Securing RADIUS with EAP-TLS (Wired WPA2- Enterprise) [Windows Server 2019]

  • Published 13 Oct 2024

COMMENTS • 58

  • @HSula-jj2wn, 1 month ago, +1

    Thanks a lot Rob, great video as usual. I have one question: could this be used to authenticate users logging on to the Cisco switch, rather than a network device, as well?

    • @OsbornePro, 1 month ago, +1

      @@HSula-jj2wn Thanks for watching! You can use RADIUS authentication to log in to a Cisco switch; however, they are only capable of using PAP for credentials and certificates can't be used. It is still utilized in environments since LDAP is not an option for SSH access.

    • @HSula-jj2wn, 1 month ago, +1

      @@OsbornePro thanks a lot for the answer. Cheers!

  • @Smaxey843, 2 years ago, +1

    An excellent follow-up video from part 1. Do you have a video that describes the basics of a chain of authority? I think I understand the high-level issues of it, but I've found your process of demonstration to be very easy to learn from. For instance, I needed to double back on video 1 and check how to import the CA as the root trust and intermediate trust certificates.
    Thanks for making these available!

    • @OsbornePro, 2 years ago

      Hey Steven, I do not have a video that covers chain of authority. The closer you get to the parent issuing Root Certificate Authority, usually the more expensive your certificate is. The parent root CA is the only authority that needs to be added to the "Trusted Root Certificate Authority" store. All the other issuing authorities under the parent (the top of the chain) should be added to the "Intermediate Trusted Certificate Authority" store. The issued certificate should be added to the Local Machine > My certificate store. It is suggested not to add Intermediate CAs to the "Trusted Root Certificate Authority" store. I have not seen it ever cause issues, but maybe it can.
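The store layout described in the reply above, as an added PowerShell example (not code from the video or from OsbornePro): the self-signed top of the chain goes to LocalMachine\Root, issuing intermediates to LocalMachine\CA, the server's own certificate to LocalMachine\My, followed by a chain check and a scan for intermediates that landed in the Root store by mistake. The file names and the CN in the usage lines are placeholders; the Import-* cmdlets come from the PKI module (Windows 8 / Server 2012 and later) and need an elevated session.

```powershell
# Added example, not from the video or OsbornePro. Requires the PKI module, run elevated.

function Import-RadiusCertChain {
    param(
        [Parameter(Mandatory)][string]$RootCer,        # self-signed top of the chain
        [string[]]$IntermediateCer = @(),              # zero or more issuing CAs
        [string]$LeafPfx,                              # optional: the RADIUS server cert with its private key
        [securestring]$LeafPfxPassword
    )
    Import-Certificate -FilePath $RootCer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    foreach ($cer in $IntermediateCer) {
        Import-Certificate -FilePath $cer -CertStoreLocation Cert:\LocalMachine\CA | Out-Null
    }
    if ($LeafPfx) {
        Import-PfxCertificate -FilePath $LeafPfx -CertStoreLocation Cert:\LocalMachine\My `
            -Password $LeafPfxPassword | Out-Null
    }
}

function Test-RadiusCertChain {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Supplicants check revocation too; switch to 'NoCheck' only while the CRL/OCSP endpoint is unreachable.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $valid = $chain.Build($Certificate)
    $elements = foreach ($el in $chain.ChainElements) {
        $c = $el.Certificate
        [pscustomobject]@{
            Subject     = $c.Subject
            SelfSigned  = ($c.Subject -eq $c.Issuer)
            InRootStore = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $c.Thumbprint)
            InCAStore   = [bool](Get-ChildItem Cert:\LocalMachine\CA   | Where-Object Thumbprint -eq $c.Thumbprint)
            Status      = ($el.ChainElementStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        }
    }
    [pscustomobject]@{ Valid = $valid; Chain = $elements }
}

function Find-MisplacedIntermediate {
    # Anything in Root that is not self-signed is an intermediate imported into the wrong store.
    Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -ne $_.Issuer } |
        Select-Object Subject, Issuer, Thumbprint
}

# Usage (placeholder file names and CN):
# Import-RadiusCertChain -RootCer .\corp-root.cer -IntermediateCer .\corp-issuing.cer
# $leaf = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like 'CN=nps01.corp.example*' | Select-Object -First 1
# Test-RadiusCertChain -Certificate $leaf | Select-Object -ExpandProperty Chain | Format-Table -AutoSize
# Find-MisplacedIntermediate
```

A chain element that shows SelfSigned = True and InRootStore = False means the root was never imported (or only into the user store), which is the usual cause of "server certificate not trusted" on the supplicant side; InCAStore = False on a non-self-signed element is the intermediate the reply says belongs in the intermediate store.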

    • @Smaxey843, 2 years ago

      @@OsbornePro okay. I’m not in a place yet where all of this makes total sense. Much like your videos though I will break it down into pieces and use it as a basis for research. Thank you for the time taken to reply.

    • @Smaxey843, 2 years ago

      @@OsbornePro Hey there, had to learn and troubleshoot an AP issue that was interfering in a way that I didn't anticipate, but I got that sucker working. Thanks again and enjoy that coffee!

    • @OsbornePro, 2 years ago, +1

      @@Smaxey843 Thank you sir, much appreciated!

  • @naseebramlakhan3906, 2 years ago, +1

    Thank you so much! I finally have 802.1X (wired) working! Great explanation.

    • @OsbornePro, 2 years ago

      Right on, nice work! Thanks for watching.

  • @McFunctional, 3 years ago, +1

    Also, to be clear. I am not bashing your video at all, you have made some great videos with great content and thorough explanations.

    • @OsbornePro, 3 years ago, +1

      @@McFunctional
      Oh no, it looks like you are right. I didn't take it that way at all, thanks so much for saying something. I apparently misunderstood the documentation and misinterpreted what was causing which log messages. I need to get that corrected.

    • @McFunctional, 3 years ago

      @@OsbornePro Just wanted to make sure. Thanks for the response and keep up the good tutorials. Definitely already subscribed.

    • @OsbornePro, 3 years ago

      @@McFunctional Thanks brother, will do!

  • @tsheafhope, 1 year ago

    This is a fantastic video (along with part 1). Thank you so much for posting this detail! I have one question, with 2 parts. Do you know if it is possible to configure management access (via ssh, web, etc.) to the Cisco SG-300 switch (and would also eventually need to do it on Catalyst and CBS series) using 802.1x? And further, can the switch use an NPS RADIUS Server to authenticate both the management access AND port-based access for wired/wireless? It seems the settings are there to do this, but I tried to follow the steps in part1 and part2 of this video to set it up, but have not been able to get the SG-300 to communicate with the NPS RADIUS server using 802.1X. I have only been successful with "Unencrypted authentication (PAP, SPAP)" as the Authentication Method in the Network Policy on NPS. TIA for any guidance on this.

    • @OsbornePro, 11 months ago

      Thanks for watching! Yes, I am pretty sure the Cisco SG-300 switches can use RADIUS for authentication. The caveat to that is you can't use certificates for authentication. Cisco only allows you to use PAP.
      Really, when PAP is used by RADIUS it does not actually send the password in plaintext. It uses an XOR cipher combining the password with an MD5 hash based on a shared secret. This is considered to be insecure, and it is one of those cyber security situations where it is just easier to say it is in plain text. For all intents and purposes we can say it's "reversible".
      The web GUI access can utilize LDAP over SSL for authentication, but SSH can not on Cisco devices. Depending on the size of your network you may or may not want to implement RADIUS authentication for your Cisco devices. If you have a large network with multiple admins accessing your networking devices, or contractors that access them, then definitely I would not hesitate to implement RADIUS auth with PAP. If there are, say, 3 or fewer people that can do more than read the switch's config, I would stick with local authentication. Or if you have thousands of networking devices and 3 people, RADIUS is much more scalable, use that.

  • @KhalidAmin-f7x, 3 months ago, +1

    Thank you for sharing information. I have a question: I am trying to connect a Linux machine using the 802.1X wired authentication method and it's failing to connect. This machine has not joined the domain. I am getting a user credentials mismatch error. Please share your valuable feedback. Thank you.

    • @OsbornePro, 3 months ago

      @@KhalidAmin-f7x Thanks for watching, sounds like the same thing I have seen with Macs. If you check the NPS event logs it probably says it can't find the account. If that is the case you won't be able to use EAP-TLS to authenticate Linux devices unless they are domain joined.

  • @jimu9718, 1 year ago

    Thank you for posting this video!
    If this will be configured in an existing wired infrastructure...
    - I get that using NTRadPing on a workstation joined to the domain, the NTRadPing window will show: Access-Accept.
    - On a workstation not joined to the domain, NTRadPing will show: Access-Reject.
    NTRadPing shows the difference by displaying accept or reject.
    My question is, how do I see the difference between the two without having to use NTRadPing?
    - Can a workstation not joined to the domain NOT access all the other servers, i.e. file servers?
    - Can a workstation not joined to the domain not ping joined workstations?

    • @OsbornePro, 11 months ago

      I have not used NTRadPing before but appreciate you mentioning it, as it looks like a very useful tool. When I troubleshoot RADIUS I typically check the NPS server logs in Windows Event Viewer under the custom log Windows created, "Network Policy Logs" I think they are called. They provide clear information that is easy to interpret 90% of the time. If there is no evidence of a connection there, you can check Windows Event Viewer > Applications and Services > Microsoft > Windows > EapMethods-RasTls or EapHost logs to look for issues dealing with encryption mismatches or configuration issues on the client. NTRadPing appears to use PEAP and not EAP-TLS, which I gathered from the username/password fields it uses. A Windows workstation does not need to be domain joined to use EAP-TLS for authentication. An Apple workstation will require a non-domain joined Root CA to issue it a certificate in order to successfully authenticate to your EAP-TLS wifi network.

  • @scottdashiell5630, 3 years ago, +2

    User testing and debugs would be helpful. Good video to get one started, though.

    • @OsbornePro, 3 years ago

      Thanks for the feedback, much appreciated

  • @vladimirarias-antonov9584, 3 months ago, +1

    Can you explain how to get MAB working with dot1x? Basically I need anything with a cert to authenticate, but for devices like printers/phones that can't take a cert, I am trying to use MAB. I added the approved MACs to my list on my Cisco switch. And it says authenticated, but won't connect. Do I need to add the MACs somewhere in RADIUS? I'm just using a Cisco switch and NPS, no ISE.

    • @OsbornePro, 3 months ago

      @@vladimirarias-antonov9584 Thanks for watching! I would suggest taking a look at this article for the NPS side of things:
      documentation.meraki.com/MS/Access_Control/Configuring_Microsoft_NPS_for_MAC-Based_RADIUS_-_MS_Switches

    • @vladimirarias-antonov9584, 3 months ago, +1

      Thank you this is great

  • @MrKing1923, 2 years ago, +1

    Is it the same process when you have multiple switches connected to the Windows RADIUS server? Same setup with the switch also? Do I need to put a trunk port on the second switch?

    • @OsbornePro, 2 years ago

      Thanks for watching! Yes, it is the same process when you have multiple switches connected to the Windows RADIUS server. The desktops and other devices are your Supplicants. The switches are your Authenticators, and the RADIUS server is the Authentication Server. All three are required to perform the RADIUS communication. You configure RADIUS on your Desktop/Device switches. You do not need to configure RADIUS on your core switch if your traffic flow is, for example:
      DESKTOP ------------> SWITCH ---> CORE SWITCH ---> SWITCH ---> RADIUS SERVER

  • @ahsanfareed3333, 3 years ago, +1

    After making the GPO for Wired Network Policy, do we need to manually enable the "Wired AutoConfig" service on the user end to perform authentication?

    • @OsbornePro, 3 years ago, +1

      Hey, thanks for watching. Yes, in your Group Policy Object you will want to enable the Wired AutoConfig (dot3svc) service so it starts automatically on the devices. If that service is not enabled, no authentication will be attempted.
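The supplicant-side checks that go with the reply above, as an added PowerShell example (not from the video or from OsbornePro): make dot3svc automatic and running, read the wired 802.1X state and the profile the GPO pushed, list the machine certificate NPS will actually be offered, and pull the recent client-side events. The event channel names are the ones shown in Event Viewer on Windows 10/11; confirm them on your build with Get-WinEvent -ListLog '*Wired*','*Eap*','*CAPI2*'. Run elevated.

```powershell
# Added example, not from the video or OsbornePro. Run in an elevated session on the client.

function Enable-WiredAutoConfig {
    # dot3svc is Manual and stopped on client SKUs by default. Until it runs the NIC never
    # answers the switch's EAP Request-Identity, so the port just sits unauthorized.
    Set-Service -Name dot3svc -StartupType Automatic
    Start-Service -Name dot3svc
    Get-Service -Name dot3svc | Select-Object Name, Status, StartType
}

function Get-WiredDot1xState {
    # netsh is still the supported view of wired 802.1X state and of the profile the GPO applied.
    netsh lan show interfaces
    netsh lan show profiles
}

function Get-WiredClientAuthCertificate {
    # What NPS will see for machine authentication: LocalMachine\My, private key present,
    # not expired, Client Authentication EKU (1.3.6.1.5.5.7.3.2). The DNS name in the SAN
    # is what ties the certificate back to the computer account.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
    } | Select-Object Subject, Issuer, NotAfter, Thumbprint,
        @{ n = 'DnsNames'; e = { $_.DnsNameList.Unicode -join ', ' } }
}

function Get-WiredAuthEvent {
    param([int]$Hours = 1)
    $since = (Get-Date).AddHours(-$Hours)
    # CAPI2 is off by default; enable it with: wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
    $logs = 'Microsoft-Windows-Wired-AutoConfig/Operational',
            'Microsoft-Windows-EapMethods-RasTls/Operational',
            'Microsoft-Windows-CAPI2/Operational'
    foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LevelDisplayName,
                @{ n = 'Log';     e = { $_.LogName -replace '^Microsoft-Windows-', '' } },
                @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

Enable-WiredAutoConfig
Get-WiredDot1xState
Get-WiredClientAuthCertificate | Format-List
Get-WiredAuthEvent | Sort-Object TimeCreated | Format-Table -AutoSize
```

If Get-WiredClientAuthCertificate returns nothing, the failure is on the client before NPS is ever involved (no auto-enrolled machine certificate, or one without a private key); if it returns a certificate but Wired-AutoConfig reports a failure and EapMethods-RasTls reports a TLS error, the usual suspects are the server-name validation and Root CA selections in the profile that the replies further down discuss.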

  • @McFunctional, 3 years ago, +1

    Hey, I have a quick question about the 802.1X authentication properties on the switch. We are using an SG200-50 and I had the authentication method set to none the entire time I was testing. I would continuously get authentication failed, but at the same time the switch would show me as being authenticated. The event viewer logs showed that I wasn't receiving a response to the response identity packet. After changing to RADIUS for the authentication method on the switch, all of the packets show in Wireshark from request identity, through request EAP-TLS, to success. The switch still shows as authenticated, and the NPS has an event viewer log for my host, not username, and shows as successfully authenticated. So are you sure it should be none instead of RADIUS?

    • @McFunctional, 3 years ago, +1

      Also, in the event log details it does specify the correct connection request name, correct network policy name, the correct authentication server, and the EAP type is Microsoft: Smart Card or other certificate. Authentication type says EAP, and not EAP-TLS, though as stated above I can see in Wireshark traffic that between the supplicant and the client it switches over to TLS 1.2. Just wanting to make sure I'm not missing something.

    • @jakepielage3521, 1 year ago

      Hey, I'm having the exact same issues or concerns too. I get authentication failed, but I'll connect to the internet if "fallback to unauthorized network access" is checked. So has anyone figured this out or have an answer?

  • @masteralbo, 2 years ago, +1

    What if NPS server is on another switch. Would you need to set some commands in this switch in order for authentication traffic between supplicant and server to flow?

    • @OsbornePro, 2 years ago

      Thanks for watching! If you have distribution layer switches and access layer switches, you would only need to configure the switches that supplicants are directly plugged into. So your Authenticators would be the access layer switches.
      If you have a Cisco ACS, for example, acting as your RADIUS/NPS server, the configuration on the access layer switches would still be the same configuration. Does that answer your question?

    • @masteralbo, 2 years ago, +1

      @@OsbornePro I think so. If I understand correctly, only switches that have supplicants need to be configured with 802.1X, and switches with only servers (NPS) don't need any 802.1X config.

    • @OsbornePro, 2 years ago, +1

      @@masteralbo Yes exactly

  • @mikeo9070, 7 months ago, +1

    I do not understand how the radius server knows the machine name. Where is that in the radius request? Is it a specific attribute?

    • @Patmorgan235Us, 6 months ago, +1

      Usually it's going to be the Calling-Station-Id. In this situation he's using EAP-TLS, so the certificate the device was issued will have its name in the certificate metadata.

    • @OsbornePro, 4 months ago

      ^ What he said :) Thanks for watching! Thanks for the help @Patmorgan235Us

  • @Lluth589, 1 year ago

    Thank you for the tutorials! I did manage to get this working, but when I restart the computer, it won't connect to the network until after I log in and click the "Sign in" pop-ups. It's acting like the GPO is tied to the user level and not the machine. Is that how it's supposed to work? Is there a way to have it authenticate before the user signs in and not have to be prompted to connect to the server? I did check the box "Don't prompt users to authorize new servers..." at 7:32 in the video, but that just makes the computer fail authentication.

    • @Lluth589, 1 year ago

      For anyone here looking at issues who is in my boat: what I ended up finding is that Windows 11 has an issue with the CA server name if it has capital letters, as in our case. What ended up working for me is the field "Connect to these servers" as shown at 8:55; I unchecked it rather than deleting my CA and renaming it to all lowercase. In part 1 for wireless, this was left blank, so I tried it on the wired connection just to see. I do not know the long-term implications of this, but it seems to work for me. I can still grant access and revoke access with the machine group in AD. If I am wrong here please let me know.
      Again, great work @OsbornePro TV. Very helpful tutorials! My next task is to figure out what to do with my desk phones and printers.

    • @OsbornePro, 11 months ago

      Thanks for watching! Thank you for posting the update on your comment. Not sure if I included this in the videos or not, but the "Connect to these servers" area is case sensitive and relies on the CN/Subject value of the Root CA certificates. You do not necessarily have to define these values, but it is a good idea to because it establishes a more hardened RADIUS configuration.

  • @christianbamba3459, 2 years ago, +1

    Please, why didn't you create the CA server directly on the DC?

    • @OsbornePro, 2 years ago, +1

      Thanks for watching! It is best practice to have as few extra services running on a Domain Controller as possible. It is also best practice to have a Root CA server only running Certificate Services. Sometimes rules need to be broken; however, a Production environment should never have the CA role installed on it. Most CAs will have a web server role which would open up port 80 and/or 443. A Root CA hosting a SCEP service open to the internet for MDM will have 443 open to the internet. All kinds of limitations and bad situations can arise when that practice is not followed.

    • @christianbamba3459, 1 year ago

      @@OsbornePro Okay, I got it. Thank you so much 😊. I just began with Windows Server and I don't know how to create this « root CA » you were talking about, because the only thing I know is that you need Active Directory before you install a CA, so I'm a bit confused. I think a video from you might help me. Thank you 🙏🏾

  • @gordoncook5365, 3 years ago, +1

    I have a question on how this would work with VOIP. Our phones connect to the switch and then our systems connect to the phone. We use a different vlan for voice.

    • @OsbornePro, 3 years ago

      With VoIP on your 802.1X switch you will want to enable "multi-domain authentication" on the port. Using "single" will only authenticate the computer and allow any other connections on that port to be established.
      Offhand I know with Yealink phones it is basically impossible to use RADIUS because you cannot add any CAs to the trusted store. Polycom phones allow you to do so.
      Instead of assigning each individual phone an EAP-TLS certificate, I would suggest creating a PEAP certificate for a specified user and adding that same cert to all of the phones for easy management. I am doing a video on that next. It has been a busy couple of weeks, unfortunately, for my YouTube work.

    • @gordoncook5365, 3 years ago, +1

      @@OsbornePro Thanks for the reply. Unfortunately, we can't add the certificate to our phones. They are locked by the vendor. Our Cisco switches have a feature that allows VoIP traffic through with port-security turned on. I don't have it working yet, but apparently it does work. The VoIP traffic needs to be on a voice VLAN ("switchport voice vlan xxxx").

    • @OsbornePro, 3 years ago

      @@gordoncook5365 If you are not able to add certificates to the phones then I would not recommend using 802.1X for authentication for the phones. This is because you would be trusting a certificate anyone is able to obtain. You can still use 802.1X for the computers attached and not use 802.1X for the phones when using "multi-host" mode. Here are the Cisco documentation's descriptions.
      NOTE: In the video I was confused by some of the results and told you the wrong thing. At 14:06 you need to select RADIUS, None or RADIUS to use 802.1X, and not None. RADIUS, None will still allow desktops and such to be authenticated if the RADIUS server can not be reached.
      In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice VLAN.
      In multidomain authentication (MDA) mode, one device is allowed for the access VLAN, and one IP phone is allowed for the voice VLAN.
      In multihost mode, only one 802.1x supplicant is allowed on the port, but an unlimited number of non-802.1x hosts are allowed on the access VLAN. An unlimited number of devices are allowed on the voice VLAN.
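The three host modes quoted above, as an added Catalyst configuration example (not from the video or from OsbornePro, and not SG-200/SG-300 syntax, which the small-business switches in this thread use). It assumes IOS 15.x with the classic "authentication" command set; the VLAN numbers, server address, interface and names are placeholders, and the shared secret is left as a marker to fill in.

```ios
! Added example, not from the video or OsbornePro. Catalyst IOS 15.x, placeholders throughout.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
radius server NPS01
 address ipv4 10.0.0.5 auth-port 1812 acct-port 1813
 key <shared-secret>
!
! One PC daisy-chained behind one IP phone. MDA gives one data-VLAN session and one
! voice-VLAN session, each authenticated on its own; a phone that cannot carry a
! certificate falls back to MAB (MAC address as both user name and password on NPS,
! which is what the Meraki NPS article linked earlier in the thread sets up).
interface GigabitEthernet1/0/5
 description PC + IP phone
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication port-control auto
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 mab
!
! Swap in "authentication host-mode multi-host" to get the behaviour described in the
! quoted text: the first supplicant that passes opens the access VLAN for every other MAC
! on the port, so nothing behind the phone is individually checked.
!
! Verify: expect one session per domain with its method (dot1x or mab) and status.
! show authentication sessions interface GigabitEthernet1/0/5 details
```

With multi-domain the NPS side sees two separate Access-Requests from the same port, one with the PC's EAP-TLS certificate and one MAB request for the phone, so the network policies need to be ordered so the MAB policy (PAP, unencrypted) only ever matches the phone accounts and never a domain computer.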

    • @gordoncook5365, 3 years ago, +1

      @@OsbornePro I guess I wasn't very clear. It is multi-host mode that I am talking about. Thanks

    • @OsbornePro, 3 years ago

      @@gordoncook5365 Right on, no problem. When I troubleshoot those issues I check the NPS logs on the server to verify whether or not the RADIUS server is receiving the authentication requests. If the fix is related to the Network Policy on the RADIUS server, the event logs are pretty good for narrowing down what is wrong. If the server is not receiving the authentication requests, I check the RADIUS profile on the switch first. You want to make sure the domain name is defined on the switch as well as the domain's DNS servers. Then, when you add the RADIUS server to the switch configuration, I suggest using the CN/Subject Name on the RADIUS server's certificate. Once I know all that is correct I look at the supplicant profile. If you are using server name validation in the certificate profile, the "Connect to these authentication servers" is ticked. This requires you to define your RADIUS servers. When doing this the CN/Subject Name on your RADIUS server's certificate is case sensitive. If that does not work I check the CAPI2 logs for SSL issues, I check the EapMethods-RasTls logs for RADIUS issues, and the WLAN AutoConfig logs for configuration issues. Hope this provides a little more help.
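The server-side half of the troubleshooting order in the reply above (and in the earlier reply about the "Network Policy" event logs), as an added PowerShell example that is not from the video or from OsbornePro. NPS writes its authentication audit to the Security log with event 6272 (granted), 6273 (denied) and 6274 (discarded); the "Network Policy and Access Services" custom view in Event Viewer is a filter over those. The function pulls the fields that decide a case out of the event XML. The 6273 sample event is constructed so the parser runs on any machine; the field names are the ones NPS emits, the values are made up. On a real NPS server the events only exist if the "Network Policy Server" audit subcategory is enabled (check with auditpol /get /subcategory:"Network Policy Server").

```powershell
# Added example, not from the video or OsbornePro. Parses NPS 6272/6273/6274 Security events.

function ConvertFrom-NpsEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x  = [xml]$EventXml
        $id = $x.Event.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # classic events carry a Qualifiers attribute
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $result = switch ([int]$id) { 6272 { 'GRANTED' } 6273 { 'DENIED' } 6274 { 'DISCARDED' } default { "Event $id" } }
        [pscustomobject]@{
            Time      = [datetime]$x.Event.System.TimeCreated.SystemTime
            Result    = $result
            Account   = $d['FullyQualifiedSubjectUserName']
            Machine   = $d['FullyQualifiedSubjectMachineName']
            CallingId = $d['CallingStationID']        # supplicant MAC as the switch reports it
            NasClient = $d['ClientName']              # RADIUS client friendly name defined in NPS
            NasIp     = $d['ClientIPAddress']
            CrPolicy  = $d['ProxyPolicyName']         # connection request policy that matched
            NetPolicy = $d['NetworkPolicyName']
            AuthType  = $d['AuthenticationType']
            EapType   = $d['EAPType']
            Reason    = if ($d['ReasonCode']) { "$($d['ReasonCode']): $($d['Reason'])" } else { '' }
        }
    }
}

function Get-NpsAuthEvent {
    # Live query on the NPS server; nothing returned for a client means the switch never reached NPS.
    param([int]$Hours = 24, [int[]]$Id = @(6272, 6273, 6274))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object { $_.ToXml() } | ConvertFrom-NpsEventXml
}

# Constructed 6273 sample: field names as NPS emits them, values made up for this example.
$SampleDenied = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>6273</EventID>
    <TimeCreated SystemTime="2024-10-13T14:05:11.000Z" />
  </System>
  <EventData>
    <Data Name="FullyQualifiedSubjectUserName">CORP\host/WS01.corp.example</Data>
    <Data Name="CallingStationID">00-11-22-33-44-55</Data>
    <Data Name="ClientName">sw-access-01</Data>
    <Data Name="ClientIPAddress">10.0.1.2</Data>
    <Data Name="ProxyPolicyName">Wired 802.1X</Data>
    <Data Name="NetworkPolicyName">Wired EAP-TLS Computers</Data>
    <Data Name="AuthenticationType">EAP</Data>
    <Data Name="EAPType">Microsoft: Smart Card or other certificate</Data>
    <Data Name="ReasonCode">16</Data>
    <Data Name="Reason">Authentication failed due to a user credentials mismatch.</Data>
  </EventData>
</Event>
'@

ConvertFrom-NpsEventXml $SampleDenied | Format-List
# On the NPS server:
# Get-NpsAuthEvent -Hours 2 | Where-Object Result -ne 'GRANTED' |
#     Format-Table Time, Account, CallingId, NasClient, NetPolicy, Reason -Wrap
```

Reading the output the way the reply describes: no events at all for a given NasClient means the request never arrived (check the switch's RADIUS profile, DNS and shared secret, and that the switch's source address is a registered RADIUS client); a 6273 with CrPolicy or NetPolicy empty means no policy matched; a 6273 with the right policy and a reason such as the sample's "credentials mismatch" means NPS could not map the presented certificate to an account, which is the case the Linux and Mac questions earlier in the thread describe.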

  • @bjornthor, 10 months ago, +1

    Nice, not enough documentation for the wired 802.1x part

    • @OsbornePro, 10 months ago

      Thanks for watching! I am with you, the information is not centralized at all and it is hard to find a good resource.

  • @TheJzee007, 2 years ago, +1

    Can you upload EAP-TLS certificate-based authentication for VPN?

    • @OsbornePro, 2 years ago

      Thanks for watching! I plan on doing an Always On VPN video in the near future. If it helps in the meantime, I put together a PowerShell script that can be used to create client profiles on remote machines.
      github.com/OsbornePro/ConfigTemplates/blob/main/New-AOVPNClientProfile.ps1
      The above script assumes that the VPN profile being created is using a PEAP tunnel with EAP-TLS user and computer certificates for authenticating an IKEv2 tunnel. It uses strong encryption methods, certificate verification, server verification, disables NetBIOS and IPv6, and uses split tunneling so only traffic destined for the remote network goes to the remote network. Microsoft provides one in their documentation I tried using originally, but it does not work. I get Access Denied errors in Windows 10 and it does not work on Windows 11. They "suggest"/want you to purchase an Intune subscription to deploy Always On VPN. This script, if set as a logon script, will prevent the need for that purchase to manage Always On VPN profiles. The Microsoft script and documentation I am referring to can be read here: docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections
      Richard Hicks is a huge resource for anything DirectAccess and Always On VPN. He tried to improve Microsoft's script for Windows 11. He talks about it here: directaccess.richardhicks.com/2022/02/07/always-on-vpn-powershell-script-issues-in-windows-11/