Identity and Policy Control
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
aeroplane
Contributor
aeroplane
Posts: 656
Registered: ‎06-30-2009
0

IC layer 2 enforcement and users login to domain

Options

‎12-07-2010 10:25 AM 

Hi

We have IC4500 cluster and we are deploying it in layer 2 using 802.1x enforcement with 
Juniper EX switches. 

We are facing issue that PC connected to 802.1x enabled port on switch and users tries 
to login in to PC using its domain credential but offcourse PC does not have IP so its 
not able to contact to domain controller to authenticate and user is unable to login to 
pc.

Kindly suggest what is the way to solve this problem?
Message 1 of 5 (2,852 Views)
 
Reply
Bart
Contributor
Bart
Posts: 48
Registered: ‎08-21-2009
0

Re: IC layer 2 enforcement and users login to domain

Options

‎12-13-2010 12:16 AM

Hi,

 

you could:

  1. use machine authentication, and switch to user authentication after login
  2. integrate oac into the boot process with GINA, however be aware there are some limitations on win 7 (now called credential provider)

regards

Message 2 of 5 (2,794 Views)
 
Reply
aeroplane
Contributor
aeroplane
Posts: 656
Registered: ‎06-30-2009
0

Re: IC layer 2 enforcement and users login to domain

Options

‎12-26-2010 10:54 AM

Hi

 

Thank you very much for reply. I tried GINA with windows 7 and its not working every time OAC authenticated but when windoes try to login, it is giving me the error user or password not correct. I opened the JTAC case and still waiting for them :smileysad:

 

As regards to machine athentication. I am also facing problem that machine authentication is not working. I saw the logs in UAC and it showing me authentication failed :smileysad:  ............In the OAC Manager :

 

1- I created the User Profile

2- Machine Profile

3- Connection setting Machine authentication and drops connection when users logs in

 

Should I need some certificate on OAC for machine authentication ?? I have checked disable server verification but When it is uncheck then on OAC it is showing client certificate error some thing like this.

 

Kindly let me know what I am missing?

 

Looking forward for your response.

 

Thanks

Message 3 of 5 (2,531 Views)
 
Reply
Stanislas P
Contributor
Stanislas P
Posts: 35
Registered: ‎10-18-2010
0

Re: IC layer 2 enforcement and users login to domain

Options

‎12-28-2010 02:36 AM

Hi,

 

To use Machine Authentication with Machine AD account, you MUST use AD/NT authentication server and not LDAP authentication server.

 

http://forums.juniper.net/t5/Identity-and-Policy-Control/OAC-machine-authentication-without-certs/m-...

 

one other solution is to authenticate the PC with a certificate deployed by GPO.

 

To uncheck "Disable server verification" option, you must add the CA root of the IC certificate in the  trusted root CA of the machine account : 

- Launch MMC

- Add / Remove snap-in -> Add -> certificate -> Computer account -> local computer

- in Trusted root certification autority, All Task -> import

 

And then, add this CA in trusted servers section of Machine account in OAC.

 

Regards,

 

Stanislas

 

Message 4 of 5 (2,486 Views)
 
Reply
Bart
Contributor
Bart
Posts: 48
Registered: ‎08-21-2009
0

Re: IC layer 2 enforcement and users login to domain

Options

‎12-28-2010 09:41 AM

Hi

 

see http://forums.juniper.net/t5/Identity-and-Policy-Control/OAC-GINA-with-Windows-7/td-p/43126

 

Regards

Message 5 of 5 (2,470 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.