Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

User auth with eap-tls and Windows sso

  • 1.  User auth with eap-tls and Windows sso

    Posted Nov 11, 2013 08:31 PM

    As KB2717916 points out, Windows user wireless single sign-on can never work with certificate-based protocols because when network authentication is attempted before user logon there is no user context from which to retrieve a certificate. Machine authentication does work, but it's not ideal to then relax security and only do user network auth after logon. It should be possible to switch to MS-CHAP after machine auth and forward credentials to the RADIUS server for user auth, but dashed if I can see how. Anyone any ideas? Client is Windows 7, login is to a Windows domain.



  • 2.  RE: User auth with eap-tls and Windows sso

    EMPLOYEE
    Posted Nov 11, 2013 10:14 PM

    It is not possible with the built-in Windows supplicant. You can only define a single EAP type (TLS or PEAP) for a single WLAN connection.


    Most users who do EAP-TLS, for seamless connectivity, just do machine-only TLS, where they create the profile and under IEEE and Advanced allow the computer to authenticate at the ctrl-alt-delete as well as when the user is logged in. At that point, the computer security profile matches that of a wired computer, where only an authorized user can log in to an already trusted device.


    Again, using the method above, the user does not log in to the WLAN, but the trusted domain computer connects using a method that cannot be duplicated or re-used (EAP-TLS), and then the user is allowed to log in to that trusted device that is connecting securely.
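The machine-only EAP-TLS profile described in the answer above corresponds, in the saved Windows WLAN profile XML, to an 802.1X `authMode` of `machine` together with EAP method type 13 (EAP-TLS). The following PowerShell script is an added example, not code from the thread or from HPE Aruba Networking; it exports a named profile with `netsh wlan export profile` (without the key material) and reports whether the profile is configured for machine-only EAP-TLS. The profile name `CorpWiFi` used in the usage line is an assumed placeholder.

```powershell
# Added example: verify that a saved Wi-Fi profile is set to machine-only EAP-TLS.
# Usage (assumed profile name):  .\Check-MachineOnlyEapTls.ps1 -ProfileName "CorpWiFi"
param(
    [Parameter(Mandatory = $true)]
    [string]$ProfileName
)

# Export into a scratch folder. netsh writes "<Interface>-<Profile>.xml" there.
# key=clear is deliberately NOT passed, so no pre-shared keys are written to disk.
$scratch = Join-Path $env:TEMP ("wlan-check-" + [guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $scratch | Out-Null
try {
    netsh wlan export profile name="$ProfileName" folder="$scratch" | Out-Null
    $file = Get-ChildItem -Path $scratch -Filter '*.xml' | Select-Object -First 1
    if (-not $file) { throw "No saved WLAN profile named '$ProfileName' was exported." }

    [xml]$doc = Get-Content -Path $file.FullName -Raw

    # The profile mixes several XML namespaces (WLANProfile, OneX, EapHostConfig),
    # so match on local-name() instead of binding each namespace by hand.
    $useOneX  = $doc.SelectSingleNode("//*[local-name()='useOneX']")
    $authMode = $doc.SelectSingleNode("//*[local-name()='OneX']/*[local-name()='authMode']")
    $eapType  = $doc.SelectSingleNode("//*[local-name()='EapMethod']/*[local-name()='Type']")

    # OneX omits <authMode> when it is left at the default, which is machineOrUser
    # ("User or computer authentication" in the Advanced settings dialog).
    $mode = if ($authMode) { $authMode.InnerText.Trim() } else { 'machineOrUser' }
    $type = if ($eapType)  { $eapType.InnerText.Trim() }  else { '' }

    [pscustomobject]@{
        Profile     = $ProfileName
        Uses8021X   = ($useOneX -and $useOneX.InnerText.Trim() -eq 'true')
        EapTypeId   = $type          # 13 = EAP-TLS, 25 = PEAP
        AuthMode    = $mode          # machine | user | machineOrUser | guest
        MachineOnly = ($mode -eq 'machine' -and $type -eq '13')
    }
}
finally {
    Remove-Item -Recurse -Force $scratch -ErrorAction SilentlyContinue
}
```

`MachineOnly` is `$true` only when the profile both selects EAP-TLS and restricts 802.1X to computer authentication, which is the configuration the answer recommends: the device authenticates with its machine certificate before and after logon, and user access is then governed by the domain logon to that already-trusted device rather than by a second network authentication.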