802.1X multiple factor authentication

  • Question
  • Updated 3 years ago
This is one of those things that I literally find myself scratching my head about.  I've looked at a number of threads already, but they seem to suggest something that just isn't really going to work with our current infrastructure.

What I want to accomplish.  A verified user logs on with their own device (BYOD), they get shunted to a different VLAN and have only internet access.  A verified user logs on with a domain joined laptop, they get shunted to the main VLAN and can access their file shares and etc.

The primary solution always seems to revolve around authenticating the computer and not the user for domain joined laptops.

Why this won't work for us.  It isn't that this is a bad solution; it just cannot work for us.  We are a school, and laptops often get shunted around between both staff and students.  We want only staff logged in with a domain joined laptop to be able to see the network.  It's pretty pointless if one of the students (using a loaner laptop because theirs has broken) is able to get access to the network.

Now, currently I'm just using an AP as a radius server, but I'm wondering if the only way to accomplish this is to do a full blown radius server installation.  Or, is there some qualification on the user profile side that can accomplish this?

Brandyn Baryski


Posted 3 years ago


Nick Lowe, Official Rep

Have you considered using IPsec on your domain laptops? Authenticate with machine authentication via 802.1X (Layer 2) on such devices and then use IPsec (Layer 3), which will identify the user and control access after they log in interactively.

On the 802.1X front, the issue is fundamentally with the typical EAP types not supporting chaining (EAP-PEAP, EAP-TTLS and EAP-TLS), something which EAP-TEAP is meant to ultimately resolve.

The proper solution has to be getting the TEAP EAP type ratified and implemented in supplicants and authentication servers. That is sadly not going to be a remotely quick process.

(If you are prepared to use Cisco's AnyConnect as the supplicant on your domain joined laptops AND switch to using Cisco's RADIUS server, you can achieve what you want today.)
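As an added illustration (not code from the thread or from any vendor), here is a small Python model of the RADIUS authorisation decision the question asks for, showing why it needs both a staff user and a domain-joined machine proven in the same 802.1X session. The group names, VLAN ids and identity formats are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed directory data (assumed names): staff accounts, all known accounts,
# and the Kerberos-style identities of domain-joined laptops.
STAFF_USERS = {"alice", "bob"}
KNOWN_USERS = STAFF_USERS | {"student1", "student2"}
DOMAIN_MACHINES = {"host/lt-01.school.local", "host/lt-02.school.local"}

MAIN_VLAN = "10"      # assumed id: file shares and internal services
INTERNET_VLAN = "20"  # assumed id: internet only

@dataclass
class Session:
    """Identities the authentication server has proven for ONE 802.1X session."""
    user: Optional[str] = None     # inner identity from a user credential
    machine: Optional[str] = None  # inner identity from a machine credential

def vlan_attributes(vlan: str) -> dict:
    """RFC 3580 reply attributes telling the switch/AP which VLAN to use."""
    return {"Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": vlan}

def authorize(session: Session) -> Optional[dict]:
    """Return Access-Accept reply attributes, or None for Access-Reject.

    The main VLAN requires a staff user AND a domain-joined machine proven in
    the same session. PEAP/TTLS/TLS prove only one identity per session, so
    that branch is only reachable with an EAP type that chains both (TEAP).
    """
    staff = session.user in STAFF_USERS
    domain = session.machine in DOMAIN_MACHINES
    if staff and domain:
        return vlan_attributes(MAIN_VLAN)
    if session.user in KNOWN_USERS:      # any verified user, any device
        return vlan_attributes(INTERNET_VLAN)
    if domain and session.user is None:  # machine-only auth before anyone logs on
        return vlan_attributes(INTERNET_VLAN)
    return None                          # unknown user or unknown device

def unchained_sessions(user: str, machine: str) -> list:
    """What a non-chaining supplicant presents: separate sessions, one identity each."""
    return [Session(user=user), Session(machine=machine)]

def chained_session(user: str, machine: str) -> Session:
    """What EAP chaining (TEAP) presents: both identities in one session."""
    return Session(user=user, machine=machine)
```

Run `authorize` over `unchained_sessions(...)` and over `chained_session(...)` for the same staff user and laptop: only the chained session ever reaches the main VLAN, and a student on a loaner domain laptop stays internet-only in both cases.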