You can't use 802.1X VLAN assignment with a clientless configuration.
Clientless needs an Infranet Enforcer (ScreenOS or Junos firewall) as the Layer 3 enforcer.
802.1X needs either OAC or Junos Pulse. With one of these clients, the host is checked before the first VLAN assignment; there is no temporary VLAN assignment as with some other unsecured NAC competitors.
Thanks a million Stanislas.
I thought I could make this work with the agentless mode, just using the native Windows supplicant. I shall implement it using OAC and let you know how it goes. Here are a few questions needing a prompt response regarding this deployment:
1. I get this debug message from my Cisco switch on the port connecting to my PC. Any idea what this is about?
04:35:30: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/2.
2. I have an AD server connected to the MAG for user authentication. However, each time I try to authenticate a user via the AD, I get the following error message:
2011-11-22 18:58:29 - ic - [0.0.0.0] ZENITHLAB\testuser2(TestRealm) - Radius authentication rejected for ZENITHLAB\testuser2 (realm 'TestRealm') from location-group 'Firstfloor' and attributes are: NAS-IP-Address = 10.0.1.99,NAS-Port = 50002,NAS-Port-Type = 15
2011-11-22 18:58:29 - ic - [0.0.0.0] ZENITHLAB\testuser2(TestRealm) - Login failed using auth server ZenithAD (Samba). Reason: Failed
2011-11-22 18:58:29 - ic - [0.0.0.0] ZENITHLAB\testuser2(TestRealm) - Primary authentication failed for ZENITHLAB\testuser2/ZenithAD from 00-21-86-F2-F5-16
Please, what could be wrong with my setup?
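The three MAG/IC log lines quoted above all describe one rejected login attempt. The following Python script is an added example (not from this thread or from Juniper) that parses that log format, splits out the RADIUS attributes, the auth server and failure reason, and the client MAC, and groups the lines per attempt so a triage script can see at a glance which NAS, auth server and reason are involved. The sample input is the quoted lines, embedded verbatim; the field layout is inferred from them and is an assumption for any other message types.

```python
import re
from collections import defaultdict

# Constructed sample: the three IC log lines quoted in the post, verbatim.
SAMPLE_LOG = r"""
2011-11-22 18:58:29 - ic - [0.0.0.0] ZENITHLAB\testuser2(TestRealm) - Radius authentication rejected for ZENITHLAB\testuser2 (realm 'TestRealm') from location-group 'Firstfloor' and attributes are: NAS-IP-Address = 10.0.1.99,NAS-Port = 50002,NAS-Port-Type = 15
2011-11-22 18:58:29 - ic - [0.0.0.0] ZENITHLAB\testuser2(TestRealm) - Login failed using auth server ZenithAD (Samba). Reason: Failed
2011-11-22 18:58:29 - ic - [0.0.0.0] ZENITHLAB\testuser2(TestRealm) - Primary authentication failed for ZENITHLAB\testuser2/ZenithAD from 00-21-86-F2-F5-16
"""

# Common prefix: "<timestamp> - <source> - [<ip>] <user>(<realm>) - <message>"
# (layout assumed from the quoted lines).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<src>\S+) - "
    r"\[(?P<ip>[^\]]+)\] (?P<user>[^(]+)\((?P<realm>[^)]+)\) - (?P<msg>.*)$"
)
# "key = value" pairs in the RADIUS attribute list, comma separated.
ATTR_RE = re.compile(r"(?P<key>[\w-]+) = (?P<val>[^,]+)")
AUTHSRV_RE = re.compile(
    r"auth server (?P<server>\S+) \((?P<type>[^)]+)\)\. Reason: (?P<reason>.*)$"
)
MAC_RE = re.compile(r"from (?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})$")


def parse_line(line):
    """Parse one IC log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["user"] = ev["user"].strip()
    msg = ev["msg"]
    if msg.startswith("Radius authentication rejected"):
        ev["kind"] = "radius_reject"
        _, _, attrs = msg.partition("attributes are: ")
        ev["attrs"] = {k: v.strip() for k, v in ATTR_RE.findall(attrs)}
    elif msg.startswith("Login failed using auth server"):
        ev["kind"] = "auth_server_failed"
        a = AUTHSRV_RE.search(msg)
        if a:
            ev.update(a.groupdict())
    elif msg.startswith("Primary authentication failed"):
        ev["kind"] = "primary_auth_failed"
        a = MAC_RE.search(msg)
        if a:
            ev["mac"] = a.group("mac")
    else:
        ev["kind"] = "other"
    return ev


def parse_log(text):
    """Parse every non-empty line; unparseable lines are dropped."""
    return [ev for ev in (parse_line(l) for l in text.strip().splitlines()) if ev]


def summarize_failures(events):
    """Group events by (timestamp, user, realm): the IC writes several lines
    for a single failed attempt, so this merges NAS, auth server, reason and
    client MAC into one record per attempt."""
    attempts = defaultdict(dict)
    for ev in events:
        slot = attempts[(ev["ts"], ev["user"], ev["realm"])]
        if ev["kind"] == "radius_reject":
            slot["nas_ip"] = ev["attrs"].get("NAS-IP-Address")
            slot["nas_port"] = ev["attrs"].get("NAS-Port")
        elif ev["kind"] == "auth_server_failed":
            slot["auth_server"] = ev.get("server")
            slot["server_type"] = ev.get("type")
            slot["reason"] = ev.get("reason")
        elif ev["kind"] == "primary_auth_failed":
            slot["mac"] = ev.get("mac")
    return dict(attempts)


if __name__ == "__main__":
    for key, rec in summarize_failures(parse_log(SAMPLE_LOG)).items():
        print(key, rec)
```

Run it against an export of the IC user-access log (one line per entry) and the per-attempt records make it easy to tell a wholesale auth-server failure (same `reason` and `auth_server` for every user) from a per-user problem such as a wrong username format.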
I'm not sure about your setup, but:
- If you do the HC evaluation at the realm level, you can then make a role mapping rule based on the status of the Host Checker (if HC=OK -> role employee, else -> role quarantine).
- You can do VLAN assignment without an agent, but an agent is needed if you want Host Checker.
I'm pretty sure you can allow agent AND agentless clients in the same realm, by selecting the right protocols in the protocol set, then making the distinction with role mapping rules.
With an AD configuration, make sure NTP is configured on the IC/MAG and that it is the same as on the AD server, because this type of authentication requires time sync to work (linked to Kerberos tickets, I think), and it can generate the authentication failed log you linked. Please make sure that the username is in the right format by using the policy tracing option; you may need to remove/add the realm suffix to the username value.
Hope it will help.