Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

User and machine EAP-TLS auth?

  • 1.  User and machine EAP-TLS auth?

    Posted Mar 18, 2015 07:15 AM

    I suspect this is a Windows issue rather than ClearPass, but I'm getting really frustrated with it, so I hope someone can help.


    The machines have a user cert and a machine cert installed. I'd like to do an auth with the machine cert and the user cert. This would get round the problem of users having to log out (or even reboot) whenever the [machine authenticated] role times out. I've upped the machine auth cache to the max it can be, but this is a security risk and still means that, occasionally, users will need to log out or reboot to do the machine auth.


    Any ideas or ways I can authenticate both machine and user in one hit?


    Cheers



  • 2.  RE: User and machine EAP-TLS auth?

    EMPLOYEE
    Posted Mar 18, 2015 07:54 AM
    You're going to hit the same issue. The type of credential doesn't matter with the cache. There's a tutorial on how to work around this with the endpoints repository.


    Thanks,
    Tim


  • 3.  RE: User and machine EAP-TLS auth?

    Posted Mar 18, 2015 07:56 AM

    That's really spooky: I was just reading a tweet about the new sensors from you when my email popped up saying you had replied to this.


    Anyway, can you point me towards the tutorial?





  • 4.  RE: User and machine EAP-TLS auth?

    EMPLOYEE


  • 5.  RE: User and machine EAP-TLS auth?

    Posted Mar 18, 2015 08:17 AM

    Hmmm... that just seems to be a way of caching the machine auth, which happens anyway. It still leaves us open to a security issue, in that a machine could still auth after it's been removed from AD.


    What would be really nice is if Windows could do a machine auth whenever it does a user auth.



  • 6.  RE: User and machine EAP-TLS auth?
    Best Answer

    EMPLOYEE
    Posted Mar 19, 2015 01:07 AM

    Davey_M,


    Why not just deploy a machine-only certificate to the devices so that they are always connected? When you configure the WLAN, just use machine-only credentials so that the machine only uses the machine certificate to authenticate to the WLAN. The user will still have to authenticate to Windows to get into the machine and run the login script, but the machine will handle the WLAN authentication part, which makes things more stable. You would then have a machine authorized to be on the WLAN with a certificate that cannot be faked, along with an authorized user logging into a Windows machine with valid credentials. No machine authentication status caching needed...



  • 7.  RE: User and machine EAP-TLS auth?

    Posted Mar 19, 2015 05:56 AM

    That sounds like a good plan. Thanks both of you.