I am going to deploy UAC and have some questions:
1- Is it required that 802.1x be enabled on the client PC, or is the OAC enough?
2- If the user is a member of the domain and 802.1x is enabled on the switch port, then he will not have access to the domain controller to sign in using his domain account, because he still doesn't have an IP, so what to do?
1 - OAC contains the Odyssey 802.1X supplicant. There is no need to activate the Windows 802.1X supplicant.
2 - To allow users to authenticate in the domain, use machine authentication based on a machine certificate or an AD/NT authentication server. The PC will be authenticated in the network during boot.
In the IC configuration, you can choose:
- Certificate authentication: add the CA in Administration / Certificate / Trusted Client certificates, create a Certificate authentication server and use this Auth server in the realm used
- AD authentication based on the host name / password on the domain. You must use AD/NT and not LDAP for machine authentication
In OAC, in tools / Odyssey Access Client administrator / Connection settings / machine account, check "enable network connection using machine account".
Configure 802.1X authentication in tools / Odyssey Access Client administrator / machine account as you configure user authentication in the main window.
Thank you for the reply.
I already use the AD authentication server, and the role mapping is based on the users' group membership, so what are the changes I have to make on the UAC to configure machine authentication, like changing the role mapping (it's now based on the group membership) or anything else?
Do I have to build a new machine account on the Odyssey agent?
In addition to the above, I have the question below:
- Now, the plan is to install Odyssey by informing the users to connect to the UAC site, and then the agent will be installed automatically.
The question is: now 802.1x is enabled on the switch and the users will have access to anything without authentication, so how can they access the UAC to install the agent?
1. As stated in earlier posts, the OAC Odyssey client has an 802.1x supplicant, so Windows 802.1x does not need to be enabled for 802.1x authentication.
2. Regarding your second question, YOU DO NOT REQUIRE any machine authentication enabled to accomplish the task.
OAC has a GINA module that uses the Windows logon credentials to authenticate on the network with 802.1x.
For more information on GINA please take a look at
With this module, the user is not required to enter logon credentials twice - once for network and once for domain.
Hope this makes sense.
1. You got the answer for your first question... that is very simple.
2. But for the second, you should study and experience it yourself, as it's quite difficult to get what Stanislas P is trying to say. Further, if you need any guidance, I can help you in the deployment. I deployed it recently in an organization in Pakistan.
Actually, I will feel pleasure if I can help you in any regard, as you also belong to Pakistan. I am giving my cell no.
Raja M Kamran
I am new to the Juniper arena... well, I have a couple of questions, and I read the thread also.
1> Is it mandatory to use OAC, or can I use JunOS Pulse for 802.1x without any issue? I heard it will support only EAP-TTLS, but that is no issue as long as it works. Please confirm.
2> How to make sure that the client's JunOS Pulse is started in the background once the users log in with their Windows AD 2008 login credentials?