Specifications

ManualsBrandsEnterasys ManualsComputer equipmentRoamAbout RBT-8100

361

362

363

364

365

366

367

368

369

370

Configuring 802.1X Authentication

RoamAbout Mobility System Software Configuration Guide 17-15

Binding User Authentication to Machine Authentication

BondedAuth™(bondedauthentication)isasecurityfeaturethatbindsan802.1Xuser’s

authenticationtoauthenticationofthemachinefromwhichtheuserisattemptingtologon.When

thisfeatureisenabled,MSSauthenticatesauseronlyifthemachinefromwhichtheuserlogson

hasalreadybeenauthenticated

separately.

Bydefault,MSSdoesnotbinduserauthenticationtomachineauthentication.Atrustedusercan

logonfromanymachineatt achedtothenetwork.

YoucanuseBondedAuthwithMicrosoftWindowsclientsthatsupportseparate802.1X

authenticationforthemachineitselfandforauserwhousesthemachine

tologontothenetwork.

NetworkadministratorssometimesusemachineauthenticationinaMicrosoftActiveDirectory

domaintorunloginscripts,andtocontroldefaults,applicationaccessandupdates,andsoon.

BondedAuthprovidesanaddedsecuritymeasure,byensuringthatatrustedusercanlogonto

thenetwork

onlyfromatrustedmachineknowntoActiveDirectory.

Forexample,ifuserbob.mycorp.comhasatrustedlaptopPCusedforworkbutalsohasa

personallaptopPC,youmightwanttobindBob’sauthenticationwiththeauthenticationofhis

workplacelaptop,host/bob‐laptop.mycorp.com.Inthiscase,Bobcanlog

ontothecompany

networkonlyfromhisworklaptop.

WhenBondedAuthisenabled, MSSretainsinformationaboutthemachine’ssessionwhenauser

logsonfromthatmachine.MSSauthenticatestheuseronlyiftherehasalreadybeenasuccessful

machineauthentication.Evidenceofthemachine’ssessioninMSS

indicatesthatthemachinehas

successfullyauthenticatedandisthereforetru st edbyMSS.IfMSSdoesnothavesession

informationforthemachine,MSSrefusestoauthenticatetheuseranddoesnotallowtheuser

ontothenetworkfromtheunauthenticatedmachine.

Authentication Rule Requirements

BondedAuthrequiresan802.1Xauthenticationruleforthemachineitself,andaseparate 8 02.1X 

authenticationrulefortheuser(s).Usethebondedoptionintheuserauthenticationrule,butnot

inthemachineauthenticationrule.

Theauthenticationruleforthemachinemustbehigherupinthelistofau thentication

rulesthan

theauthenticationrulefortheuser.

Youmustuse802.1Xauthenticationrules.The802.1Xauthenticationruleforthemachinemust

usepass‐throughastheprotocol.EnterasysNetworksrecommendsthatyoualsousepass‐

throughfortheuser’sauthentica tionrule.

Theruleforthemachineandtherule

fortheusermustuseaRADIUSservergroupasthemethod.

(Generally,inaBondedAuthconfiguration,theRADIUSserverswilluseauserdatabasestored

onanActiveDirectoryserver.)

(Foraconfigurationexample,see“BondedAuthConfigurationExample”onpage 17‐17.)

EnterasysNetworksrecommendsthatyoumake

therulesasgeneralaspossible.Forexample,if

theActiveDirectorydomainismycorp.com,thefollowinguserglobsmatchonallmachinenames

andusersinthedomain:

Note: If the 802.1X reauthentication parameter or the RADIUS Session-Timeout parameter is

applicable, the user must log in before the 802.1X reauthentication timeout or the RADIUS session-

timeout for the machine’s session expires. Normally, these parameters apply only to clients that use

dynamic WEP, or use WEP-40 or WEP-104 encryption with WPA or RSN.