Occasional Contributor I
Posts: 9
Registered: ‎07-25-2012

802.1x EAP-TLS and Remote Desktop User Authentication

Hi All,

 

I'm not too sure where to stick this piece of help that I need, so I selected this forum. I'm currently having issues where, for users who are attempting to remote desktop back to their laptops, the authentication is stuck at machine-level authentication and does not flip over to user-level authentication. Here is my setup.

 

- Aruba controller is talking to a NPS Radius Server

- Laptops are supplied with computer certificates

- Users are supplied with user certificates

- Laptops are using Computer and User EAP-TLS authentication on wireless connections in Windows 7

- Computer certificates are ACL locked down so that they can only talk to Domain Controllers on our network, and remote desktop access back to the local computer itself from the outside.

- User certificates use the default authenticated user role

 

The machine and user certificates are working perfectly in a local console login environment, meaning that the machine is authenticated while waiting for a user to log in (at the ctrl+alt+del screen), and once a user logs in, user-level authentication takes place and that user then has full access to all of the network.

 

The problem comes in when a user attempts to remote desktop to a wireless computer: the computer itself is stuck in machine authentication and never uses user authentication to authenticate the logged-in user. This means that the user has no access to any network resources except connectivity to the Domain Controllers. Has anyone encountered this problem? Anyone know of any workarounds?

 

Aruba Employee
Posts: 26
Registered: ‎11-16-2011

Re: 802.1x EAP-TLS and Remote Desktop User Authentication

You probably just need to be sure the role that machine is in allows RDP.  Try doing a

 

show rights <rolename>

 

It will list the firewall policies and the rules that make up the role.  Look through them and see if you are allowing what is necessary for RDP (TCP 3389 I think?).

 

E.g. output of show rights for the authenticated role:

 

#show rights authenticated

Derived Role = 'authenticated'
 Up BW:No Limit   Down BW:No Limit  
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 54/0
 Max Sessions = 65535


access-list List
----------------
Position  Name         Location
--------  ----         --------
1         allowall     
2         v6-allowall  

allowall
--------
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          any      permit                           Low                                                           4
2         any     any          any      permit                           Low                                                           6
v6-allowall
-----------
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          any      permit                           Low                                                           6

Expired Policies (due to time constraints) = 0


 

Occasional Contributor I
Posts: 9
Registered: ‎07-25-2012

Re: 802.1x EAP-TLS and Remote Desktop User Authentication

I think this is more of a Microsoft issue rather than an Aruba issue since I'm not seeing user authorizations on the NPS when users are connected through remote desktop. I'm just wondering if anyone else has encountered this problem and how others were able to work around this issue.

Occasional Contributor I
Posts: 8
Registered: ‎07-25-2012

Re: 802.1x EAP-TLS and Remote Desktop User Authentication

Did you find any solution? I have the same problem: remote desktop is not triggering any user authentication, so the role is stuck in machine authentication.

Occasional Contributor I
Posts: 9
Registered: ‎07-25-2012

Re: 802.1x EAP-TLS and Remote Desktop User Authentication

After some digging through the internet, I found that the problem is that Microsoft does not allow 802.1x user authentication for remote desktop sessions. We also ran into difficulty on-boarding new Windows tablets onto the wireless network since they do not have ethernet connections. To simply manage these two issues, we switched to using computer authentication only on our network. It lessens the complexity of having to troubleshoot wireless connectivity issues and of making sure that the two certificates work together.

Occasional Contributor I
Posts: 8
Registered: ‎07-25-2012

Re: 802.1x EAP-TLS and Remote Desktop User Authentication

Thank you for your answer. I would do the same thing as you did, but we need to control which users from our domain can be connected wirelessly. What did you do with the smartphones or tablets, since they are not able to be on our domain, and machine auth would not work on them? Certificates?
