# RDP with 802.1x Machine and User Authentication



## jhardin80 (Jun 2, 2014)

Here is the background:

I've just started testing 802.1x and this is what I have so far, MS Radius (NPS) Win 2012 R2, HP Procurve 5412s, 5406s and 2910s all up-to-date, and mostly Win 7 machines. I have quite a few VLANs and when a computer comes up it gets machine authenticated and is put into a VLAN so it gets an IP and we can continue to update it and access it. When a user logs in they get User authenticated, depending on what department they are in, they get moved to another VLAN. 

All this works GREAT!!! Until you bring RDP into the mix. If nobody is logged into the machine I can RDP to it just fine but RDP only uses machine authentication so it stays in that machine VLAN.

If a user is already logged into that machine and they have moved to another VLAN, and I try to RDP to that machine, then RDP will not let me connect. Once that first RDP attempt has timed out, it re-authenticates the machine and moves it back to the machine VLAN, and then I can RDP to it.

How is everyone else dealing with this issue if you are using machine and user authentication? Is there something else I can do besides doing only machine authentication or reconfiguring how I want this all to work? We have people that need to be on certain VLANs but also need to be able to RDP to the machines, and telling them they need to log off their machine prior to RDPing to it isn't a solution.

Thanks in advance
Jason


----------



## Wand3r3r (Sep 17, 2010)

Welcome to TSF!

Have you tried connecting by ip address instead of host name?


----------



## jhardin80 (Jun 2, 2014)

Wand3r3r said:


> Welcome to TSF!
> 
> Have you tried connecting by ip address instead of host name?


Yes, and it's the same thing, because when I RDP to it, it's already in the user VLAN and RDP needs to authenticate with the machine, so it kills the connection and re-authenticates with the machine, and then if I try to RDP again it will let me in.


----------



## Wand3r3r (Sep 17, 2010)

If the machine gets an IP address in whatever VLAN it is in, the following should happen:

1. RDP can't kill an existing network connection, so there is another reason for the machine going back to a default VLAN. Unless the user account you are using is what is causing the move to the default VLAN. Perhaps adding this RDP account to all user VLANs will address this.
2. If RDP can't get to the IP address assigned in the user's VLAN, that would indicate there is not a route from the VLAN RDP is on to the user VLAN.
3. Make sure the tunneling protocols are allowed on all switches/VLANs.


----------



## jhardin80 (Jun 2, 2014)

Wand3r3r said:


> If the machine gets an IP address in whatever VLAN it is in, the following should happen:
> 
> 1. RDP can't kill an existing network connection, so there is another reason for the machine going back to a default VLAN. Unless the user account you are using is what is causing the move to the default VLAN. Perhaps adding this RDP account to all user VLANs will address this.
> 2. If RDP can't get to the IP address assigned in the user's VLAN, that would indicate there is not a route from the VLAN RDP is on to the user VLAN.
> 3. Make sure the tunneling protocols are allowed on all switches/VLANs.


This is how I have it set up now: the machine boots up and gets authenticated via cert, and the port gets moved to VLAN 30 (I have picked a regular VLAN for this so there are no restrictions). Then a user logs in and the port gets moved to VLAN 36 (exactly the same as VLAN 30, just a different VLAN to test with, but still an open VLAN). All this works great.

If that user is logged in and the port is in VLAN 36, and that user then tries to RDP to that computer with the same credentials, it won't let it connect, because RDP ONLY uses machine authentication, which in turn re-auths the machine and moves the port back to VLAN 30, at which point you can RDP to it again. 

The way I see it, I would either need to use ONLY machine authentication or I would have to make sure that user's computer goes into the same VLAN as it would have with user authentication.


----------
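The VLAN moves described in this thread are driven by three RADIUS attributes that the NPS network policy returns in the Access-Accept and that the ProCurve switch applies to the port: Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6) and Tunnel-Private-Group-ID (81) = the VLAN ID. The following is an added example, not code from NPS, HP, or any poster in the thread: it models that policy decision in Python so the sequence machine auth, user auth, machine re-auth can be replayed and the resulting port VLAN observed. The department-to-VLAN table, the identities `host/PC1.corp.example` and `CORP\jason`, and VLAN 40 are constructed for illustration; VLANs 30 and 36 are the ones named in the posts.

```python
"""Model of the 802.1X -> NPS policy -> dynamic VLAN decision discussed in the thread.

Added example only. It is not NPS or ProCurve code; it mimics what an NPS
network policy does: classify the EAP identity in User-Name, choose a VLAN,
and return the RADIUS tunnel attributes the switch consumes.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RADIUS attribute numbers (RFC 2868) and the constant values used for VLAN assignment
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6  = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # VLAN ID (or name) carried as a string

MACHINE_VLAN = "30"   # from the thread: where a port lands after computer authentication
DEPT_VLANS = {        # constructed: user VLAN per department; "IT" -> 36 follows the thread
    "IT": "36",
    "Finance": "40",  # assumed extra department, not mentioned in the thread
}


@dataclass(frozen=True)
class AccessAccept:
    identity: str
    identity_kind: str   # "machine" or "user"
    attributes: Dict[int, object]


def identity_kind(user_name: str) -> str:
    """NPS sees a domain computer account as 'host/<fqdn>' in the EAP identity.
    Anything else is treated as a user principal (e.g. 'CORP\\jason')."""
    return "machine" if user_name.lower().startswith("host/") else "user"


def vlan_attributes(vlan_id: str) -> Dict[int, object]:
    """The three attributes a ProCurve port needs to switch its untagged VLAN."""
    return {
        TUNNEL_TYPE: 13,
        TUNNEL_MEDIUM_TYPE: 6,
        TUNNEL_PRIVATE_GROUP_ID: vlan_id,
    }


def evaluate_policy(user_name: str, department_of: Dict[str, str]) -> Optional[AccessAccept]:
    """Return an Access-Accept with VLAN attributes, or None for Access-Reject.

    department_of maps a lower-cased user principal to a department name;
    in a real deployment this comes from AD group membership in the NPS policy."""
    kind = identity_kind(user_name)
    if kind == "machine":
        return AccessAccept(user_name, kind, vlan_attributes(MACHINE_VLAN))
    dept = department_of.get(user_name.lower())
    if dept is None or dept not in DEPT_VLANS:
        return None  # no user policy matched: reject rather than leak into a default VLAN
    return AccessAccept(user_name, kind, vlan_attributes(DEPT_VLANS[dept]))


def port_vlan_timeline(auth_events: List[str],
                       department_of: Dict[str, str]) -> List[Tuple[str, str]]:
    """Replay successful EAP identities seen on one switch port and return
    (identity, untagged VLAN) after each authentication."""
    timeline = []
    for ident in auth_events:
        decision = evaluate_policy(ident, department_of)
        vlan = decision.attributes[TUNNEL_PRIVATE_GROUP_ID] if decision else "reject"
        timeline.append((ident, vlan))
    return timeline


if __name__ == "__main__":
    # Constructed group membership: jason is in IT, so user auth should land in VLAN 36
    membership = {"corp\\jason": "IT"}
    # The sequence the thread describes: boot (machine), logon (user), machine re-auth
    sequence = ["host/PC1.corp.example", "CORP\\jason", "host/PC1.corp.example"]
    for ident, vlan in port_vlan_timeline(sequence, membership):
        print(f"{identity_kind(ident):7s} {ident:25s} -> VLAN {vlan}")
```

Worth noting from the model: the switch receives the same three attributes whichever identity matched, so the port has no way to "stay" in the user VLAN once a machine re-authentication occurs; the VLAN simply follows whatever identity last authenticated, which is exactly the 36 to 30 move the thread reports. Any fix therefore has to live either in what the supplicant sends (which identity, and when) or in the NPS policy that maps the machine identity to a VLAN.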

