Background:
Now I want to remove IAS and use IC-4000 as the RADIUS server. I configured IC-4000 as the RADIUS server by adding its IP on the switches and made the switches IC-4000's clients. Created a Location Group and sign-in policy and added that location group.
Every time my clients try to log in, it fails and shows the following error:
Required Certificate is missing, wrong Certificate
and authentication fails; the client can't even get an IP.
I added the CA certificate to Trusted CAs on IC-4000.
I have also configured RADIUS attribute policies for VLAN assignment.
What configuration steps are required on IC-4000 to work as a RADIUS server and check computer certificates, so that the client can get an IP easily according to its VLAN? What configuration is required for OAC?
I need an urgent reply, please...
Mr Manoj, where are you, man...? Everyone is welcome to respond immediately.
Thanks / Regards
Raja M Kamran
1) Load the CA certificate onto the IC's Trusted Client CA certificates list and set the cert status checking to whatever suits your deployment. You can set it to none if you are confused. Make sure you select the "Trusted for Client Authentication?" checkbox and save settings.
2) Create a new Certificate Auth Server, give it a name and just save changes. Nothing much to configure here.
3) Create a new Authentication Protocol set. You can have two possible configurations here (choose any one):
a) Remove EAP-TTLS and EAP-PEAP from the selected protocols list, add EAP-TLS, and save the auth protocol set by giving it a name.
b) Remove EAP-TTLS from the selected protocols list and, under the PEAP section, remove the existing entries under selected protocols, add EAP-TLS only, and save the auth protocol set.
4) You need to have the protocol config in the OAC profile as well:
a) Create a profile in OAC and uncheck the "permit login using password" checkbox.
b) Under the Authentication tab, remove EAP-TTLS and add EAP-TLS or EAP-PEAP depending on which auth protocol set you created on the IC. If you selected EAP-PEAP, go to the PEAP tab, remove the existing protocols and add EAP-TLS.
5) Under User Info -> Certificate tab, select "permit login using my certificate" and "use automatic cert selection".
6) Use this profile in OAC for authenticating to the IC.
7) Create a sign-in URL in the IC which uses the just-created auth protocol set and associate it with a realm which uses the just-created certificate auth server. Create roles as per your requirement.
8) Create a Location group and attach it to this sign-in URL; add RADIUS clients and create RADIUS attribute policies as per your requirement.
Let me know if things are not working.
Problems with this config are:
1) You won't be able to do host checks.
2) You won't be able to use a firewall as an Infranet Enforcer with Infranet Auth policies.
Reply if you need any of the above things. I can suggest other options.
thanks
Hi
Thanks for your immediate response, but I'm facing a few difficulties...
> 3) Create a new Authentication Protocol set. You can have two possible configurations here (choose any one): a) Remove EAP-TTLS and EAP-PEAP from the selected protocols list, add EAP-TLS, and save the auth protocol set by giving it a name. b) Remove EAP-TTLS from the selected protocols list and, under the PEAP section, remove the existing entries under selected protocols, add EAP-TLS only, and save the auth protocol set.
Manoj, where is this feature in IC-4000's interface? I can't find anything like this.
A few more questions for you:
Also tell me how I can use the ISG-1000 firewall as an enforcer with 802.1x (computer certificates).
Or give me suggestions on what changes can be made to my scenario to achieve the required goals.
Thanks / Regards,
Raja M Kamran
> Where is this feature in IC-4000's interface? I can't find anything like this.
hi
I am still facing difficulties logging in using certificates... Give me suggestions on what to do.
I have told you I want to check computer certificates, not user certificates... but in OAC properties, when I click on certificate it shows only the user's certificates, not computer certs.
If you want to give suggestions regarding changes in the scenario, please go ahead.
I'm tired now... it is very difficult.
Actually my goals are
Question arises in my mind!
Please help me!
Raja M Kamran
Your problem description "802.1x authentication using computer certificates" misled me into thinking that you are using certificate authentication :=) .
1) Use AD as the auth server for the realm and create role mapping rules based on AD group lookup, and map users to 3 roles (dept role, remediation role and quarantine role, in that order).
2) Make sure that the certificate CA is added to the trusted CA list on the IC.
3) On the IC, create 3 Host Checker policies:
a) Custom: Antivirus policy for checking antivirus on the user's computer. Configure what AV parameters you want to check.
b) Custom: Patch Assessment policy for checking patches for specific software on the user's PC.
c) Custom: Machine Certificate policy for checking the computer certificate. Make sure you select the proper CA which issued the machine certificate. You can also configure other certificate parameters you want to check for.
4) Assign all three HC policies to the dept role, assign the Machine Cert HC policy to the Remediation role, and leave the Quarantine role without any HC policies.
5) Now create RADIUS attribute policies for each role in the following order:
a) Applies to Dept Role and returns the dept's VLAN ID
b) Applies to Remediation Role and returns the Remediation role's VLAN ID
c) Applies to Quarantine Role and returns the Quarantine role's VLAN ID
> Question arises in my mind!
Nothing fancy. Just add the adapter on which you are doing 802.1x, select the profile you want to use, and configure the required username/password settings in the profile.
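As an added illustration of the ordered role -> Host Checker -> RADIUS attribute chain in the steps above (example code written for this thread, not Juniper's IC code), the model below shows why the order of the RADIUS attribute policies matters and what the switch actually receives. The role names, AD group names, Host Checker policy names and VLAN IDs are constructed sample values; the attribute values are the RFC 3580 ones an 802.1X switch expects in an Access-Accept for VLAN assignment.

```python
# Added example (not Juniper's code): a model of how the IC evaluates the
# ordered role -> Host Checker -> RADIUS attribute chain described above.
# Role names, AD group names, HC policy names and VLAN IDs are constructed.

# RFC 3580 values an 802.1X switch expects in an Access-Accept to move the
# port into a VLAN.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6

# Role mapping rules (step 1): AD group lookup -> roles, in the order the
# roles were created (dept, remediation, quarantine).
ROLE_MAPPING = {
    "Finance": ["finance", "remediation", "quarantine"],
    "HR": ["hr", "remediation", "quarantine"],
}

# Host Checker policies assigned to each role (step 4): dept roles need all
# three checks, remediation only the machine certificate, quarantine none.
HC_POLICIES = {
    "finance": {"antivirus", "patch_assessment", "machine_certificate"},
    "hr": {"antivirus", "patch_assessment", "machine_certificate"},
    "remediation": {"machine_certificate"},
    "quarantine": set(),
}

# RADIUS attribute policies (step 5), evaluated top to bottom; the first
# policy whose role the session holds decides the VLAN.
RADIUS_ATTRIBUTE_POLICIES = [
    ("finance", 10),
    ("hr", 20),
    ("remediation", 99),
    ("quarantine", 999),
]


def effective_roles(ad_groups, passed_checks):
    """Return the roles the session ends up in after Host Checker evaluation.

    A role is kept only when every HC policy assigned to it passed; a
    machine without a valid certificate therefore falls out of both the
    dept and remediation roles and is left with quarantine only.
    """
    mapped = []
    for group in ad_groups:
        for role in ROLE_MAPPING.get(group, []):
            if role not in mapped:
                mapped.append(role)
    return [r for r in mapped if HC_POLICIES[r] <= set(passed_checks)]


def radius_attributes(ad_groups, passed_checks):
    """Build the Access-Accept VLAN attributes, or None for an Access-Reject."""
    roles = effective_roles(ad_groups, passed_checks)
    for role, vlan_id in RADIUS_ATTRIBUTE_POLICIES:
        if role in roles:
            return {
                "Tunnel-Type": TUNNEL_TYPE_VLAN,
                "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE_802,
                "Tunnel-Private-Group-ID": str(vlan_id),
            }
    return None  # no role matched: the switch gets Access-Reject


if __name__ == "__main__":
    all_checks = {"antivirus", "patch_assessment", "machine_certificate"}
    print(radius_attributes(["Finance"], all_checks))               # VLAN 10
    print(radius_attributes(["Finance"], {"machine_certificate"}))  # VLAN 99
    print(radius_attributes(["Finance"], set()))                    # VLAN 999
    print(radius_attributes(["Guests"], all_checks))                # None
```

Because a Finance user holds the remediation and quarantine roles as well as the dept role, the dept policy has to sit above the remediation and quarantine policies: if the remediation policy were listed first, every healthy Finance machine would be placed in VLAN 99. The quarantine policy at the bottom is the catch-all for a machine whose certificate check fails, and a user who maps to no role at all gets no attributes, which the switch treats as a reject.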
hi
Thanks a lot, Mr. Manoj, for your kind help; now I'm on my way... I just upgraded my IC and now these options, like Authentication Protocol Set, are available to me. Actually I was using the UAC 2.0 R2 version...
Now I'll tell you soon about my progress...
Once again I'm very grateful for your quick and helpful responses.
One thing I want to ask: which certificate attributes can I use for checking client system validation?
Reply to me with the CA attributes.
Thanks
Take great care
Raja M Kamran
Dear Manoj,
Thanks for your help, it's working now. The Host Checker policy for computer certificates is working fine, but another problem that I'm facing is that a new user whose profile is not on the system can't log in!
I tried various combinations of authentication through the OAC client but it's not working.
Actually the problem is that the computer gets an IP from DHCP after the user's login --> OAC connects to IC --> user authentication is performed --> VLAN assignment.
Now please help me in this regard.
I want the computer to get an IP before the user's login, because I'm just checking computer certificates, and VLAN assignment is based on computer groups (dept-wise computer groups).
Or if you can suggest a better solution, then please, you are welcome.
Thanks / Regards
Raja
New AD users won't be able to log in to Windows as the machine doesn't have the new user's credentials cached locally.
How to get it to work: you can enable 'GINA' in OAC.
When GINA is enabled: after the Windows user gives his username and password (in the Windows login prompt), OAC captures the credentials, pauses the Windows login, authenticates the user with the IC, puts the machine into the authorised VLAN (based on your config), and then allows Windows to continue its logon process. When Windows starts the login process, the machine has an IP address so that it can reach the Domain Controller to authenticate the new user.
Please refer to the OAC Admin Guide and OAC User Guide to learn how to enable GINA in OAC.
Thanks
Manoj
One more thing I found out: the IC doesn't check computer/machine membership in groups! Is it true?
Because I added a user and computer to the same group, say Finance, and then it was working; when I removed the user from Finance and logged in again, it didn't get the Finance VLAN... why?
thanks
Raj