Contributor II
Posts: 36
Registered: ‎11-18-2014

User and machine EAP-TLS auth?

I suspect this is a Windows issue rather than ClearPass, but I'm getting really frustrated with it so hope someone can help.

The machines have a user cert and a machine cert installed. I'd like to do an auth with the machine cert and the user cert. This would get round the problem with users having to log out (or even reboot) whenever the [machine authenticated] role times out. I've upped the machine auth cache to the max it can be but this is a security risk and still means that occasionally, users will need to log out or reboot to do the machine auth.

Any ideas or ways I can authenticate both machine and user in one hit?

Cheers

Guru Elite
Posts: 8,178
Registered: ‎09-08-2010

Re: User and machine EAP-TLS auth?

You're going to hit the same issue. The type of credential doesn't matter with the cache. There's a tutorial on how to work around this with the endpoints repository.


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor II
Posts: 36
Registered: ‎11-18-2014

Re: User and machine EAP-TLS auth?

That's really spooky, I was just reading a tweet about the new sensors from you when my email popped up saying you had replied to this.

Anyway, can you point me towards the tutorial?

Guru Elite
Posts: 8,178
Registered: ‎09-08-2010

Re: User and machine EAP-TLS auth?

The twitterverse can sense it.

Here you go:

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-Machine-AND-User-Authentication-in-Windows-with-Clearpass/m-p/208471

Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor II
Posts: 36
Registered: ‎11-18-2014

Re: User and machine EAP-TLS auth?

Hmmm... that just seems to be a way of caching the machine auth, which happens anyway. It still leaves us open to a security issue in that a machine could still auth after it's been removed from AD.

What would be really nice is if Windows could do a machine auth whenever it does a user auth.

Guru Elite
Posts: 20,560
Registered: ‎03-29-2007

Re: User and machine EAP-TLS auth?

Davey_M,

Why not just deploy a machine-only certificate to the devices so that they are always connected? When you configure the WLAN, just use machine-only credentials so that the machine only uses the machine certificate to authenticate to the WLAN. The user will still have to authenticate to Windows to get into the machine and run the login script, but the machine will handle the WLAN authentication part, which makes things more stable. You would then have a machine authorized to be on the WLAN with a certificate that cannot be faked, along with an authorized user logging into a Windows machine with valid credentials. No machine authentication status caching needed....

Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 36
Registered: ‎11-18-2014

Re: User and machine EAP-TLS auth?

That sounds like a good plan. Thanks both of you.
