08-01-2012 05:01 AM
I'd like to implement a two-stage authentication (device and user).
My idea is to authenticate devices based on digital certificates and authenticate users based on username/password.
Is it possible to do this in the real world?
Does anyone have experience with this kind of implementation, or could you indicate some documentation/guidelines to do this?
08-01-2012 06:13 AM
Basically, you want to terminate EAP-TLS (for certificates) and PEAP for username/password. The controller cannot terminate both. You will need a RADIUS server with the ability to terminate both of these on a single SSID. Right now the best option for that is ClearPass Policy Manager. This is a RADIUS server that terminates both, and you can derive different roles (levels of access to your network) based on the AUTH. E.g., if a machine is authenticated via EAP-TLS but the user is not yet authenticated via PEAP, then grant partial access to your network. If both methods are AUTHed, then grant full access. These are just examples - the roles that are derived based on level of AUTH are entirely customizable. I would recommend working with your Aruba account team to learn more about this.
08-02-2012 05:19 PM
I'm not sure about other clients but, as far as I know, you can't do that with WZC. You can either use PEAP or EAP-TLS for both machine and user authentication, but you can't have EAP-TLS for machine auth and PEAP for user auth.
If I'm wrong, please tell me how it would be done 'cause it's a nice thing to have.
ACMP, ACCP, ACDX#100
08-02-2012 05:28 PM
ClearPass can tell if a "machine" authenticated before a user on the same device authenticated.
Aruba Customer Engineering
08-03-2012 12:41 PM
I would have to look into WZC. But perhaps TLS + PEAP is overkill. I just implemented, at another customer, machine authentication by checking for the existence of the machine account in AD. If the account exists, the machine is authed and derives a certain level of access to the network. Later, when the user auths via PEAP, a new role can be derived based on the fact that the machine and user both successfully authed.
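
The role derivation discussed in this thread (partial access after machine auth, full access once a user also authenticates on the same device) can be sketched as follows. This is an added example, not part of the thread and not ClearPass's own logic; the role names, the cache lifetime, keying on MAC address and the `host/` / trailing-`$` machine-identity check are assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical role names and cache lifetime; not taken from any product.
ROLE_DENY, ROLE_MACHINE_ONLY, ROLE_USER_ONLY, ROLE_FULL = (
    "deny", "machine-only", "user-only", "full-access")
MACHINE_AUTH_TTL = 24 * 3600  # seconds a machine auth stays valid for a MAC


@dataclass
class RoleDeriver:
    # MAC address -> time of last successful machine authentication
    machine_seen: dict = field(default_factory=dict)

    def on_auth(self, mac, method, identity, success, now):
        """Return the role for one RADIUS authentication event."""
        mac = mac.lower().replace("-", ":")  # normalise MAC formatting
        if not success:
            return ROLE_DENY
        # Assumption: machine identities look like host/<fqdn> or NAME$
        is_machine = identity.startswith("host/") or identity.endswith("$")
        if is_machine:
            # Device stage: only a certificate (EAP-TLS) is accepted.
            if method != "EAP-TLS":
                return ROLE_DENY
            self.machine_seen[mac] = now
            return ROLE_MACHINE_ONLY
        # User stage: username/password over PEAP.
        if method != "PEAP":
            return ROLE_DENY
        seen = self.machine_seen.get(mac)
        if seen is not None and now - seen <= MACHINE_AUTH_TTL:
            return ROLE_FULL
        self.machine_seen.pop(mac, None)  # drop an expired entry, if any
        return ROLE_USER_ONLY


def replay(events):
    """Run events through a fresh deriver and return the derived roles."""
    deriver = RoleDeriver()
    return [deriver.on_auth(*e) for e in events]


# Constructed sample events: (mac, method, identity, success, time in seconds)
SAMPLE = [
    ("AA-BB-CC-00-00-01", "EAP-TLS", "host/laptop1.example.com", True, 0),
    ("aa:bb:cc:00:00:01", "PEAP", "alice", True, 60),
    ("aa:bb:cc:00:00:02", "PEAP", "bob", True, 90),
    ("aa:bb:cc:00:00:01", "PEAP", "alice", True, 60 + 25 * 3600),
]
```

The two stages are linked only by MAC address in this sketch, so the cache lifetime decides how long a machine result keeps counting for later user logins from that address.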