New Contributor
Posts: 2
Registered: ‎07-18-2012

Two-stage authentication

Hi folks.

I'd like to implement two-stage authentication (device and user).

My idea is to authenticate devices based on digital certificates and authenticate users based on username/password.

Is it possible to do this in the real world?

Does anyone have experience with this kind of implementation, or could anyone point me to some documentation/guidelines for doing this?

 

Regards.

Ricardo.

Aruba Employee
Posts: 26
Registered: ‎11-16-2011

Re: Two-stage authentication

Basically, you want to terminate EAP-TLS (for certificates) and PEAP (for username/password). The controller cannot terminate both. You will need a RADIUS server with the ability to terminate both of these on a single SSID. Right now the best option for that is ClearPass Policy Manager. This is a RADIUS server that terminates both, and you can derive different roles (levels of access to your network) based on the auth. E.g., if a machine is authenticated via EAP-TLS but the user is not yet authenticated via PEAP, then grant partial access to your network. If both methods are authed, then grant full access. These are just examples; the roles that are derived based on the level of auth are entirely customizable. I would recommend working with your Aruba account team to learn more about this.

Moderator
Posts: 893
Registered: ‎07-29-2010

Re: Two-stage authentication

Hello

I'm not sure about other clients but, as far as I know, you can't do that with WZC. You can either use PEAP or EAP-TLS for both machine and user authentication, but you can't have EAP-TLS for machine auth and PEAP for user auth.

If I'm wrong, please tell me how it would be done, because it's a nice thing to have.

Regards

 

Samuel Pérez
ACMP, ACCP, ACDX#100

Guru Elite
Posts: 20,574
Registered: ‎03-29-2007

Re: Two-stage authentication

ClearPass can tell if a "machine" authenticated before a user on the same device authenticated.

 



Colin Joseph
Aruba Customer Engineering


Aruba Employee
Posts: 26
Registered: ‎11-16-2011

Re: Two-stage authentication

I would have to look into WZC. But perhaps TLS + PEAP is overkill. I just implemented machine authentication at another customer by checking for the existence of the machine account in AD. If the account exists, the machine is authed and derives a certain level of access to the network. Later, when the user authenticates via PEAP, a new role can be derived based on the fact that the machine and user both successfully authed.
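As an added worked example (not code from this thread, from Aruba, or from ClearPass), the following Python models the role derivation that the first reply describes (machine-only access after EAP-TLS, full access once the user also passes PEAP on the same endpoint) together with the variant in the last reply, where machine auth is satisfied by the computer account existing in AD. It assumes that the EAP exchange itself (certificate validation, password check) has already succeeded before the policy runs, that the endpoint is keyed by its MAC address as carried in Calling-Station-Id, that Windows machine identities over PEAP take the `host/<name>.<domain>` form, and that a machine authentication stays valid for an assumed 24-hour cache lifetime. The role names, the `PolicyEngine` class, and the AD lookup (a constructed set of computer account names) are illustration, not any vendor's API.

```python
from dataclasses import dataclass, field


# Assumed cache lifetime (seconds) for a successful machine authentication.
MACHINE_AUTH_TTL = 24 * 60 * 60


@dataclass
class AuthRequest:
    """One RADIUS Access-Request whose EAP exchange has already succeeded."""
    mac: str        # Calling-Station-Id: the endpoint's MAC address
    method: str     # "EAP-TLS" or "PEAP"
    identity: str   # certificate subject CN for EAP-TLS, User-Name for PEAP
    now: float      # request timestamp, injected so scenarios are repeatable


@dataclass
class Decision:
    accept: bool
    role: str
    reason: str


@dataclass
class PolicyEngine:
    # Constructed stand-in for an AD lookup: sAMAccountNames of computer objects.
    computer_accounts: frozenset
    # MAC address -> expiry time of the last successful machine authentication.
    machine_auth_cache: dict = field(default_factory=dict)

    def _expire(self, now):
        """Drop machine-auth records that are older than the assumed TTL."""
        for mac in [m for m, exp in self.machine_auth_cache.items() if exp <= now]:
            del self.machine_auth_cache[mac]

    def _record_machine_auth(self, req):
        self.machine_auth_cache[req.mac] = req.now + MACHINE_AUTH_TTL

    def evaluate(self, req):
        self._expire(req.now)

        if req.method == "EAP-TLS":
            # The EAP stack already validated the device certificate; the
            # policy only needs to remember that this endpoint proved its identity.
            self._record_machine_auth(req)
            return Decision(True, "machine-only", "device certificate accepted")

        if req.method == "PEAP" and req.identity.startswith("host/"):
            # Windows machine auth over PEAP presents host/<name>.<domain>.
            # Mirror the AD account-existence check from the last reply.
            name = req.identity[len("host/"):].split(".")[0].upper() + "$"
            if name in self.computer_accounts:
                self._record_machine_auth(req)
                return Decision(True, "machine-only", f"computer account {name} exists")
            return Decision(False, "none", f"no computer account {name}")

        if req.method == "PEAP":
            # User credentials already validated; grant full access only when
            # this MAC completed machine auth first and that record is still fresh.
            if req.mac in self.machine_auth_cache:
                return Decision(True, "full-access", "machine and user both authenticated")
            return Decision(True, "user-only", "user authenticated on an unknown device")

        return Decision(False, "none", f"unsupported method {req.method}")


def run_scenario():
    """Constructed request sequence; returns one Decision per request."""
    engine = PolicyEngine(computer_accounts=frozenset({"LAPTOP01$", "LAPTOP02$"}))
    t0 = 1_000_000.0
    requests = [
        AuthRequest("aa:bb:cc:00:00:01", "EAP-TLS", "laptop01.corp.example", t0),
        AuthRequest("aa:bb:cc:00:00:01", "PEAP", "alice", t0 + 30),
        AuthRequest("aa:bb:cc:00:00:02", "PEAP", "bob", t0 + 60),
        AuthRequest("aa:bb:cc:00:00:03", "PEAP", "host/laptop02.corp.example", t0 + 90),
        AuthRequest("aa:bb:cc:00:00:03", "PEAP", "carol", t0 + 120),
        AuthRequest("aa:bb:cc:00:00:04", "PEAP", "host/rogue.corp.example", t0 + 150),
        # Same device as the first request, but after its machine auth expired.
        AuthRequest("aa:bb:cc:00:00:01", "PEAP", "alice", t0 + MACHINE_AUTH_TTL + 1),
    ]
    return [engine.evaluate(r) for r in requests]


if __name__ == "__main__":
    for d in run_scenario():
        print(f"accept={d.accept!s:5} role={d.role:12} {d.reason}")
```

The last request in the scenario is the caveat a practitioner should plan for: a machine-auth record is only evidence that the device authenticated at some point, so it needs an expiry, and a user logging in after that expiry (or from a device that never did machine auth) should land in the restricted role rather than full access.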
