Thanks.  Yes that is what I am doing.  I have it set for 802.1x first and
then Mac auth.  So if the client fails 802.1x they will get sent to NAC so
I will be OK.

It's just stuck in my craw that this thing won't work especially when it
works fine on wireless.  I've seen others struggling with 802.1x on the
wired side too during my research.  I would say 802.1x is fully baked on
wireless (except on Macs of course) so why is it funky on wired?


On Thu, May 9, 2013 at 1:35 PM, Brian Anderson - ASI <[email protected]> wrote:

> Another option would be to use policy based routing and tagging traffic
> with the Unregistered role to redirect client http traffic to nac captive
> portal to authenticate.  This way the non domain clients won't have to
> configure their pcs for 8021x.
>
> On May 9, 2013, at 12:31 PM, "John Kaftan" <[email protected]> wrote:
>
> Yes I have tried that.  I don't believe I see anything when it fails.  I
> will look again and will also check the syslog.
>
>
> On Thu, May 9, 2013 at 1:26 PM, Herzog, Gerald <[email protected]> wrote:
>
>> Is there any username that is populated in NAC when it fails
>> authentication?  Have you tried specifying "user authentication"?
>>
>>
>> On Thu, May 9, 2013 at 1:17 PM, John Kaftan <[email protected]> wrote:
>>
>>> It works for me if I go into the network settings and save my
>>> credentials.  It also works if I have a machine that is in the domain and I
>>> check "Automatically use my Windows logon name and password".  That will
>>> cover 90% of my cases.
>>>
>>> However, if a machine is not on the domain and connects I expect that I
>>> should be prompted by the supplicant to provide credentials.  That is the
>>> part that is not working.
>>>
>>> Thanks
>>>
>>> John
>>>
>>>
>>> On Thu, May 9, 2013 at 12:08 PM, Kay Avila <[email protected]> wrote:
>>>
>>>> John, we've only done limited testing, but so far, authenticating with
>>>> 802.1x AD machine accounts on Windows 7 has worked successfully for us.
>>>>  Just a thought.
>>>>
>>>>
>>>> On 5/7/2013 6:31 PM, John Kaftan wrote:
>>>>
>>>>> Actually it does work when I have that set.  I tried that earlier
>>>>> today.
>>>>> Often in a university though machines are on the network that are not
>>>>> part of the AD domain, like the first two I was working with.  It's
>>>>> crazy that Windows won't respond to the first eap packet from the
>>>>> switch unless credentials are configured to be provided automatically.
>>>>> Wireless prompts just fine.  I did some research and it seems that
>>>>> 802.1x on wired is still unreliable.  I found 7 patches to install and
>>>>> it still doesn't work right. I wonder why wireless is fine but wired
>>>>> isn't.  The protocol has been around since 2002 or so.  It should be
>>>>> fully baked by now.
>>>>>
>>>>> John
>>>>>
>>>>> On May 7, 2013 7:11 PM, "Robert Perry" <[email protected]> wrote:
>>>>>
>>>>>     Have a look at this document, it may help.  Specifically look at
>>>>>     section 1.1.10 - This would seem what “MIGHT” be missing?  How
>>>>>     are you disconnecting and reconnecting from the network?  Are you
>>>>>     unplugging the cable?  If you actually logout, you should get
>>>>>     prompted for a new login.
>>>>>
>>>>>     Best of luck !
>>>>>
>>>>>     Best Regards,
>>>>>
>>>>>     Bob Perry
>>>>>
>>>>>     *From:* John Kaftan [mailto:[email protected]]
>>>>>     *Sent:* Tuesday, May 07, 2013 2:43 PM
>>>>>     *To:* Enterasys Customer Mailing List
>>>>>     *Subject:* Re: [enterasys] Wired 802.1x
>>>>>
>>>>>
>>>>>     That's not good.  I want to keep Admin-Edge.  I do have 802.1x
>>>>>     listed as first.  802.1x is working just fine if I store my
>>>>>     credentials within the supplicant.  My only problem is that I
>>>>>     cannot get prompted by Windows.
>>>>>
>>>>>     On Tue, May 7, 2013 at 1:34 PM, Brian Anderson - ASI
>>>>>     <[email protected]> wrote:
>>>>>
>>>>>     There may be some switch config settings that might help.  Try
>>>>>     setting 8021x as first in priority for authentication.  I also have
>>>>>     seen admin-edge enabled on the end system port (spantree) cause
>>>>>     8021x to fail also.
>>>>>
>>>>>     Thanks,
>>>>>
>>>>>     Brian Anderson
>>>>>
>>>>>     [email protected]
>>>>>
>>>>>
>>>>>     Network Engineer
>>>>>
>>>>>     3000 United Founders Boulevard, Suite 212
>>>>>
>>>>>     Oklahoma City, Oklahoma  73112
>>>>>
>>>>>     C +1 (501) 690-3305
>>>>>
>>>>>     F +1 (405) 562-8669
>>>>>
>>>>>     *From:* John Kaftan [mailto:[email protected]]
>>>>>     *Sent:* Tuesday, May 07, 2013 11:17 AM
>>>>>
>>>>>
>>>>>     *To:* Enterasys Customer Mailing List
>>>>>
>>>>>     *Subject:* [enterasys] Wired 802.1x
>>>>>
>>>>>
>>>>>     Working to get 802.1x going on Win 7 wired ports.  I have it
>>>>>     working if I save my credentials in Windows.  If I don't save my
>>>>>     credentials Windows never prompts me for credentials.  Packet
>>>>>     captures suggest that the client never responds to the initial eap
>>>>>     packet from the switch so the switch never sends the challenge.  I
>>>>>     have the Wired AutoConfig service running.  Any ideas?  I've been
>>>>>     messing with all of the settings.  I see this happening on two
>>>>>     machines both of which do fine on wireless 802.1x.
>>>>>
>>>>>     I am using B5s and NAC as my RADIUS server.
>>>>>
>>>>>     Thanks
>>>>>
>>>>>
>>>>>     --
>>>>>
>>>>>     John Kaftan
>>>>>
>>>>>     IT Infrastructure Manager
>>>>>
>>>>>     Utica College
>>>>>
>>>>>
>>>
>>>
>>> --
>>> John Kaftan
>>> IT Infrastructure Manager
>>> Utica College
>>>
>>>
>>>
>>>
>>
>>
>> --
>>
>> Jerry Herzog
>> Solutions Engineer
>> Enterasys Networks, Inc.
>> A Siemens Enterprise Communications Company
>>
>> Mobile +1 330 224 6088
>> E-mail   [email protected]
>>
>> Twitter: @JerryHerzog <http://twitter.com/#%21/@JerryHerzog>
>>
>>
>>
>>
>>
>>
>>
>
>
> --
> John Kaftan
> IT Infrastructure Manager
> Utica College
>
>
>
>


-- 
John Kaftan
IT Infrastructure Manager
Utica College

---
To unsubscribe from enterasys, send email to [email protected] with the body: 
unsubscribe enterasys [email protected]
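
The capture check described in the original post (does the client ever answer the switch's EAP-Request/Identity?), as an added example that is not part of the thread. The function names, MAC addresses, identity string and frames are constructed for illustration; the layout is standard EAPOL over Ethernet (EtherType 0x888E).

```python
import struct

EAPOL_ETHERTYPE = 0x888E                      # IEEE 802.1X EAPOL
PAE_GROUP = bytes.fromhex("0180c2000003")     # 802.1X PAE group address
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1

def parse_eapol(frame: bytes):
    """Return (src_mac, eap_code, eap_id, eap_type), or None if not an EAP packet."""
    if len(frame) < 22 or struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        return None
    _ver, ptype, plen = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + plen]                # plen excludes any Ethernet padding
    if ptype != 0 or len(body) < 4:           # EAPOL-Start/Logoff/Key carry no EAP
        return None
    code, ident, _elen = struct.unpack("!BBH", body[:4])
    etype = body[4] if code in (1, 2) and len(body) > 4 else None
    return (frame[6:12].hex(":"), EAP_CODES.get(code, code), ident, etype)

def unanswered_identity_requests(frames, switch_mac):
    """IDs of the switch's EAP-Request/Identity that no client Response/Identity matched."""
    pending = []
    for frame in frames:
        p = parse_eapol(frame)
        if p is None or p[3] != EAP_TYPE_IDENTITY:
            continue
        src, code, ident, _ = p
        if src == switch_mac and code == "Request":
            pending.append(ident)
        elif src != switch_mac and code == "Response" and ident in pending:
            pending.remove(ident)
    return pending

def build(src_mac, eap_code, ident, data=b""):
    """Construct a sample EAP Identity frame (test data, not a real capture)."""
    eap = struct.pack("!BBHB", eap_code, ident, 5 + len(data), EAP_TYPE_IDENTITY) + data
    eapol = struct.pack("!BBH", 1, 0, len(eap)) + eap
    return (PAE_GROUP + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!H", EAPOL_ETHERTYPE) + eapol)

SWITCH, CLIENT = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed MACs
# Constructed captures: the failing port (switch retries, client silent) and a working one.
STUCK = [build(SWITCH, 1, i) for i in (1, 2, 3)]
WORKING = [build(SWITCH, 1, 1), build(CLIENT, 2, 1, b"jdoe")]

if __name__ == "__main__":
    print("stuck port, unanswered IDs:", unanswered_identity_requests(STUCK, SWITCH))
    print("working port, unanswered IDs:", unanswered_identity_requests(WORKING, SWITCH))
```

A non-empty result for a port means the supplicant stayed silent, which points at the client side rather than at the switch or the RADIUS server.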
