Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

OAC machine authentication without certs

SOLVED
Go to solution
aronow_
Contributor
‎01-13-2010 03:12:PM
‎01-13-2010 03:12:PM

Re: OAC machine authentication without certs

1) Machine auth against an IC can happen at L2 (802.1x) The auth server type used on the IC MUST be AD, not LDAP. I know that "AD" has LDAP capabilities, but you can not do machine auth with an IC with an auth server of type LDAP pointing at an AD. The reason has to do with the type of auth being done. Its not possible to perform the type of auth over LDAP, only via the auth means employed by an auth server of type AD.

2) Machine auth with Machine credentials is possible with the OAC supplicant at L2 (802.1x, thus pre-IP address)

3) Yep, you can get machine GPO's. You can leave machine auth up if you only desire to auth the machine to the network. Some people like to auth the machine, and then auth the user. This is a more complex config as the timing can get a little awkward to make sure user GPO's get applied correctly since the supplicant has to disconnect the machine 802.1x auth, and authenticate as the user (this involves a small break in L3 network connectivity.) It works, but it can get a little tricky depending on your network setup and GPO configuration. I would strongly recommend testing this on your network before putting into production.

4) Yes this can work with the caveats mentioned in 3)

0 Kudos
y2k_
New Contributor
‎01-13-2010 03:36:PM
‎01-13-2010 03:36:PM

Re: OAC machine authentication without certs

wow ... quick reply ... thanks so much !!! You've answered all my questions perfectly

Just one final question - is it recommended to do both machine auth and user auth ? Or is the OAC machine auth considered to be reliable enough on it's own ? I'm just thinking of this from the point of view of rogue machines getting on the network

Thanks again, really do appreicate the help

0 Kudos
aronow_
Contributor
‎01-13-2010 07:30:PM
‎01-13-2010 07:30:PM

Re: OAC machine authentication without certs

It really depends on the security problem you are trying to solve.

If you are only worried about which workstations are on your network, then you only need machine auth. If you use domain logins for all the workstations, you don't have to do user network auth as they will still require authentication to get logged into the workstation. If you want to have different vlans for users vs computers, then you'll need to do machine auth and then switch to user auth.

All is configurable in the Odyssey Administrator.

0 Kudos
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.