Wednesday, 18 July 2012

802.1X Remote desktop (RDP) user authentication

When connecting through remote desktop (RDP) to machines on 802.1X-enabled switch ports (for example in Cisco ISE installations), you can run into connectivity issues, session failures and disconnections. Most of these issues stem from the fact that native 802.1X supplicants do not authenticate and authorize the user who connects through RDP, so the port keeps the access list that applies to a machine with no user logged on. In most cases these ACLs only permit the traffic needed to log a user on to the domain and similar, and remote desktop traffic is not allowed by them. We have resolved this issue by using the Cisco AnyConnect Secure Mobility Client with the Network Access Manager (NAM) module, which behaves better and eliminates the problem by authenticating and authorizing the user connecting through RDP and applying the expected rights and ACLs.

Cisco ISE - duplicate IP address on Windows 7

Windows 7 sometimes reports an IP address conflict (a duplicate IP address warning message) when connected to 802.1X-enabled ports while the IP device tracking feature is used on the switch. Device tracking is used in most Cisco ISE designs. You can check whether device tracking is enabled on the switch with:
switch#sh run | inc trackin
ip device tracking
switch#
This usually happens on Windows Vista, Windows 2008 and Windows 7 clients when disconnecting and reconnecting (or after a shut/no shut on the switch port), after locking and unlocking, or after logging off and logging on again. The reason is that Windows machines can send ARP packets at the same time the switch is probing for device status. Possible solutions are:
Solution 1 - Delay the IP device tracking ARP probe for a few seconds (you need an IOS version that supports this command).
Switch(config)# ip device tracking [probe {delay interval}]
The ARP probe will be sent a few seconds after link-up, so it no longer coincides with the first ARP packets sent by Windows 7 clients. For example:
switch(config)#ip device tracking probe delay 5
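To run this check across several switches instead of reading each running config by hand, here is an added Python example (my own, not from the post and not Cisco code) that emulates the "sh run | inc trackin" filter above, classifies each config by whether ip device tracking is enabled and whether a probe delay is set, and emits the Solution 1 command where the delay is missing. The switch names and config excerpts are constructed samples, and the 5 second threshold is simply the example value used in the post.

```python
import re

# Constructed 'show running-config' excerpts for three hypothetical access
# switches; these are sample inputs, not output captured from real devices.
SWITCH_CONFIGS = {
    # tracking on, no probe delay: the situation that triggers the Windows warning
    "access-sw-01": (
        "hostname access-sw-01\n"
        "!\n"
        "ip device tracking\n"
        "!\n"
        "interface GigabitEthernet1/0/1\n"
        " switchport mode access\n"
        " authentication port-control auto\n"
        " dot1x pae authenticator\n"
        "!\n"
    ),
    # tracking on with the 5 second delay from the post
    "access-sw-02": (
        "hostname access-sw-02\n"
        "!\n"
        "ip device tracking\n"
        "ip device tracking probe delay 5\n"
        "!\n"
    ),
    # tracking not configured at all
    "access-sw-03": (
        "hostname access-sw-03\n"
        "!\n"
        "interface GigabitEthernet1/0/1\n"
        " switchport mode access\n"
        "!\n"
    ),
}

# Bare 'ip device tracking' line (the global enable) and the probe delay line.
TRACKING_RE = re.compile(r"^\s*ip device tracking\s*$")
PROBE_DELAY_RE = re.compile(r"^\s*ip device tracking probe delay (\d+)\s*$")


def include_filter(config, pattern):
    """Emulate IOS 'show run | include <pattern>': keep lines matching the regex."""
    rx = re.compile(pattern)
    return [line for line in config.splitlines() if rx.search(line)]


def audit_device_tracking(config, min_delay=5):
    """Classify one switch config.

    Returns a dict with 'tracking' (bool), 'probe_delay' (int or None) and
    'finding' (str). min_delay defaults to the 5 second value used as the
    example in the post; pick whatever your own testing shows is enough.
    """
    lines = config.splitlines()
    tracking = any(TRACKING_RE.match(line) for line in lines)
    probe_delay = None
    for line in lines:
        m = PROBE_DELAY_RE.match(line)
        if m:
            probe_delay = int(m.group(1))  # last occurrence wins, as in IOS

    if not tracking:
        finding = "no-tracking"        # feature absent; nothing to delay
    elif probe_delay is None:
        finding = "no-probe-delay"     # probe races the client's first ARP
    elif probe_delay < min_delay:
        finding = "short-probe-delay"  # delay configured but below threshold
    else:
        finding = "ok"
    return {"tracking": tracking, "probe_delay": probe_delay, "finding": finding}


def remediation(config, delay=5):
    """Return the IOS global config line(s) that would fix the finding, or []."""
    result = audit_device_tracking(config, min_delay=delay)
    if result["finding"] in ("no-probe-delay", "short-probe-delay"):
        return [f"ip device tracking probe delay {delay}"]
    return []


def audit_all(configs, min_delay=5):
    """Run the audit over a {switch_name: config_text} mapping."""
    return {name: audit_device_tracking(cfg, min_delay) for name, cfg in configs.items()}


if __name__ == "__main__":
    for name, result in audit_all(SWITCH_CONFIGS).items():
        fix = remediation(SWITCH_CONFIGS[name])
        print(f"{name}: {result['finding']}" + (f" -> {fix[0]}" if fix else ""))
```

Feed it the running configs you already collect for backups; the only lines that matter are the global ones, so the audit does not care about the interface sections. A switch with tracking enabled and no delay is the one to fix first, since that is the combination that produces the duplicate IP warning on the clients.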

Solution 2 - Disable gratuitous ARP in the Windows registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
Set ArpRetryCount (32-bit DWORD) to 0
If you decide to use the second method, be sure to manage the duplicate address problem with some other control on the switches or elsewhere.

With the device tracking probe delay we had really good results, and we believe there is no need for registry tuning (the problem with the registry approach is that when a new machine with default registry settings is connected, you get the same duplicate IP address problem again).

Disclaimers: This is a personal weblog. The opinions expressed here are entirely my own and not those of my employer and/or its affiliates. This material is not sponsored or endorsed by Cisco Systems, Inc. Cisco, Cisco Systems, CCIE and the CCIE Logo, CCDP, CCNA and CCDA are trademarks of Cisco Systems, Inc. and its affiliates.