802.11 Client Device Interoperability

Occasional Contributor I
Posts: 6
Registered: 09-26-2011

Digital Cert + User Name Authentication - Windows 7

Hi,

We are enforcing machine authentication using EAP-TLS and digital certs and placing the user in default-machine role (partial access - this is currently working).

After this, it is expected that the client log on and use their user name and password, placing them into the dot1x default role (full access - currently not working).

All other devices which fail machine authentication, but pass user authentication are placed into a user-default role (guest access - this is working with MSCHAP).

This is currently not working and I suspect it is a client misconfiguration.

The client windows 7 wireless network properties are:
WPA2
Microsoft: Smart Card or other Cert

Advanced settings:
User or computer authentication
Enable Single Sign on for the network is set to Perform immediately before user logon.

Any ideas?
Guru Elite
Posts: 20,773
Registered: 03-29-2007

Re: Digital Cert + User Name Authentication - Windows 7

If you are NOT distributing user certificates, along with machine certificates, this will not work. When the machine is at the ctrl alt delete screen it will use the machine certificate. After the user logs into the machine, it will attempt to use the user certificate.

What I would advise is that in the 802.1x properties, you ONLY use computer authentication, and uncheck Enforce Machine authentication.

The way you have it setup, it will only work if you use group policy to distribute user certificates, as well. This will create a chicken and egg issue, where the user has to login, and connect to the wireless, but does not have an existing certificate to connect to the wireless the first time he/she logs into the laptop. It is much easier to only use machine certificates. Your two-factor authentication becomes that the user will NOT connect to the wireless unless your device has a machine certificate and your user has a valid username and password to get into the machine, which is very secure.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
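To make the role derivation described in this thread concrete (machine auth via EAP-TLS places the client in default-machine, a following user auth promotes it to dot1x-default, and a client that passes only user auth lands in user-default), here is a small added Python model of a controller's machine-authentication cache. It is an illustration written for this page, not Aruba code: the role names and the two authentication methods come from the posts, while the MAC-keyed cache, its 24-hour timeout and the `clear_machine_cache` helper (the CLI equivalent discussed later in the thread is deleting the MAC entry from the local user DB) are assumptions about how such a cache behaves.

```python
"""Model of machine-auth + user-auth role derivation on a wireless controller.

Added illustration for this thread, not Aruba's implementation. Role names are
taken from the original post; the cache layout and timeout are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Roles named in the original post
ROLE_MACHINE_ONLY = "default-machine"   # machine auth passed, no user auth yet (partial access)
ROLE_USER_ONLY = "user-default"         # user auth passed, no valid machine auth (guest access)
ROLE_FULL = "dot1x-default"             # both passed (full access)


@dataclass
class Credential:
    """What the supplicant presents in one EAP exchange (constructed sample data)."""
    method: str                 # "EAP-TLS" or "PEAP-MSCHAPv2"
    identity: str               # host/laptop01 for machine auth, a user name for user auth
    has_cert: bool = False      # EAP-TLS: does the supplicant hold a certificate for this identity?
    password_ok: bool = False   # PEAP-MSCHAPv2: did the RADIUS server accept the password?


@dataclass
class Controller:
    # Assumption: a successful machine auth is remembered per MAC for this many seconds
    cache_timeout: int = 24 * 3600
    machine_cache: dict = field(default_factory=dict)   # mac -> time of last successful machine auth

    def authenticate(self, cred: Credential) -> bool:
        """Outcome of the EAP method: EAP-TLS needs a cert, PEAP needs a valid password."""
        if cred.method == "EAP-TLS":
            return cred.has_cert
        if cred.method == "PEAP-MSCHAPv2":
            return cred.password_ok
        return False

    def machine_auth(self, mac: str, cred: Credential, now: int) -> Optional[str]:
        """Authentication before user logon (the ctrl-alt-delete screen)."""
        if self.authenticate(cred):
            self.machine_cache[mac] = now
            return ROLE_MACHINE_ONLY
        return None   # no role: the client is not admitted

    def user_auth(self, mac: str, cred: Credential, now: int) -> Optional[str]:
        """Authentication after user logon; the cached machine auth decides the role."""
        if not self.authenticate(cred):
            return None   # user auth failed; full access is never reached
        stamp = self.machine_cache.get(mac)
        if stamp is not None and now - stamp <= self.cache_timeout:
            return ROLE_FULL
        return ROLE_USER_ONLY

    def clear_machine_cache(self, mac: str) -> None:
        """Forget the machine auth for one client (like deleting its MAC from the local user DB)."""
        self.machine_cache.pop(mac, None)


def scenario() -> list:
    """Replays the situation from the original post and returns the roles seen at each step."""
    c = Controller()
    mac = "00:11:22:33:44:55"   # constructed sample MAC
    steps = []
    # 1. Machine cert is valid: partial access, as the poster observes.
    steps.append(c.machine_auth(mac, Credential("EAP-TLS", "host/laptop01", has_cert=True), now=0))
    # 2. After logon the profile is "Smart Card or other Certificate" but no user cert was
    #    distributed, so the user-phase EAP-TLS fails: this is the failure described in the post.
    steps.append(c.user_auth(mac, Credential("EAP-TLS", "jdoe", has_cert=False), now=10))
    # 3. A password-based user auth against the same cached machine auth yields full access.
    steps.append(c.user_auth(mac, Credential("PEAP-MSCHAPv2", "jdoe", password_ok=True), now=10))
    # 4. Once the cached machine auth has expired, the same user only gets the guest role.
    steps.append(c.user_auth(mac, Credential("PEAP-MSCHAPv2", "jdoe", password_ok=True), now=24 * 3600 + 1))
    return steps


if __name__ == "__main__":
    for i, role in enumerate(scenario(), 1):
        print(f"step {i}: role = {role}")
```

Step 2 is the thread's problem in miniature: with only a machine certificate on the box, the user-phase EAP-TLS attempt has nothing to present, so the client never reaches the full-access role. The cache timeout in step 4 is why a stale machine-auth entry can need clearing during troubleshooting.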

Occasional Contributor I
Posts: 6
Registered: 09-26-2011

Re: Digital Cert + User Name Authentication - Windows 7

> If you are NOT distributing user certificates, along with machine certificates, this will not work. When the machine is at the ctrl alt delete screen it will use the machine certificate. After the user logs into the machine, it will attempt to use the user certificate.
>
> What I would advise is that in the 802.1x properties, you ONLY use computer authentication, and uncheck Enforce Machine authentication.
>
> The way you have it setup, it will only work if you use group policy to distribute user certificates, as well. This will create a chicken and egg issue, where the user has to login, and connect to the wireless, but does not have an existing certificate to connect to the wireless the first time he/she logs into the laptop. It is much easier to only use machine certificates. Your two-factor authentication becomes that the user will NOT connect to the wireless unless your device has a machine certificate and your user has a valid username and password to get into the machine, which is very secure.

Thank you for your response. It is very helpful.

When you say "your two factor authentication becomes that the user will NOT connect to the wireless network unless your device has a machine certificate and your user has a valid username and password to get into the machine", does this mean that you configure the client to use EAP-TLS certificate authentication via computer authentication only after logon? Meaning that the user must log in first, THEN the machine certificate is provided to the RADIUS server?

Otherwise I imagine if you performed machine authentication first, the laptop could be connected to the network without username credentials correct?
Guru Elite
Posts: 20,773
Registered: 03-29-2007

Re: Digital Cert + User Name Authentication - Windows 7

> Thank you for your response. It is very helpful.
>
> When you say "your two factor authentication becomes that the user will NOT connect to the wireless network unless your device has a machine certificate and your user has a valid username and password to get into the machine", does this mean that you configure the client to use EAP-TLS certificate authentication via computer authentication only after logon? Meaning that the user must log in first, THEN the machine certificate is provided to the RADIUS server?
>
> Otherwise I imagine if you performed machine authentication first, the laptop could be connected to the network without username credentials correct?

Let me be clear. The certificate is the only thing that is needed to connect to the network wirelessly, both before and after the user logs in. The user still will need a valid login to get into the computer and subsequently, to access network resources.

The certificate is provided to the radius server at the ctrl-alt-delete screen and after the user logs in, as well.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 6
Registered: 09-26-2011

Re: Digital Cert + User Name Authentication - Windows 7

We have NPS set up to authenticate machines and users. Am I correct in thinking that when only the machine certificate is used for authentication it is not possible to configure further NPS policy based on AD group, as the login is not username based?

In other words, the username is never used during authentication, so the RADIUS server cannot make a decision based on user group. Is this correct?

Further to this, in AWMS, when users are authenticated by certificate, the actual AD username does not appear, making it harder to identify users. Is there any way to somehow show AD usernames in AWMS when only the machine digital certificate is used for authentication?
Guru Elite
Posts: 20,773
Registered: 03-29-2007

Re: Digital Cert + User Name Authentication - Windows 7

When only the certificate is used for authentication, only the common name on the cert is displayed as the user. If the email address or common name on the cert is in a Windows Group, you can do derivation, but since it is a machine certificate, machines are not usually placed in groups, besides maybe domain machines, so you cannot do anything with it.

The username of the user is not used in authentication when configured like you have it. There is no way to display the user logged into the machine when using machine certs.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 6
Registered: 09-26-2011

Re: Digital Cert + User Name Authentication - Windows 7

Thanks again.

So, if I used user certs as well, would I experience the same limitations you described for machine certs, i.e. the user would only be identified by the user certificate and not a recognizable AD credential?

On a side note, does anyone know of a command to clear the controller machine authenticated cache?
Guru Elite
Posts: 20,773
Registered: 03-29-2007

Re: Digital Cert + User Name Authentication - Windows 7

The machine appears in the local user database as the machine's MAC address. If you go to Configuration > Security > Authentication > Internal DB, you will see it, and can delete it. Alternatively, you can go to the command line and type "show local-userdb", and then "local-userdb del username <entry>" to delete the entry.


Colin Joseph
Aruba Customer Engineering
