM
Hi Michiel & MD,
Have you got any progress with the issue from MS?
Best Regards,
Anne
Thursday, July 7, 2016 9:16 AM
Hi Anne,
Not yet, tomorrow we will do another webex session.
Kind regards,
Michiel
Tuesday, July 12, 2016 9:28 AM
Hi Michiel van Heerde,
It's kind of you to report back, and thanks for sharing!
Best Regards,
Anne