Security

jk
New Contributor
Posts: 1
Registered: ‎11-11-2013

User auth with eap-tls and Windows sso

As KB2717916 points out, Windows user wireless single sign-on can never work with certificate-based protocols, because when network authentication is attempted before user logon there is no user context from which to retrieve a certificate. Machine authentication does work, but it's not ideal to then relax security and only do user network auth after logon. It should be possible to switch to MS-CHAP after machine auth and forward credentials to the RADIUS server for user auth, but dashed if I can see how. Anyone any ideas? Client is Windows 7, login is to a Windows domain.

Guru Elite
Posts: 21,272
Registered: ‎03-29-2007

Re: User auth with eap-tls and Windows sso

It is not possible with the built-in Windows supplicant. You can only define a single EAP type (TLS or PEAP) for a single WLAN connection.

Most users who do EAP-TLS, for seamless connectivity, just do machine-only TLS, where they create the profile and under IEEE and Advanced allow the computer to authenticate at the ctrl-alt-delete as well as when the user is logged in. At that point, the computer security profile matches that of a wired computer, where only an authorized user can log in to an already trusted device.

Again, using the method above, the user does not log in to the WLAN, but the trusted domain computer connects using a method that cannot be duplicated or re-used (EAP-TLS), and then the user is allowed to log in to that trusted device that is connecting securely.



Colin Joseph
Aruba Customer Engineering

