OAC machine authentication without certs

SOLVED
l0stb0y_
Contributor

OAC machine authentication without certs

IC 4500 running 3.0R2 (build 13209)

I was wondering if anyone has had success in using Odyssey and machine authentication without a certificate? I'm trying to use EAP-PEAP with the Realm prefilled on the JUAC tab. I have it set to change to user auth once someone logs in. My whole intention for this is so we can RDP to a PC on an 802.1x port.

A policy trace shows (sanitized):

PTR23373 2009/09/15 13:19:19 - [0.0.0.0] - PCNAME.DOMAIN.COM(Computers)[] - User lookup failed to LDAP server Computers LDAP:
Info PTR23334 2009/09/15 13:19:19 - [0.0.0.0] - PCNAME.DOMAIN.COM(Computers)[] - Sign-in rejected using auth server Computers LDAP (LDAP Server). Reason: Failed
Info PTR23337 2009/09/15 13:19:52 - [0.0.0.0] - PCNAME.DOMAIN.COM(Computers)[] - Requesting more sign-in prompts as required by auth server "Computers LDAP"
Info PTR23329 2009/09/15 13:19:52 - [0.0.0.0] - PCNAME.DOMAIN.COM(Computers)[] - Resuming sign-in process
Info PTR23333 2009/09/15 13:19:52 - [0.0.0.0] - PCNAME.DOMAIN.COM(Computers)[] - Sign-in prompt password = "****"
Info PTR23370 2009/09/15 13:19:52 - [0.0.0.0] - PCNAME.DOMAIN.COM(Computers)[] - Attempting to authenticate user "PCNAME.DOMAIN.COM" with auth server "Computers LDAP"

I'm at a loss as to whether LDAP (AD) is rejecting the password or if it is a problem of locating the machine account itself. Nothing is logged on the Active Directory side which makes me suspicious it is not finding the account in the AD OU.

Any thoughts appreciated.

Thanks,

Rob
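As an added example (not part of the post, and not a Juniper tool), here is a small triage script run over the sanitized trace quoted above. It parses each policy-trace line into its fields and then orders the events to answer the lookup-versus-password question: the first rejection (PTR23334) is logged in the same second as "User lookup failed" and before any "Sign-in prompt password" line, so the auth server never got as far as checking a credential. The PTR codes and message texts are copied from the post; the line grammar is my reading of those six lines, not a documented IC log format, and the sample trace is embedded as constructed test input.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the sanitized policy trace from the post above, embedded
# here as test input (hostnames, IPs and timestamps are the post's placeholders).
SAMPLE_TRACE = """\
PTR23373 2009/09/15 13:19:19 - [0.0.0.0] - PCNAME.DOMAIN.COM(Computers)[] - User lookup failed to LDAP server Computers LDAP:
Info PTR23334 2009/09/15 13:19:19 - [0.0.0.0] - PCNAME.DOMAIN.COM(Computers)[] - Sign-in rejected using auth server Computers LDAP (LDAP Server). Reason: Failed
Info PTR23337 2009/09/15 13:19:52 - [0.0.0.0] - PCNAME.DOMAIN.COM(Computers)[] - Requesting more sign-in prompts as required by auth server "Computers LDAP"
Info PTR23329 2009/09/15 13:19:52 - [0.0.0.0] - PCNAME.DOMAIN.COM(Computers)[] - Resuming sign-in process
Info PTR23333 2009/09/15 13:19:52 - [0.0.0.0] - PCNAME.DOMAIN.COM(Computers)[] - Sign-in prompt password = "****"
Info PTR23370 2009/09/15 13:19:52 - [0.0.0.0] - PCNAME.DOMAIN.COM(Computers)[] - Attempting to authenticate user "PCNAME.DOMAIN.COM" with auth server "Computers LDAP"
"""

# Assumed line grammar: [level] code timestamp - [ip] - user(realm)[roles] - message
LINE_RE = re.compile(
    r"^(?:(?P<level>[A-Za-z]+)\s+)?(?P<code>PTR\d+)\s+"
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+-\s+"
    r"\[(?P<ip>[^\]]*)\]\s+-\s+"
    r"(?P<user>[^(]+)\((?P<realm>[^)]*)\)\[(?P<roles>[^\]]*)\]\s+-\s+"
    r"(?P<msg>.*)$"
)
# "Sign-in rejected using auth server <name> (<type>)" carries the server type,
# which is exactly what the accepted answer says has to be Active Directory.
REJECT_RE = re.compile(r"using auth server (?P<name>.+?) \((?P<type>[^)]+)\)")


@dataclass
class Event:
    level: Optional[str]
    code: str
    ts: str
    ip: str
    user: str
    realm: str
    roles: str
    msg: str


def parse_trace(text: str) -> List[Event]:
    """Parse a policy trace; refuse lines that do not fit rather than drop them silently."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised trace line: {line!r}")
        events.append(Event(**m.groupdict()))
    return events


def classify(ev: Event) -> str:
    """Map a message to the handful of event kinds the triage cares about."""
    msg = ev.msg
    if msg.startswith("User lookup failed"):
        return "lookup_failed"
    if msg.startswith("Sign-in rejected"):
        return "rejected"
    if msg.startswith("Sign-in prompt password"):
        return "password_submitted"
    if msg.startswith("Attempting to authenticate"):
        return "auth_attempt"
    return "other"


def triage(events: List[Event]) -> Dict[str, object]:
    """Decide whether the rejection happened at account lookup or at the credential check.

    A rejection that is preceded by 'User lookup failed' and by no password prompt
    never reached a password check; a rejection after a password prompt did.
    """
    result: Dict[str, object] = {
        "user": None, "auth_server": None, "server_type": None,
        "lookup_failed": False, "rejected_before_password": False,
        "rejected_after_password": False, "verdict": "none", "detail": "no rejection seen",
    }
    password_seen = False
    for ev in events:
        result["user"] = result["user"] or ev.user
        kind = classify(ev)
        if kind == "lookup_failed":
            result["lookup_failed"] = True
        elif kind == "password_submitted":
            password_seen = True
        elif kind == "rejected":
            m = REJECT_RE.search(ev.msg)
            if m:
                result["auth_server"], result["server_type"] = m.group("name"), m.group("type")
            if password_seen:
                result["rejected_after_password"] = True
            else:
                result["rejected_before_password"] = True
    if result["lookup_failed"] and result["rejected_before_password"]:
        result["verdict"] = "lookup_failure"
        result["detail"] = ("rejected before any password was submitted, right after 'User lookup failed': "
                            "the auth server could not find the machine account, so check the server type and "
                            "the container the computer accounts live in before suspecting the password")
    elif result["rejected_after_password"]:
        result["verdict"] = "credential_failure"
        result["detail"] = "rejected after a password was submitted: the credential check itself failed"
    elif password_seen:
        result["verdict"] = "pending"
        result["detail"] = "trace ends with an authentication attempt still in progress"
    return result


if __name__ == "__main__":
    r = triage(parse_trace(SAMPLE_TRACE))
    print(f"{r['user']} via {r['auth_server']} ({r['server_type']}): {r['verdict']}")
    print(r["detail"])
```

On this trace the script reports lookup_failure for PCNAME.DOMAIN.COM against "Computers LDAP (LDAP Server)", which matches what the thread later found: the server was the wrong type and the computer accounts were not in the default container, so nothing ever reached Active Directory as a logon attempt.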

Deimark_
Occasional Contributor

Re: OAC machine authentication without certs

Hiya

We are also in a position here where we want to use machine accounts on the OAC client to get some connectivity to the machine using dot1x before a user logs in and are having some issues getting this to work.

We would be greatly interested to hear of anyone getting this to work and also what settings managed to achieve your required goal. So far we have not got the errors you see but it's still early for us and I suspect we will be posting more info including logs shortly.

Any light that can be shed on this would be greatly appreciated.

TIA

l0stb0y_
Contributor

Re: OAC machine authentication without certs

Finally got this working. Having machine auth before user auth seems to have solved our issue of not being able to RDP to PCs on 802.1x ports. I ended up calling JTAC and was happily surprised to get someone very knowledgeable and understandable on the first call. He immediately pointed out that the type of authentication server must be Active Directory. We were trying to use LDAP prior. On the AD setup it says you need to use an administrator account which would be another problem for us. We found that it works with an account that has enough rights to add/remove computer accounts to the domain. The other thing we had to change was the container name under advanced options since we don't use the default of Computers for our computer accounts. We are using EAP-PEAP with EAP-JUAC and EAP-MS-CHAP-V2. The JUAC tab on the Odyssey client is prefilled with the realm and role. Working well with no certs.
Deimark_
Occasional Contributor

Re: OAC machine authentication without certs

I am really sorry about the delay in this.

We did manage to get it resolved using the means you mentioned and it did indeed require a call to JTAC to confirm the machine auth stuff. Like you, the JTAC guy was very knowledgeable too, may be the same one hehe.

We then hit other issues on this install, namely down to Cisco switches, dot1x and return attributes needed.

Does seem that there is a lack of example docs for this particular product. The docs are good and do indeed have all the info we need, but it's not obvious nor is it easy to find. I suspect that this will get corrected in time as the product gets used a lot more but it was rather disappointing and frustrating when we could not get decent detailed info on this.

Still a great product tho. :P

DM

l0stb0y_
Contributor

Re: OAC machine authentication without certs

Sounds like we've encountered a similar adventure. We're using Cisco 3560 switches and Avaya IP phones and getting all the pieces to play nicely took some time. We ended up using MAB for the phones since our Telecom folks have no interest in putting credentials into all of the phones. So now we have PCs doing machine and user auth connecting through the port on the Avaya phones which in turn connects to Cisco switches.

Rob

Deimark_
Occasional Contributor

Re: OAC machine authentication without certs

Indeed it was Cisco switches but Siemens phones.

Similar MAC auth (using wildcards) and much wailing and gnashing of teeth to find out that the Cisco needed to have the voice VLAN attribute passed to it when we enabled dot1x (when it quite happily functioned fine without it when dot1x was disabled).

All in all, a very interesting deployment but I would rather have been able to rely on example docs than go through the school of hardship hehe.

M

l0stb0y_
Contributor

Re: OAC machine authentication without certs

I had to find that too. In case anyone else reads this:

Attribute= Cisco-AVPAIR
Value= device-traffic-class=voice
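As an added example (not from the thread, and not Juniper or Cisco code), here is what that return attribute looks like on the wire. Cisco-AVPair is a RADIUS Vendor-Specific attribute (type 26, RFC 2865) whose body carries Cisco's IANA enterprise number 9 followed by vendor-type 1 and the text. The Python below encodes and decodes that attribute with the length checks a parser needs so a truncated or tampered Access-Accept is rejected instead of being read past its end; it does not build the surrounding RADIUS packet or its authenticator. The vendor and type numbers are standard; the function names are mine.

```python
import struct
from typing import List, Tuple

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 section 5.26, Vendor-Specific
CISCO_VENDOR_ID = 9           # IANA enterprise number for Cisco
CISCO_AVPAIR = 1              # vendor-type of Cisco-AVPair inside the VSA
VOICE_AVPAIR = "device-traffic-class=voice"   # the value the thread settled on


def encode_cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair as a complete RADIUS Vendor-Specific attribute.

    Layout: Type=26 | Length | Vendor-Id (4 octets) | Vendor-Type | Vendor-Length | String
    """
    data = value.encode("ascii")
    # The outer Length octet has to cover 2 header + 4 vendor-id + 2 sub-header + data.
    if len(data) > 255 - 8:
        raise ValueError("AV pair too long for one VSA (max 247 bytes of text)")
    vendor_data = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, 6 + len(vendor_data), CISCO_VENDOR_ID) + vendor_data


def decode_vsas(attrs: bytes) -> List[Tuple[int, int, bytes]]:
    """Walk a RADIUS attribute list and return (vendor_id, vendor_type, value) per VSA sub-attribute.

    Every length field is checked against the remaining buffer before it is used,
    so a short or malicious attribute list raises rather than mis-parsing.
    """
    found: List[Tuple[int, int, bytes]] = []
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        body = attrs[i + 2:i + alen]
        if atype == RADIUS_VENDOR_SPECIFIC:
            if len(body) < 6:
                raise ValueError("VSA shorter than vendor-id plus one sub-attribute header")
            vendor_id = struct.unpack("!I", body[:4])[0]
            j = 4
            while j < len(body):
                if j + 2 > len(body):
                    raise ValueError("truncated vendor sub-attribute header")
                vtype, vlen = body[j], body[j + 1]
                if vlen < 2 or j + vlen > len(body):
                    raise ValueError(f"bad vendor sub-attribute length {vlen}")
                found.append((vendor_id, vtype, body[j + 2:j + vlen]))
                j += vlen
        i += alen
    return found


def cisco_avpairs(attrs: bytes) -> List[str]:
    """Return the text of every Cisco-AVPair found in the attribute list, in order."""
    return [v.decode("ascii", "replace")
            for vid, vt, v in decode_vsas(attrs)
            if vid == CISCO_VENDOR_ID and vt == CISCO_AVPAIR]


def grants_voice_vlan(attrs: bytes) -> bool:
    """True if the Access-Accept attributes tell a Cisco switch to treat the client as a voice device."""
    return VOICE_AVPAIR in cisco_avpairs(attrs)


if __name__ == "__main__":
    accept_attrs = encode_cisco_avpair(VOICE_AVPAIR)
    print(accept_attrs.hex())          # 1a22000000 09011c + the AV pair text
    print(grants_voice_vlan(accept_attrs))
```

Seeing the hex once makes the switch-side debugging easier: a packet capture of the Access-Accept for the phone's MAB session should contain the bytes 1a 22 00 00 00 09 01 1c followed by the AV pair text, and if it does not, the attribute was never returned, whatever the UAC policy page says.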

Deimark_
Occasional Contributor

Re: OAC machine authentication without certs

Yup, thats it. You beat me to it.

I was looking for the details but you are obviously quicker. :D

aronow_
Contributor

Re: OAC machine authentication without certs

So if you are trying to use machine auth with machine credentials then you can't use an LDAP realm.

You must use an AD auth server. If your AD server is 2008 then you should checkout the following KB:

http://kb.pulsesecure.net/KB14345

Thanks

-Jeff

y2k_
New Contributor

Re: OAC machine authentication without certs

Hi all

I've just come across this thread while doing some searching, and it's exactly what I'd like to do with our network also ... so I'm really happy to see that it's possible!

I just have a few questions though:

1. When you say that the authentication server must be AD and not LDAP, do you mean that a domain controller must authenticate the computer directly? Or can the computer authenticate against a Juniper UAC product (IC4000 in our case probably) which then passes the credentials to AD?

2. Can all of this be done over EAP without an IP address? Or does the machine require an IP address in order to do the computer authentication?

3. If it can be done without an IP address, can the machine do normal AD based "tasks" after it has successfully authenticated (and gotten an IP address), such as apply GPO etc.?

4. I think the answer to this is yes (based on what I've read above) but is it also possible to authenticate the user after the computer has been authenticated ?

Sorry, I realize this isn't my thread, but as it's related so closely to what I'm trying to do, I thought I'd reply here

Thanks again