Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TLS Username

  • 1.  EAP-TLS Username

    Posted Aug 29, 2017 05:52 PM

    Hello, I'm trying to set up EAP-TLS to have a single certificate on all our mobile devices/laptops with machine or username AD authentication (based on whether it's an AD computer or a mobile device (iOS) not in AD).

     

    I have EAP-TLS working and can connect when I disable authentication in my EAP-TLS Authentication Method. But when I enable authentication in the method it pulls the CN of the certificate to validate against and not the machine name or username/password entered. My test client is a Windows 10 laptop. Additionally, because of this my client logging in AirWave shows the CN name as well and not the actual AD computer name or username.

     

    Is this possible or do I need separate certificates for each device?



  • 2.  RE: EAP-TLS Username

    EMPLOYEE
    Posted Aug 29, 2017 05:55 PM

    You would do a unique certificate per device. Using the same certificate on every device really defeats the point.



  • 3.  RE: EAP-TLS Username

    Posted Aug 29, 2017 06:01 PM
    We were planning on using EAP-TLS to prevent unauthorized devices from even connecting but still authenticate based on AD (either computer account or user account). Sounds like we need to abandon that plan.

    As an alternative I can use clearpass onboard certificate authority to create the certificates for each device but we don't have enough onboard/enterprise licenses at this point. Does each certificate in the CA count against a license?

    Thanks!


  • 4.  RE: EAP-TLS Username
    Best Answer

    EMPLOYEE
    Posted Aug 29, 2017 06:03 PM

    Each certificate in Onboard consumes a license.

     

    If you have ADCS, you can use Group Policy to issue machine certificates to your Windows AD-joined machines and then use Onboard for your mobile devices.
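
Added example, not code from this thread or from HPE Aruba: the replies above say that one certificate shared by every device cannot identify a device, while per-device machine certificates issued by ADCS can. This Python script walks constructed EAP-TLS authentication records (the log format is assumed, not ClearPass's or AirWave's) and flags any certificate presented by more than one endpoint, the condition the original poster's single-certificate setup produces, and shows how a per-device machine certificate's CN maps back to an AD computer name.

```python
import re
from collections import defaultdict

# Constructed sample records (not real ClearPass/AirWave output), one line per
# successful EAP-TLS authentication. Lines 1-3 model the original poster's
# setup (one certificate on every device); lines 4-6 model per-device ADCS
# machine certificates on AD-joined laptops.
SAMPLE_LOG = """\
2017-08-29T17:52:10 mac=00:11:22:33:44:55 subject=CN=shared-wifi-cert serial=1A2B
2017-08-29T17:53:44 mac=00:11:22:33:44:66 subject=CN=shared-wifi-cert serial=1A2B
2017-08-29T17:55:02 mac=00:11:22:33:44:77 subject=CN=shared-wifi-cert serial=1A2B
2017-08-29T18:01:30 mac=00:11:22:33:44:88 subject=CN=LAPTOP-0042.corp.example serial=0C41
2017-08-29T18:02:15 mac=00:11:22:33:44:88 subject=CN=LAPTOP-0042.corp.example serial=0C41
2017-08-29T18:05:59 mac=00:11:22:33:44:99 subject=CN=LAPTOP-0043.corp.example serial=0C42
"""
LINE_RE = re.compile(r"^\S+ mac=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
                     r"subject=CN=(?P<cn>\S+) serial=(?P<serial>\S+)$")

def parse_records(text):
    """Parse the constructed format into dicts, skipping malformed lines."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def endpoints_per_certificate(records):
    """Group the endpoint MACs that presented each certificate (CN, serial)."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["cn"], r["serial"])].add(r["mac"])
    return seen

def shared_certificates(records):
    """Certificates presented by more than one endpoint. Such a certificate
    proves group membership, not device identity, so the CN ClearPass reports
    as the username cannot be tied back to a specific AD computer."""
    return {cert: sorted(macs)
            for cert, macs in endpoints_per_certificate(records).items()
            if len(macs) > 1}

def machine_name_from_cn(cn, domain_suffix):
    """An ADCS machine certificate carries the host FQDN as CN: return the
    short computer name when the CN is under the expected domain, else None."""
    suffix = "." + domain_suffix.lower()
    return cn[:-len(suffix)] if cn.lower().endswith(suffix) else None

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for (cn, serial), macs in shared_certificates(recs).items():
        print(f"shared certificate CN={cn} serial={serial}: {len(macs)} endpoints {macs}")
    for cn, _ in endpoints_per_certificate(recs):
        print(cn, "->", machine_name_from_cn(cn, "corp.example"))
```

Run against a real export, the same grouping tells you whether an identity ClearPass reports as a username is actually one device or a whole fleet sharing a key.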