Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Machine TLS and User PEAP

  • 1.  Machine TLS and User PEAP

    Posted Nov 22, 2017 02:35 PM

    I am looking at using machine certs that are already deployed in an environment, for machine authentication.  Users do not have certs, just computers, and so we were wanting to have users authenticate with their AD U+P credentials.

     

    The machine-auth role is only for basic access on the corporate network.  User credentials should give them their more full user role: e.g. IT Admins get FTP and SSH while Sales doesn't.

     

    When the wireless profile is pushed down from GPO, it is selecting to use the user cert.  Is there a way to do what I am looking for, or a recommendation for how to deploy in this environment?

     

     



  • 2.  RE: Machine TLS and User PEAP

    EMPLOYEE
    Posted Nov 22, 2017 02:37 PM
    No, the Windows supplicant does not allow mixed EAP methods.


  • 3.  RE: Machine TLS and User PEAP

    Posted Nov 22, 2017 02:47 PM

    Then, would the recommendation be to utilize computer certificates and make permissions based on machine OU, or use EAP-PEAP AD credentials?  Or would it be better to convince the IT department to issue user certificates to individuals and go with pure EAP-TLS?



  • 4.  RE: Machine TLS and User PEAP
    Best Answer

    EMPLOYEE
    Posted Nov 23, 2017 09:52 PM
    If you want to grant permission based on the computer's OU, EAP-TLS with a machine credential is all that would be required.
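
Added example, not part of the thread: a check that a WLAN profile exported as XML (for instance with `netsh wlan export profile`) is set to machine-only EAP-TLS, the setup the best answer describes. A profile whose `authMode` is `machineOrUser` switches to the user credential after logon, which matches the behaviour reported in the first post. The sample profile and its name are constructed; `audit_profile` and `local` are illustrative names.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile, trimmed to the elements this check reads.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi-example</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod>
            <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
          </EapMethod>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""

EAP_NAMES = {"13": "EAP-TLS", "25": "PEAP"}  # IANA EAP method type numbers


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_profile(xml_text):
    """Report the 802.1X authMode and outer EAP method(s) of one WLAN profile."""
    root = ET.fromstring(xml_text)
    auth_mode, methods = None, []
    for el in root.iter():
        if local(el.tag) == "authMode" and el.text:
            auth_mode = el.text.strip()
        elif local(el.tag) == "EapMethod":
            for child in el:
                if local(child.tag) == "Type" and child.text:
                    num = child.text.strip()
                    methods.append(EAP_NAMES.get(num, "EAP type " + num))
    return {
        "auth_mode": auth_mode,
        "eap_methods": methods,
        # True only when the computer credential is always presented via EAP-TLS
        "machine_only_tls": auth_mode == "machine" and methods == ["EAP-TLS"],
    }


if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```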