Regular Contributor I
Posts: 180
Registered: ‎12-17-2008

Certificates instead of PEAP in a Windows Environment

I have had good success using PEAP in Windows environments. We do machine auth at boot or logoff, and user auth when the user logs on, and then upgrade their role. Very useful to keep a machine online when no user is logged in, and it also supports different users on the same machine. And it is very easy to deploy using a generic Windows XML profile; since the user credentials don't need to be stored, it doesn't need to be customised for each user.

I now have a customer asking if a similar arrangement is somehow possible using certificates (EAP-TLS). Can we somehow do a machine-level auth with certs, and then still do user auth with certs?


--
ACMA ACMP
Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Certificates instead of PEAP in a Windows Environment

Yes, you can. And the certificate deployment can be automated using Group Policy with ADCS.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I
Posts: 180
Registered: ‎12-17-2008

Re: Certificates instead of PEAP in a Windows Environment

So how does this work? Do you need a separate certificate for machine auth and user auth?

How do you handle multiple users using one laptop? Wouldn't that require a different wireless profile for each user, since it points to a different cert?


--
ACMA ACMP
Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Certificates instead of PEAP in a Windows Environment

No, the certificates can be issued to users and computers automatically and, just like username/password authentication, the group policy network profile switches between user and computer authentication.

The certificate is simply a password. The Windows username is still used.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I
Posts: 180
Registered: ‎12-17-2008

Re: Certificates instead of PEAP in a Windows Environment

[ Edited ]

So is this assuming an OnBoard environment? This customer has a MobileIron environment, so they are not using ClearPass for OnBoard, only Policy Manager/Guest.

I am not convinced certificates offer any additional security in this situation, but if it can be done as seamlessly as PEAP, it may be worthwhile. But I am still getting my head around how this would work.


--
ACMA ACMP
Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Certificates instead of PEAP in a Windows Environment

[ Edited ]

No, onboard is not necessary. You can use Active Directory’s certificate services.

In a completely Windows AD environment where the 802.1X configuration is pushed out via group policy and the end user can’t change it, you won’t gain much with certificates.

Certificates are big with BYOD, where supplicants often aren't configured correctly and can expose user passwords in a MiTM attack; and with BYOD, best practice is to give the device its own credential.

http://technet.microsoft.com/en-us/library/cc731564.aspx


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I
Posts: 180
Registered: ‎12-17-2008

Re: Certificates instead of PEAP in a Windows Environment

Thanks, that was my thinking as well.

One reason I hear for certificates is to not store AD credentials locally. But with Windows, when PEAP uses the logon credentials to authenticate, they are not stored or distributed in the wireless profile; they're given at logon, so I would think the password is only cached locally in the same manner that Windows caches it regardless.

For BYOD it makes perfect sense to have certs, for a few reasons.

I think there's some debate over whether PEAP is inherently more secure than EAP-TLS anyway.


--
ACMA ACMP
Guru Elite
Posts: 21,010
Registered: ‎03-29-2007

Re: Certificates instead of PEAP in a Windows Environment

BGC IT,

For your reference, in most environments that use EAP-TLS for security, we see machine-only certificates used with EAP-TLS, so that only devices with enterprise-issued certificates can get onto the network. The user has to log in to Windows successfully on top of that with their AD username and password, so it results in a two-factor authentication. The user credentials are never used to access the wireless; only the machine's distributed certificate.

Colin Joseph
Aruba Customer Engineering


Regular Contributor I
Posts: 180
Registered: ‎12-17-2008

Re: Certificates instead of PEAP in a Windows Environment

Hi CJ,

Does this scenario prevent you from changing role when the user logs in?
--
ACMA ACMP
Guru Elite
Posts: 21,010
Registered: ‎03-29-2007

Re: Certificates instead of PEAP in a Windows Environment

BGC IT,

The user would not be involved in the wireless authentication; only the machine.



Colin Joseph
Aruba Customer Engineering
