Enterprise Lockdown

Occasional Contributor II
Posts: 12
Registered: ‎08-10-2007

User certificate auto enrollment over wireless

We have user cert auto enrollment setup and working when on the wired connection.
We also have machine cert auto enrollment setup and working.

As long as the certs are in place prior to going wireless everything works like a champ.

Where we are having a problem is when a laptop that was working for one user gets moved to another user.
In order for it to work we have to jack the device into a network jack the first time.
Then the logon proceeds, the user profile is created and the cert installs.

As a test we have modified the machine role to
Machine Authentication: Default Machine Role - authenticated
Machine Authentication: Default User Role - authenticated


802.1x
Initial role – authenticated
802.1X Authentication Default Role – authenticated

While this is not the way we want it to work, we did this as an “any any” type of troubleshooting to try and simulate a wired connection.

It would not logon or install the cert until we jacked it into a wire.

Thoughts?
Can this be done?

Guru Elite
Posts: 20,582
Registered: ‎03-29-2007

Chicken and Egg

The problem with this setup is that a user cannot enroll unless he is logged into the computer. He cannot connect wirelessly unless he has a certificate, so he cannot login. So when using EAP-TLS a user must have logged in wired first.

To make this setup work for everyone, you would have to make it so that the computer ONLY authenticates in the computer and user context. Of course, you won't be able to tell who is logged into the computer wirelessly as it will always have the computer as the username. Logging in, if you never logged in before wirelessly, will work, however.

Details on how to do this via group policy are here: http://technet.microsoft.com/en-us/library/cc778073%28WS.10%29.aspx

Look for "Computer only. When this option is selected, authentication is always performed using the computer credentials. User authentication is never performed." on the page.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
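As an added illustration (not from the thread or from Aruba), here is the same "Computer only" choice expressed in a Windows WLAN profile, the XML that netsh wlan add profile imports and that the linked group policy generates; the SSID and profile name "CORP-WLAN" are assumed placeholders.

```xml
<!-- Added example, not from the thread: a Windows WLAN profile forcing 802.1X
     to use computer credentials only. "CORP-WLAN" is an assumed placeholder. -->
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CORP-WLAN</name>
  <SSIDConfig>
    <SSID>
      <name>CORP-WLAN</name>
    </SSID>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <!-- The default is machineOrUser: the supplicant re-authenticates with
             the user's certificate at logon, which is exactly the credential a
             freshly moved laptop does not have yet (the chicken and egg above).
             "machine" keeps the session on the computer certificate, so the
             first logon can reach the domain and auto-enrollment can run. -->
        <authMode>machine</authMode>
        <EAPConfig>
          <!-- EAP-TLS (EAP method type 13) settings go here; they are
               unchanged by the authMode choice and omitted in this example. -->
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
```

Import with netsh wlan add profile filename="CORP-WLAN.xml" user=all, or push the equivalent setting through the Wireless Network (IEEE 802.11) policy linked in the reply; the machine certificate must already be present, which the original post says is the case.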

Occasional Contributor II
Posts: 12
Registered: ‎08-10-2007

Thanks

That is what I thought...
Bummer