802.1x wireless versus wired

Discussion in 'Wireless Networking' started by Wimbo, Feb 8, 2006.

  1. Wimbo

    Wimbo Guest

    Hello,

    we have a network environment consisting of wireless APs and 'normal' wired
    access. We use 802.1x successfully for our domain users. The authentication
    method used is EAP-TLS.

    Components used: AD, Enterprise CA, Windows 2003 servers, MS IAS and Windows
    XP SP2 PCs.

    We now want to extend the 802.1x security to our wired switches (Cisco 35xx
    I thought). These switches support 802.1x authentication and at first
    everything seems to work fine.

    However,
    there seems to be a difference between 802.1x wireless and the wired
    equivalent. With wireless we have both machine AND user authentication and
    this works perfectly. The need for this is that the machine can log on to
    the domain without the need of a user logged on. This is helpful in
    spreading updates etc. to these machines. This also solves the problem that,
    when a user logs on, there isn't a DC around (because the network link
    is still down).
    The same is needed for the wired machines. But when we investigated the
    logon and authentication process, it seems that on wired PCs only machine
    authentication is done, and that user authentication is skipped somehow.

    This behaviour is killing for so-called user-based VLANs (which would be the
    next step). This would enable us to let the IT staff log on to any PC in the
    network and be directed to the appropriate (management) VLAN.

    B.t.w. this user-based VLAN (SSID) thing does work with wireless clients.

    I found some articles on the EAP behaviours of XP, but this issue isn't
    mentioned. Anyone else have any ideas?

    Regards,

    Willem
    Wimbo, Feb 8, 2006
    #1
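One way to see Willem's symptom from the RADIUS server's side (an added example, not code from this thread, from Microsoft or from Cisco): it walks constructed IAS-style authentication events and reports clients that authenticated with a machine identity (the `host/<fqdn>` name an XP machine account presents in EAP-TLS) but never with a user identity, broken down by NAS-Port-Type so a wired-versus-wireless skew stands out. The event tuple layout and all sample values are assumptions.

```python
"""Find 802.1X clients that completed machine authentication but never
user authentication, per NAS-Port-Type (wired vs. wireless)."""
from collections import defaultdict

# Constructed sample events, not real IAS log lines. Fields:
# (time, NAS-Port-Type, Calling-Station-Id, User-Name from the EAP-TLS cert)
SAMPLE_EVENTS = [
    ("08:00:01", "Wireless-802.11", "00-11-22-33-44-55", "host/pc1.corp.example"),
    ("08:00:40", "Wireless-802.11", "00-11-22-33-44-55", "alice@corp.example"),
    ("08:01:05", "Ethernet", "00-11-22-33-44-66", "host/pc2.corp.example"),
    ("08:02:10", "Ethernet", "00-11-22-33-44-77", "host/pc3.corp.example"),
    ("08:02:50", "Ethernet", "00-11-22-33-44-77", "bob@corp.example"),
]


def is_machine_identity(user_name):
    """An XP machine account authenticates as host/<fqdn>; anything else is a user."""
    return user_name.lower().startswith("host/")


def machine_only_sessions(events):
    """Return {(port_type, mac): machine_identity} for clients that
    authenticated as a machine but never as a user during the window."""
    seen = defaultdict(lambda: {"machine": None, "user": False})
    for _time, port_type, mac, name in events:
        entry = seen[(port_type, mac)]
        if is_machine_identity(name):
            entry["machine"] = name
        else:
            entry["user"] = True
    return {key: val["machine"] for key, val in seen.items()
            if val["machine"] and not val["user"]}


def summarize(events):
    """Count machine-only clients per NAS-Port-Type; a count that is high on
    Ethernet but zero on Wireless-802.11 is the pattern described above."""
    counts = defaultdict(int)
    for port_type, _mac in machine_only_sessions(events):
        counts[port_type] += 1
    return dict(counts)


if __name__ == "__main__":
    for (port_type, mac), machine in sorted(machine_only_sessions(SAMPLE_EVENTS).items()):
        print(f"{port_type:16} {mac}  machine-only: {machine}")
    print(summarize(SAMPLE_EVENTS))
```

On real data the events would come from the IAS log (or RADIUS accounting) with a time window long enough to cover the user logon that should follow the machine logon.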

  2. Pavel A.

    Pavel A. Guest

    There is an opinion that for wired network ipsec is much better than 1x.

    --PA

    Pavel A., Feb 11, 2006
    #2

  3. Wimbo

    Wimbo Guest

    Pavel A. wrote:
    > There is an opinion that for wired network ipsec is much better than 1x.
    >
    > --PA


    I know that just 802.1x is *not* THE solution for secure network access.
    However, the behaviour which occurs now makes it impossible to use
    user-based VLANs with wired 802.1x, because the user never gets authenticated.

    I also contacted the switch (3750) vendor (Cisco) to ask if they have any
    experience with this. I doubt that I will receive any usable info, because
    the EAPOL messages never seem to be sent from the computer, which makes it
    a PC/NIC/OS issue. The NIC has the latest drivers installed and the OS
    (WinXP Pro SP2) has all available patches etc.
    Since computer authentication and user authentication work properly
    separately, but the combination of the two fails on wired, I'm guessing an
    OS problem.

    Correct me if my assumptions are incorrect.

    Willem

    Wimbo, Feb 13, 2006
    #3