11-11-2013 05:31 PM
As KB2717916 points out, Windows user wireless single sign-on can never work with certificate-based protocols, because when network authentication is attempted before user logon there is no user context from which to retrieve a certificate. Machine authentication does work, but it's not ideal to then relax security and only do user network auth after logon. It should be possible to switch to MS-CHAP after machine auth and forward credentials to the RADIUS server for user auth, but dashed if I can see how. Anyone any ideas? Client is Windows 7, login is to a Windows domain.
11-11-2013 07:14 PM
It is not possible with the built-in Windows supplicant. You can only define a single EAP type (TLS or PEAP) for a single WLAN connection.
Most users who do EAP-TLS, for seamless connectivity, just do machine-only TLS, where they create the profile and, under IEEE and Advanced, allow the computer to authenticate at Ctrl-Alt-Delete as well as when the user is logged in. At that point, the computer security profile matches that of a wired computer, where only an authorized user can log in to an already trusted device.
Again, using the method above, the user does not log in to the WLAN, but the trusted domain computer connects using a method that cannot be duplicated or re-used (EAP-TLS), and then the user is allowed to log in to that trusted device that is connecting securely.
Aruba Customer Engineering