802.1X with Windows Login Pass-Thru
The majority of enterprise and federal clients are using 802.1X pass-through.
In a pass-through setup, the 802.1X supplicant on the laptop takes the credentials entered at login, packages them in EAP (Extensible Authentication Protocol, used in 802.1X) and passes them through to the network for decision-making. Most Microsoft environments using login pass-through use the PEAP (Protected EAP) method to transmit the credentials.
Best used for: Medium- to high-security environments with homogeneous endpoints and operating systems that support native supplicants. (Windows XP SP2 and later have the 802.1X supplicant built in; Windows XP SP3 and later allow domain admins to manage its properties through Group Policy in AD.)
Pros: Pretty secure authentication since it’s using user credentials (versus machine logon). Easy to implement in the right environment and does not require a certificate infrastructure for the endpoints. Only the authentication server (RADIUS) needs a certificate to leverage PEAP.
Cons: Can be tricky in mixed environments with a variety of endpoints, or in shared-resource environments where logins may not be user-specific (i.e., labs with a generic logon).
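
Because only the RADIUS server holds a certificate in this design, the supplicant profile decides whether the endpoint actually checks that certificate before handing over the Windows login. The following is an added example, not code from the original post: it audits the EAP section of an exported Windows supplicant profile for PEAP, credential pass-through and server validation. It assumes the element names of Microsoft's PEAP profile schema and EAP-MSCHAPv2 (type 26) as the inner method; the function name `audit_peap_profile`, the server name and the CA thumbprint are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified fragment shaped like the EAP config of a profile exported
# with `netsh lan export profile`. Server name and CA thumbprint are placeholders.
SAMPLE_PROFILE = """
<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
 <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
  <Type>25</Type>
  <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
   <ServerValidation>
    <ServerNames>radius.example.internal</ServerNames>
    <TrustedRootCA>PLACEHOLDER-ROOT-CA-THUMBPRINT</TrustedRootCA>
   </ServerValidation>
   <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
    <Type>26</Type>
    <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
     <UseWinLogonCredentials>true</UseWinLogonCredentials>
    </EapType>
   </Eap>
   <PeapExtensions>
    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
   </PeapExtensions>
  </EapType>
 </Eap>
</Config>
"""

def audit_peap_profile(xml_text):
    """Return a list of findings; an empty list means the profile passed every check."""
    values = {}
    for el in ET.fromstring(xml_text).iter():      # document order: outer method first
        name = el.tag.rsplit("}", 1)[-1]           # drop the XML namespace
        values.setdefault(name, []).append((el.text or "").strip())
    first = lambda name: (values.get(name) or [""])[0]
    findings = []
    if first("Type") != "25":                      # EAP type 25 = PEAP (outer method)
        findings.append("outer EAP method is not PEAP")
    if first("UseWinLogonCredentials").lower() != "true":
        findings.append("Windows logon credentials are not passed through")
    if first("PerformServerValidation").lower() != "true":
        findings.append("RADIUS server certificate is not validated")
    if not first("ServerNames"):
        findings.append("no RADIUS server name is pinned")
    if not any(values.get("TrustedRootCA", [])):
        findings.append("no trusted root CA is pinned")
    return findings

if __name__ == "__main__":
    print(audit_peap_profile(SAMPLE_PROFILE) or "profile OK")
```
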