Security

Hi community, 

 

 

We have been reviewing our options with regards to the Windows X 802.1X supplicant configuration and there is one thing that I can't seem to be able to get confirmation of in any Microsoft documentation or forums. 

 

Currently our clients are configured to use EAP-TLS with an authentication method of 'Computer Authentication'. As I understand, by having this when the machine boots and gets to the 'ctrl-alt-del' prompt the machine will complete a computer authentication using the computer certificate it obtained when it was joined to the domain, all well and good. We have a desire to include 'User Authentication' as well to better manage access to the network with regards to certificate revokation, etc when  a user leaves the organisation. We don't typically publish revoked machine certificates in our CRL, they tend to be user certificates. We would also like to see the user show up when connected to the Aruba infrastructure as their domain user account, not the computer. As we have a requirement for both 'Computer' and 'User' authentication we have been exploring changing the Authentication method to 'Computer or User authentication'. As I understand, for this to work the user must have logged on to the machine previously, from a wired connection, to download his user certificate into his local certificate store. Once he has done this he can disconnect from the wired network, reboot, the machine would perform a computer authentication and the user would be at the 'ctrl-alt-del' prompt. Now this next part is a little unclear to me. When the user presses 'ctrl-alt-del' the user now has to enter their username and password. We don't have this incorporated into the existing Clearpass service service (MS-CHAP), but the user can enter their credentials and be authenticated against the domain as they have the access using their computer certificate? Assuming this is correct, at what point does the device go from using the computer certificate to using the user certificate? Is it when the user presses 'ctrl-alt-del'? I can't find any literature that confirms that this is or is not the case? Can anybody advise? I've read posts that a similar to this query but not exactly like the query I have. If anybody has any references to MS material related to this that would be appreciated. I've found guides for configuring the options but not a lot about the differences and order of events for each of the options (user, computer, user or computher authentication).

 

For EAP-TLS to work with user and computer authentication, both user and computer certificates must be present on the computer.  That would mean the user would have had to have logged into the physical computer wired at least one time for this to actually work, because the user certificate is stored in the user profile.  If it does not exist, the computer will switch from computer to user auth when the user attempts to login, it will have no connectivity, because there will be no corresponding user certificate.

 

Most secure organizations use EAP-TLS with computer authentication only, but the name of the computer would be some derivative of the user name to know who's device is connected.  There is no way to have computer EAP-TLS and user PEAP on Windows computers, and having user and computer with EAP-TLS is very resource-intensive.  EAP-TLS with user and computer is not really practical with multiple users.  Having EAP-TLS with computer only emulates exactly what happens when you are on the wired network.  If a user's account is expired or disabled with computer-ony authentication, the user will not be able to login, period.

Thanks Colin, that's kind of how I understood it to work, with regards to the availability of the certificates.

 

To confirm, when the user presses 'ctrl-alt-del' this is when the authentication changes from 'Computer' to 'User', and if present this is when the 'User' certificate is forwarded?

 

I take your point regarding the overhead with both computer and user certificates. With regards to Clearpass, if there was an attribute in AD that tied the device to a user, can you use Clearpass to return this as the user name as opposed to the hostname of the device?

 

My only concern with regards to our current setup with just computer authentication is whilst a user's account could be disabled if they left the organisation, the user could potentially still access the network using cached credentials and the computer certificate if the computer certificate is not revoked. Granted they would not be able to access a resource restricted by AD, but they could still potentially get IP connectivity. I guess it is then up to us to consider revoking the computer certificate to address this, or enhance the Clearpass logic?

No, the device does not change to user input until after the user's credentials have been validated and system scripts have run.

Thanks Tim. Do you have any reference material for this that goes into detail? I'd just really like to understand the process to allow me to articulate this to others correctly.

 

 

No, it's not well documented anywhere (at least that when I looked).




TIM CAPPALLI

Aruba Security

If computer + user is required and the devices are shared (multiple users may use them), PEAPv0/EAP-MSCHAPv2 with a GPO-controlled supplicant is recommended.

If they're single user machines, EAP-TLS can be used but the initial logon must be done on a wired network to allow the user certificate to download.

Thanks Tim, appreciate the input.