RE: IEEE 802.1x & dynamic vlan assignment

• Previous message: Tevfik Karagülle: "RE: SharePoint securization"
• Maybe in reply to: Devanathan.Balaji_at_Datacraft-Asia.com: "IEEE 802.1x & dynamic vlan assignment"
• Next in thread: Devanathan.Balaji_at_Datacraft-Asia.com: "RE: IEEE 802.1x & dynamic vlan assignment"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 17 Aug 2005 14:25:05 -0700
To: <focus-ms@securityfocus.com>

You have to force re-authentication on logon. Here is an excerpt for
deploying dot1x on cisco switches.

You must configure the 802.1X client to send an EAP-logoff (Stop)
message to the switch when the user logs off. If you do not configure
the 802.1X client, an EAP-logoff message is not sent to the switch and
the accompanying accounting Stop message will not be sent to the
authentication server. Refer to the Microsoft Knowledge Base article at
the URL: http://support.microsoft.com. Also refer to the Microsoft
article at the URL:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/colum
ns/cableguy/cg0703.asp, and set the SupplicantMode registry to 3 and the
AuthMode registry to 1.

Here is some more info on the specifics of those keys
---------

AuthMode Registry Entry

The setting of the AuthMode registry entry controls the computer and
user authentication behavior of Windows XP and Windows Server 2003.
Registry path

HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\Au
thMode
Version

Windows XP and Windows Server 2003

AuthMode has the following values:
*

0 - Computer authentication mode. If computer authentication is
successful, no user authentication is attempted. If the user logon is
successful before computer authentication, user authentication is
performed. This is the default setting for Windows XP (prior to Service
Pack 1).
*

1 - Computer authentication with re-authentication. If computer
authentication is successful, a subsequent user logon results in a
re-authentication with user credentials. The user logon has to complete
in 60 seconds or the existing network connectivity is terminated. The
user credentials are used for subsequent authentication or
re-authentication. Computer authentication is not attempted again until
the user logs off the computer. This is the default setting for Windows
XP Service Pack 1 (SP1) and Windows Server 2003.
*

2 - Computer authentication only. When a user logs on, it has no effect
on the connection. Only computer authentication is performed. The
exception to this behavior is when a user successfully logs on, and then
roams between wireless APs. In that case, user authentication is
performed. For changes to this setting to take effect, restart the
Wireless Zero Configuration service for Windows XP or Windows Server
2003.
SupplicantMode Registry Entry

The setting of the SupplicantMode registry entry specifies the
transmission behavior of the EAPOL-Start message when authenticating.
Registry path

HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\Su
pplicantMode
Version

Windows XP and Windows Server 2003

SupplicantMode has the following values:
*

1 - Do not transmit. Specifies that EAPOL-Start messages are not sent.
*

2 - Transmit. Determines when to send EAPOL-Start messages and, if
needed, sends an EAPOL-Start message.
*

3 - Transmit per 802.1x. Sends an EAPOL-Start message upon association
to initiate the 802.1X authentication process.

HTH

Cameron Kim
Mitsubishi Digital Electronics America

-----Original Message-----
From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com]
Sent: Wednesday, August 17, 2005 10:53 AM
To: Devanathan.Balaji@datacraft-asia.com
Cc: focus-ms@securityfocus.com
Subject: Re: IEEE 802.1x & dynamic vlan assignment

Yes. That happened to me too...

The solution I took was to force the 802.1x switch to re-authenticate
quite often. What kind of switches are you using?

Regards,
Rodrigo.

On 8/17/05, Devanathan.Balaji@datacraft-asia.com
<Devanathan.Balaji@datacraft-asia.com> wrote:
> Hi,
>
> Has anyone tested dynamic vlan assignment through dot1x . I am trying

> to implement this with PEAP authentication with Windows Active
> directory. When I reboot the windows pc the vlan assignment is
> happening properly. But when I logoff from the domain and login as a
> different user the vlan is not getting assigned immediately, but works
after the re authentication timeout.
> I feel that Windows XP client is not sending EAPOL-logoff message. Can

> anyone help in this
>
> Regards
> Devanathan.B
>
> -----Original Message-----
> From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com]
> Sent: Tuesday, August 09, 2005 12:00 PM
> To: offtopic
> Cc: focus-ms@securityfocus.com
> Subject: Re: IEEE 802.1x & EAP-TLS design based on Windows 2000 Server
>
> In fact, I was thinking of just using user certificates (no need for
> personal computers to be on-line while noone is logged on), and
> storing them on the profile of each user, on their computer.
>
> And, unfortunately, PEAP is not an option either.
>
> Surfing thorugh MS doc., I had read that through CAPICOM scripts or
> batches using certreq.exe against the MS Certificate Services 2003, it

> is possible to "emulate" (by programming...) the Active Directory 2003
> - Certificate Services 2003 integrated auto-enrollment and
> auto-installation of the users' certificates.
>
> However, I have no idea if this is applicable to Certificate Services
> 2000, if it is a pragmatic solution, and whether it is reasonably easy

> to set up.
>
> Any experience using this tools? Would it be crazy to focus the
> project in this direction?
>
> Thanks again and best regards,
> Rodrigo.
>
> On 8/9/05, offtopic <offtopic@mail.ru> wrote:
> > > - Although the MS Certificate Services are in standalone mode, can

> > > I still configure some auto-enrollment based on the users' AD
> > > logon? If not, what is the best option in order to minimize
> > > administrative effort?
> >
> > No. AFAIK, Only Enterprise CA can be used for auto-enrollment. You
> > can
> choose PEAP MSCHAPv2 for client authentication instead. In this case
> you don't need to manage client-side certificates and revocation.
> > If you need to use client certificates - create new Enterprise
> > Subordinate
> CA for issue client certificates.
> >
> > > - Since MS Certificate Services are in standalone mode, is it
> > > possible to have the IAS server map certificates to AD users
> >
> > You can bind user-to-certificate manually in AD, but I think this is

> > not
> best solution.
> >
> > > If you could point me to any paper or step-by-step guide that can
> >
> >
> http://www.altavista.com/web/results?itag=ody&q=site%3Amicrosoft.com+8
> 02.1x+
> step-by-step&kgs=0&kls=0 ????
> >
> >
> > PS. You want to use client certificates, where you will store it? In

> > local
> profile, or on smartcard?
> > Will you authenticate computer or user or both?
> >
> >
> > (c)oded by offtopic@mail.ru
> >
> >
>
> ----------------------------------------------------------------------
> -----
> ----------------------------------------------------------------------
> -----
>
>
> **********************************************************************
> ****** This email and all contents are subject to the following
> disclaimer:
>
> http://www.datacraft-asia.com/disclaimer
> **********************************************************************
> ******
>
>

------------------------------------------------------------------------

---
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------

• Previous message: Tevfik Karagülle: "RE: SharePoint securization"
• Maybe in reply to: Devanathan.Balaji_at_Datacraft-Asia.com: "IEEE 802.1x & dynamic vlan assignment"
• Next in thread: Devanathan.Balaji_at_Datacraft-Asia.com: "RE: IEEE 802.1x & dynamic vlan assignment"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]