802.1x considerations
Hi forum,

I am just evaluating 802.1x authentication for our company and came across the "authentication mode" settings in Group Policy. The settings are described clearly in the help file, but what are the advantages/disadvantages of "computer only" authentication?

I understand that if I enable user-only authentication, Group Policies and Startup Scripts will not run at startup. The default and recommended setting is "user re-authentication", but - except for auditing - what is the advantage of this setting?

Thank you for your answers!

Regards,
Dagmar
June 29th, 2009 5:41pm

Hi Dagmar,

Thank you for your post. As the description of the authentication modes says, by using user re-authentication mode, authentication is always performed by using the user credentials when a user logs on to the computer. It is more secure than the computer only authentication mode, which is always performed by using only the computer credentials. It means that every user who logs on to the computer can access the network, even if the user himself does not have a valid credential to pass the 802.1x authentication.
June 30th, 2009 1:08pm

Hi,

How's everything going? I'm wondering if the information is helpful or if you have any further questions. If there is anything unclear, please feel free to let me know.

Have a nice day.
July 2nd, 2009 10:56am

Hi,

Thank you for your answer. Is user re-authentication really more secure than computer-only authentication? My concerns are:

If a smartcard-based certificate is used for user authentication, a malicious user can use this certificate to authenticate any device against the switch. If a certificate saved in the user's profile is used for re-authentication, it could be stolen using various tools available on the Internet.

Kind regards,
Dagmar
July 2nd, 2009 2:22pm

Hi Dagmar,

Thank you for your reply. The user re-authentication mode is not necessarily more secure than computer only authentication. However, it ensures that the connection is always using the security credentials of the computer's current security context (computer credentials when no user is logged on and user credentials when a user is logged on). As a result, it is the recommended setting.

Here is the description of the authentication modes for your reference:

With user authentication: When users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is maintained with the computer credentials. If a user travels to a new wireless access point, authentication is performed using the user credentials.

With user re-authentication: When users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is performed using the user credentials. When a user logs off of the computer, authentication is performed with the computer credentials.

Computer only: Authentication is always performed by using the computer credentials. User authentication is never performed.

Regarding your concerns, please remember that a certificate that does not have the corresponding private key will not be used for 802.1x authentication. For a smartcard-based certificate, you must know the Personal Identification Number (PIN) in order to use the certificate. For certificates stored in the user profile, the private key is stored in the RSA folder. The RSA folder is automatically encrypted with a random, symmetric key called the user's master key. The user's master key is generated by the RC4 algorithm in the Base or Enhanced CSP. RC4 generates a 128-bit key for computers with the Enhanced CSP (subject to cryptography export restrictions) and a 56-bit key for computers with only the Base CSP.

The master key is generated automatically and is renewed periodically. The user's master key is then encrypted by the password encryption key, which is produced by the Hash-Based Message Authentication Code (HMAC) and SHA1 message digest function and is a hash of:
- A symmetric encryption of the user's master key produced by 160-bit RC4.
- The user's security identifier (SID).
- The user's logon password.

As a result, if the user password meets the complexity requirements, I believe that it is secure enough. You may also refer to the following articles for additional information:
Smart Card: http://technet.microsoft.com/en-us/library/dd277376.aspx
Major Components of the Public Key Infrastructure: http://technet.microsoft.com/en-us/library/cc938848.aspx

Thanks.
July 3rd, 2009 12:44pm
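As an added illustration (not part of the thread, and not Microsoft's code), a small script that reads a wired or wireless profile exported with netsh and reports which of the three modes discussed above it is set to. It assumes the element names of the OneX profile schema (the OneX element's authMode child with values machineOrUser, machine and user) and that machineOrUser corresponds to the "user re-authentication" behaviour described in the help text; the sample profile is constructed.

```python
import xml.etree.ElementTree as ET

# Namespace of the OneX (802.1X) settings block inside a LAN/WLAN profile XML
# (assumption: this is the namespace written by "netsh lan/wlan export profile").
NS = {"onex": "http://www.microsoft.com/networking/OneX/v1"}

# OneX authMode values mapped onto the mode names used in the thread above.
AUTH_MODES = {
    "machineOrUser": "user re-authentication (computer creds before logon, user creds after)",
    "machine": "computer only (the user's identity is never checked by the switch/AP)",
    "user": "user only (no network before logon, so GPO and startup scripts cannot run)",
}

def onex_auth_mode(profile_xml: str) -> str:
    """Return the profile's authMode; absent element means the schema default."""
    root = ET.fromstring(profile_xml)
    node = root.find(".//onex:OneX/onex:authMode", NS)
    if node is None or not (node.text or "").strip():
        return "machineOrUser"  # assumption: schema default when authMode is omitted
    return node.text.strip()

def review_profile(profile_xml: str) -> dict:
    """Summarise the mode and flag the risk raised in the first answer above."""
    mode = onex_auth_mode(profile_xml)
    return {
        "authMode": mode,
        "meaning": AUTH_MODES.get(mode, "unknown value"),
        # In computer-only mode every local logon inherits the machine's network access.
        "any_local_user_gets_network": mode == "machine",
    }

# Constructed sample: a minimal wired profile set to computer-only authentication.
SAMPLE_WIRED = """<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM><security>
    <OneXEnforced>false</OneXEnforced><OneXEnabled>true</OneXEnabled>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machine</authMode>
    </OneX>
  </security></MSM>
</LANProfile>"""

if __name__ == "__main__":
    print(review_profile(SAMPLE_WIRED))
```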

Hi, Just want to check if my explanation is helpful. If you have any questions or concerns, please feel free to let me know. Thanks.
July 8th, 2009 5:03am

Hi,

Thank you for your answer.

Kind regards,
Dagmar
July 13th, 2009 11:27pm
