Identity and Policy Control

Contributor
aeroplane
Posts: 724
Registered: 06-30-2009

IC layer 2 enforcement and users login to domain

Hi

We have an IC4500 cluster and we are deploying it at layer 2 using 802.1X enforcement with Juniper EX switches.

We are facing an issue: a PC is connected to an 802.1X-enabled port on the switch, and the user tries to log in to the PC using their domain credentials, but of course the PC does not have an IP address, so it is not able to contact the domain controller to authenticate, and the user is unable to log in to the PC.

Kindly suggest how to solve this problem?
Contributor
Bart
Posts: 48
Registered: 08-21-2009

Re: IC layer 2 enforcement and users login to domain

Hi,

You could:

  1. use machine authentication, and switch to user authentication after login
  2. integrate OAC into the boot process with GINA; however, be aware there are some limitations on Win 7 (where it is now called a credential provider)

Regards

Contributor
aeroplane
Posts: 724
Registered: 06-30-2009

Re: IC layer 2 enforcement and users login to domain

Hi

Thank you very much for the reply. I tried GINA with Windows 7 and it is not working: every time, OAC authenticated, but when Windows tries to log in, it gives me the error that the user or password is not correct. I opened a JTAC case and am still waiting for them :(

As regards machine authentication, I am also facing a problem: machine authentication is not working. I saw the logs in UAC and it shows me "authentication failed" :( ... In the OAC Manager:

1. I created the User Profile
2. Machine Profile
3. Connection setting: machine authentication, and drop the connection when the user logs in

Do I need a certificate on OAC for machine authentication? I have checked "Disable server verification", but when it is unchecked, OAC shows a client certificate error or something like this.

Kindly let me know what I am missing?

Looking forward to your response.

Thanks

Contributor
Stanislas P
Posts: 35
Registered: 10-18-2010

Re: IC layer 2 enforcement and users login to domain

Hi,

To use Machine Authentication with a Machine AD account, you MUST use an AD/NT authentication server and not an LDAP authentication server.

http://forums.juniper.net/t5/Identity-and-Policy-Control/OAC-machine-authentication-without-certs/m-...

One other solution is to authenticate the PC with a certificate deployed by GPO.

To uncheck the "Disable server verification" option, you must add the root CA of the IC certificate to the Trusted Root Certification Authorities of the machine account:

- Launch MMC
- Add/Remove Snap-in -> Add -> Certificates -> Computer account -> Local computer
- In Trusted Root Certification Authorities, All Tasks -> Import

Then add this CA in the trusted servers section of the Machine account in OAC.

Regards,

Stanislas

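The MMC steps above, done from an elevated PowerShell prompt instead, as an added example that is not part of Stanislas's post or of any Juniper documentation. It writes the IC's root CA certificate into the Local Computer "Trusted Root Certification Authorities" store (the store the machine account uses), after checking that the file really is a self-signed CA certificate rather than the IC's server certificate, and then confirms the import by thumbprint. The file path is an assumed placeholder; the .NET X509Store class is used rather than Import-Certificate so it also works on Windows 7, which the thread is about.

```powershell
# Added example: import the IC root CA into LocalMachine\Root and verify it.
# Assumption: the root CA was exported to this path (placeholder, adjust as needed).
$CaPath = 'C:\certs\ic-root-ca.cer'

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaPath

# Trusting a certificate machine-wide is a strong action, so check it is actually a root CA
# and not, for example, the IC's own server certificate exported by mistake.
if ($ca.Subject -ne $ca.Issuer) {
    throw "Not a self-signed root certificate: $($ca.Subject) issued by $($ca.Issuer)"
}
$bc = $ca.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "BasicConstraints does not mark this certificate as a CA; refusing to import"
}

# Equivalent of: Certificates snap-in -> Computer account -> Local computer ->
# Trusted Root Certification Authorities -> All Tasks -> Import (needs an elevated prompt).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$store.Open('ReadWrite')
$store.Add($ca)
$store.Close()

# Verify the import landed in the machine store (not the current user's store).
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $ca.Thumbprint } |
    Format-List Subject, Thumbprint, NotBefore, NotAfter
```

This only covers the Windows side of the trust chain; the CA still has to be added under the trusted servers section of the Machine account in OAC, as Stanislas notes, before "Disable server verification" can safely be unchecked.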
