Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x EAP-TLS and Remote Desktop User Authentication

  • 1.  802.1x EAP-TLS and Remote Desktop User Authentication

    Posted Aug 14, 2012 12:17 PM

    Hi All,

    I'm not too sure where to stick this piece of help that I need, so I selected this forum. I'm currently having an issue where, for users who are attempting to remote desktop back to their laptops, the authentication is stuck at machine-level authentication and does not flip over to user-level authentication. Here is my setup.

    - Aruba controller is talking to an NPS RADIUS server

    - Laptops are supplied with computer certificates

    - Users are supplied with user certificates

    - Laptops are using Computer and User EAP-TLS authentication on wireless connections in Windows 7

    - Computer certificates are ACL locked down so that they can only talk to Domain Controllers on our network, and remote desktop access back to the local computer itself from the outside.

    - User certificates use the default authenticated user role

    The machine and user certificates are working perfectly in a local console login environment, meaning that the machine is authenticated while waiting for a user to log in (at the Ctrl+Alt+Del screen), and once a user logs in, user-level authentication takes place and that user has full access to all of the network.

    The problem is that when a user attempts to remote desktop to a wireless computer, the computer itself is stuck in machine authentication and never uses user authentication to authenticate the logged-in user. This means that the user has no access to any network resources except connectivity to the Domain Controllers. Has anyone encountered this problem? Anyone know of any workarounds?

     



  • 2.  RE: 802.1x EAP-TLS and Remote Desktop User Authentication

    Posted Aug 14, 2012 11:58 PM

    You probably just need to be sure the role that machine is in allows RDP.  Try doing a

    show rights <rolename>

    It will list the firewall policies and the rules that make up the role.  Look through them and see if you are allowing what is necessary for RDP (TCP 3389 I think?).

    E.g. output of show rights for the authenticated role:

     

    #show rights authenticated

    Derived Role = 'authenticated'
     Up BW:No Limit   Down BW:No Limit  
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 54/0
     Max Sessions = 65535


    access-list List
    ----------------
    Position  Name         Location
    --------  ----         --------
    1         allowall     
    2         v6-allowall  

    allowall
    --------
    Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     any          any      permit                           Low                                                           4
    2         any     any          any      permit                           Low                                                           6
    v6-allowall
    -----------
    Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     any          any      permit                           Low                                                           6

    Expired Policies (due to time constraints) = 0
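As an added example (not code from the thread, Aruba or Microsoft), here is a small Python script that parses `show rights` output in the format shown above and reports whether a role's ACLs would pass RDP to the client, which is the check the reply suggests doing by eye. The `svc-rdp`/`tcp 3389` service aliases, the `user` destination alias and the simplified first-match evaluation are assumptions, and the `dc-only` role is constructed to resemble the locked-down machine role the original poster describes.

```python
"""Parse ArubaOS 'show rights <role>' output and check whether the role's
ACLs permit RDP (TCP 3389) to the client. Added example, not from the thread:
the sample role is constructed; alias names and first-match logic are assumed."""
import re

FIELDS = ("priority", "source", "destination", "service", "action")
RDP_SERVICES = {"any", "svc-rdp", "tcp 3389"}  # assumed service aliases covering RDP
CLIENT_DESTS = {"any", "user"}                  # 'user' = the client's own address

# Constructed sample in the posted format: a machine role that only reaches the DCs.
DC_ONLY_RIGHTS = """\
Derived Role = 'machine-auth'
dc-only
-------
Priority  Source  Destination  Service  Action  Queue  IPv4/6
--------  ------  -----------  -------  ------  -----  ------
1         user    dc-servers   any      permit  Low    4
2         any     any          any      deny    Low    4
"""


def parse_show_rights(text):
    """Return (role_name, {acl_name: [rule dicts in priority order]})."""
    role = re.search(r"Derived Role = '([^']+)'", text)
    lines, acls, i = text.splitlines(), {}, 0
    dashes = lambda k: k < len(lines) and re.fullmatch(r"-+", lines[k].strip()) is not None
    while i < len(lines):
        name = lines[i].strip()
        if name and dashes(i + 1):          # a section is its name plus an underline
            i, rows = i + 2, []
            while i < len(lines) and lines[i].strip() and not dashes(i + 1):
                cols = re.split(r"\s{2,}", lines[i].strip())  # columns are 2+ spaces apart
                if cols[0].isdigit():       # skips the column header and its underline
                    rows.append(cols)
                i += 1
            if name != "access-list List":  # that table only lists the ACL order
                acls[name] = [dict(zip(FIELDS, r[:5])) for r in rows]
        else:
            i += 1
    return (role.group(1) if role else None), acls


def rdp_verdict(acls):
    """Simplified first match: the first rule whose service covers RDP and whose
    destination can be the client decides; no match means the implicit deny."""
    for acl, rules in acls.items():
        for r in rules:
            if r["service"].lower() in RDP_SERVICES and r["destination"].lower() in CLIENT_DESTS:
                return r["action"].lower() == "permit", f"{acl}#{r['priority']}"
    return False, "implicit-deny"
```

Paste the controller output for the machine role into `parse_show_rights` and compare its verdict with the `authenticated` role's; a deny or an implicit deny for the machine role is what the original poster's symptom looks like from the firewall side.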


     



  • 3.  RE: 802.1x EAP-TLS and Remote Desktop User Authentication

    Posted Aug 15, 2012 10:35 AM

    I think this is more of a Microsoft issue rather than an Aruba issue since I'm not seeing user authorizations on the NPS when users are connected through remote desktop. I'm just wondering if anyone else has encountered this problem and how others were able to work around this issue.



  • 4.  RE: 802.1x EAP-TLS and Remote Desktop User Authentication

    Posted Jun 11, 2013 10:05 AM

    Did you find any solution? I have the same problem: remote desktop is not triggering any user authentication, so the role is stuck in machine authentication.



  • 5.  RE: 802.1x EAP-TLS and Remote Desktop User Authentication

    Posted Jun 11, 2013 10:25 AM

    After some digging through the internet, I found that the problem is that Microsoft does not allow 802.1x user authentication for remote desktop sessions. We also ran into difficulty on-boarding new Windows tablets onto the wireless network since they do not have Ethernet connections. To simply manage these two issues, we switched to using computer authentication only on our network. It lessens the complexity of having to troubleshoot wireless connectivity issues and making sure that the two certificates work together.



  • 6.  RE: 802.1x EAP-TLS and Remote Desktop User Authentication

    Posted Jun 11, 2013 10:33 AM

    Thank you for your answer. I would do the same thing as you did, but we need to control which users from our domain can be wirelessly connected. What did you do with the smartphones or tablets, since they are not able to be on our domain and machine auth would not work on them? Certificates?