802.1x wireless versus wired

 
 
Wimbo
      02-08-2006, 04:04 PM
Hello,

we have a network environment consisting of wireless AP and 'normal' wired
access. We use 802.1x successfully for our domain users. The authentication
method used is EAP-TLS.

Components used: AD, Enterprise CA, Windows 2003 servers, MS IAS and Windows
XP SP2 PC's

We now want to extend the 802.1x security to our wired switches (Cisco 35xx
I thought). These switches support 802.1x authentication and at first
everything seems to work fine.

However,
there seems to be a difference between 802.1x wireless and the wired
equivalent. With wireless we have both machine AND user authentication and
this works perfectly. The need for this is that the machine can log on to
the domain without the need of a user logged on. This is helpful in
spreading updates etc. to these machines. This also solves the problem that
when a user logs on, that there isn't a DC around (cause the network link
is still down).
The same is needed for the wired machines. But when we investigated the
logon and authentication process, it seems that on wired PCs only machine
authentication is done, and that user authentication is skipped somehow.

This behaviour is killing for so-called user-based VLANs (which would be the
next step). This would enable us to let the IT log on to any PC in the
network and be directed to the appropriate (management) VLAN.

B.t.w. this user-based VLAN (SSID) thing does work with wireless clients.

I found some articles on the EAP behaviours of XP, but this issue isn't
mentioned. Anyone else have any ideas?

Regards,

Willem

 
Pavel A.
      02-11-2006, 08:04 PM
There is an opinion that for wired network ipsec is much better than 1x.

--PA

Wimbo
      02-13-2006, 10:03 AM
Pavel A. wrote:
> There is an opinion that for wired network ipsec is much better than 1x.
>
> --PA


I know that just 802.1x is *not* THE solution for secure network access.
However, the behaviour which occurs now makes it impossible to use
user-based vlans with wired 802.1x, because the user never gets authenticated.

I also contacted the switch (3750) vendor (Cisco) to ask if they have any
experience with this. I doubt that I will receive any usable info, because
the EAPOL messages never seem to be sent from the computer. Hence making it
a PC/NIC/OS issue. The NIC has the latest drivers installed and the OS
(WinXP Pro SP2) has all available patches etc.
Since computer authentication and user authentication work properly
separately, but the combination of the two fails on wired, I'm guessing an
OS problem.

Correct me if my assumptions are incorrect.

Willem