
EAP TLS Radius

  • 1.  EAP TLS Radius

    Posted Dec 24, 2012 08:38 AM

    Hi,

    I am configuring 802.1x authentication. I have a 2003 Server as both AD and CA.

    The client should get a certificate automatically (that can be done through GPO).

    I want to do AD auth as well as certificate auth, i.e. if a client has a certificate and then the AD username and password are entered, then authentication should happen. Can this be done?

    As per my understanding, EAP-TLS will not ask for username/password. It will take the username/password from the current login session on the machine and accordingly push (manually install) the certificate. Is that correct?



  • 2.  RE: EAP TLS Radius

    EMPLOYEE
    Posted Dec 24, 2012 09:11 AM

    So, the certificate in EAP-TLS will allow the DEVICE to connect wirelessly via a certificate that resides on the machine.  This can be a machine certificate or a user certificate.  The user STILL has to input his/her username and password to get into the machine.



  • 3.  RE: EAP TLS Radius

    Posted Dec 24, 2012 09:43 AM
    That means while connecting to the SSID it will not ask for username/password, right?


  • 4.  RE: EAP TLS Radius

    EMPLOYEE
    Posted Dec 24, 2012 09:49 AM

    It will not. It will use the certificate on the computer. Just like any Windows computer, however, the user MUST have a valid username and password to get into the computer to do anything with it. The certificate is only for wireless connectivity.

     

     



  • 5.  RE: EAP TLS Radius

    Posted Jul 14, 2017 06:34 PM

    Hi guys,

     

    If with EAP-TLS the process doesn't ask for username and password, I understand this documentation from Aruba is not correct:

    eap-tls.PNG

     

    This excerpt is from the ClearPass Essentials course.

     

    Regards,

    Julián



  • 6.  RE: EAP TLS Radius

    EMPLOYEE
    Posted Jul 14, 2017 06:37 PM
    Like I mentioned on some of your other threads, please report this stuff to your instructor...


  • 7.  RE: EAP TLS Radius

    Posted Jul 14, 2017 06:54 PM

    I can't because the course was done a few weeks ago and now I am reviewing the materials...

    Please, could anyone else clear up my doubt?

     

    Regards,

    Julián



  • 8.  RE: EAP TLS Radius

    EMPLOYEE
    Posted Jul 14, 2017 09:05 PM


    There are other EAP types besides TLS that check the username and password, and I think the statement is more about those types in general than about EAP-TLS specifically.


  • 9.  RE: EAP TLS Radius

    Posted Jul 17, 2017 09:56 AM

    It should be, otherwise it makes no sense. That statement should be more clear. Thanks for clarifying.

     

    Regards,

    Julián



  • 10.  RE: EAP TLS Radius

    Posted Jul 26, 2017 01:32 PM

    Hi,

     

    One more question about this. I understand the client is somewhat authenticated since he has to enter his password to get into the Windows machine, and EAP-TLS would use the user certificate to authenticate. But how is the user authenticated if he is using a mobile phone? I understand mobile phones don't have user certificate stores and anyone who gets the mobile will be authenticated, but this way it will be the machine which is authenticated and not the user. Please correct me if I am wrong.

     

    Regards,

    Julián 



  • 11.  RE: EAP TLS Radius

    EMPLOYEE
    Posted Jul 26, 2017 01:35 PM

    Yes, mobile devices generally use a single certificate. Only Windows devices use the concept of machine + user.



  • 12.  RE: EAP TLS Radius

    Posted Dec 24, 2012 09:49 AM

    Indeed, it won't ask for that; it might ask which client certificate to use if you have multiple.