03-02-2017 11:44 AM
I have a new requirement which is to be able to have a computer join the domain wirelessly. We are currently using EAP-TLS for the authentication method on our domain computer, but I've been preparing to move to PEAP-MSCHAPv2 (user and machine auth) as it fixes issues with first time users on a multi user device..
The computer to join is fresh, no domain or clearpass certificates on the device yet.
What would a recommended method be to get these to connect to either an EAP-TLS SSID(or MSCHAPv2 or another method) so that they can join the domain?
03-02-2017 12:39 PM
AFAIK, there is no way to do that. A computer would likely need to machine authenticate to do "domain stuff" on the network (the reboot, get past ctrl-alt-delete), and all of those would require a machine certificate that is not issued before a domain join.
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
03-05-2017 04:02 AM
I read two topics in your question: 1) how to allow domain computers to access the domain controllers before the login, so that users that never logged in before on the computer can be validated and authenticated to the domain. 2) how to join the computer to the domain if there is no connection (classical chicken-egg problem).
In order to join a client to the domain, IP connectivity between the client and the domaincontroller(s) is required. There are many ways to achieve that. What most companies do (in my experience) is connect the clients either to wired 'staging' ports to join the system to the domain; which can be done from the unauthenticated VLAN as well which can also be used to PXE image the system. You can even create an automatic whitelist that as soon as the client does a domain authentication it is automatically added and use that whitelist to place the clients in a PXE staging VLAN that allows both the imaging and the domain join.
As you are explicitly looking for a wireless method, you basically have the choice of three: open, WPA2-PSK, WPA2-Enterprise; and allow access to the domain controllers from those networks. As you may have noticed, connecting to a WPA2-Enterprise network from a non-domain system can be pretty challenging; so I would avoid that route myself, but it is possible as long as it provides IP connectivity to the domain controllers to do the domain join.
For the other item, you triggered me that you consider moving from TLS to MS-CHAPv2. MSCHAPv2 has been broken (since 1999 already) and should not be used unless you have full control over the endpoints to prevent the client from connecting to a rogue authentication server. As you are speaking about domain computers, this full control might be the case if you deploy everything right. Just want to make sure the risks of MS-CHAPv2 are clear to you. Check https://www.youtube.com/watch?v=50fO3j4NgyQ to see what happens if you not have control or properly configure.
The way to solve the issue of pre-login access is to deploy computer certificates. And if you want to switch to user authentication as well, you should have client certificates as well. This all can be done with Microsoft Certificate Services (MSCS) and group policies.
The flow would be that before the user logs in, the computer authenticates with its computer certificate and you can allow the client access to the domain controller and other services that need to be present before login (DNS, update services, etc.); then you either use computer authentication only or if you need user authentication you can switch to the user certificate.
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
03-05-2017 09:14 AM
03-06-2017 06:19 AM - edited 03-06-2017 06:26 AM
First of all, thank you for your youtube videos, I watched most of them already while learning how to get my clearpass setup
I think I failed to properly convey my problem. The question is: How do I/is it possible to join a computer to the domain over 802.1x wireless.
We currently either plug the units in to a port assigned to a VLAN where they can enroll in the domain, or over our old wireless that uses PSK.
I do have full control over the endpoints here, but TLS would be preferable as the more secure method as long as it meets the same requirements.
I have the pre-login access all figured out for EAP-PEAP-MSCHAPv2, with roles for machine only auth, user only auth, and machine+user auth. I was thinking I could allow access to the domain with user only auth roll (manually entered credentials, and check for specific memberships), so that the computer may be joined to the domain.
If that is possible with EAP-TLS as well, great. I've been having difficulty doing machine only auth using TLS. I'm testing on a broken XP laptop that keeps reseting the wireless properties (once in a while it sticks), so that could be a problem.
Are you saying that EAP-PEAP-MSCHAPv2 is the only method that works for user and machine auth? Or any auth that uses outer layer peapv0? I'm getting a better understanding of the auth methods but still in a bit of confusion.
03-06-2017 07:02 AM
My recommendation would be to create a limited access role on your open/guest network that uses AD authentication and does a short MAC cache. You can use a policy that allows only your IT group to log in to this state.
For your original question, if you're supporting multiple users on devices (shared devices) and still require both computer and user identity, your only option is PEAPv0/EAP-MSCHAPv2.
03-06-2017 07:31 AM
How would your proposed method work?
Our open/guest network is set to our DMZ vlan, and I already have AD auth with mac caching on that guest network for our employees who have been authorized to connect with personal devices.
I was just able to test using only MSCHAPv2. I changed the connection properties on the client to do user only auth, using manual credentials instead of cached and not verifying the server certificate. I was correctly assigned the user only auth role where I was able to join the domain with proper credentials.
This seems to be satisfactory, however feels less secure as I'm not verifying the sever cert. I'll need to ensure the proper restrictions are put in place for this role, as I think the only use for this role will be for joining the domain.
I feel like there is something I could do to make this more secure. Thoughts?
03-06-2017 07:46 AM
Use a server-initiated login that disconnects the user. On re-authentication, drop them into a limited internal access role.
You should never use PEAP or EAP-TTLS without verifying the server certificate CN/SAN and issuing CA.
03-06-2017 07:57 AM
My Guest network (captive portal) is currently on controller-initiated login, are you suggesting to change that to server-initated, or having a secondary page that uses server-initiated? I believe with server-initiated I'll need to setup a webauth service, correct?
I agree, turning off server certificate validation isn't good.
03-06-2017 08:04 AM