I want to know how GINA works in terms of:
1- With GINA user first login to OAC then OAC gets the IP address and put the user on the network
2- Then windows login using the same credentials
Am I correct in understanding this?
OAC GINA is used in enabling network authentication to occur before the user is authenticated against the AD.
This helps similar to the single sign on where the user is not required to enter login credentials twice.
Generally when 802.1x is implemented for L2 authentication, the user is not allowed to send any traffic through the switch port before L2 authentication is performed.
GINA captures the user credentials from windows logon dialog, delays the log on process on windows and uses the credentials to authenticate on the network.
Once the Authentication is done, windows log on process occurs as usual.
In this scenario, authentication is happening in two stages, 1- authenticating on the network 2 - authenticating to the domian.
OAC GINA is a replacement of Windows GINA module, that helps Odyssey Client to perform network authentication using windows logon credentials.
This requires the user to enter credentials only once while actually the authentication is happening 2 times.
Hope this helps.
no, there is no Single Sign On capabilities in Pulse presently.
If only using 802.1x without using juniper firewalls as Infranet Enforcers you could also use the inbuilt windows / mac / linux 802.1x client instead of OAC and get SSO.
Aeroplane, one misconception many people have is that OAC obtains the IP address after logon.
This is actually an incorrect assumption. Once the 802.1x authentication has occured, OAC will open the network port. This causes a media connect message to be sent to the DHCP client on the PC. The DHCP client is the one ultimately responsible for obtaining the IP address for the workstation.
JTAC gets many calls where the user is blaming OAC for not getting an IP address when in fact it is a problem on the OS side.