Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

dot1x authentication for non domain computers

  • 1.  dot1x authentication for non domain computers

    Posted Mar 25, 2014 05:04 PM

    Hi,

    We have set up an SSID with 802.1x EAP which supports "PEAP" and "smart card or other certificate" authentication modes. Users log in using their domain credentials. What we want to achieve is this:

    We have a couple of machines which we want to connect to but without entering user credentials. We want to use a certificate from our internal CA to authenticate the client on the SSID. What is the correct way of doing it?

    Is there any way (or any other post on this forum) which highlights how we can get the certificate from our CA to enroll the machine manually? Systems on the domain are already enrolled obviously, but the systems we want to connect will be like kiosk machines and are not on the domain.

    Thanks in anticipation.

    Farzan



  • 2.  RE: dot1x authentication for non domain computers
    Best Answer

    EMPLOYEE
    Posted Mar 25, 2014 08:21 PM

    You should look on Microsoft's forum to do this. Most people stick with WPA2 and PEAP because issuing, distributing, and revoking certificates are so time and labor intensive. In addition, you then have to make sure what certificate is assigned to whom and then have someone who has the skills in your company maintain and revoke their certificate. It is hard enough keeping track of accounts in Active Directory, but it is much harder to keep track of EAP-TLS certificates for non-domain users, because you do not have control over their devices.

    ClearPass Onboard simplifies distributing, issuing, revoking and tying an EAP-TLS certificate to a user account for non-domain devices. If you do not have something like ClearPass Onboard, you are looking at a great deal of management overhead...



  • 3.  RE: dot1x authentication for non domain computers

    Posted Feb 08, 2017 11:38 PM

    Hi,

    Is there any option to do AD user name & private certificate authentication with 802.1x on a non-domain device?



  • 4.  RE: dot1x authentication for non domain computers

    EMPLOYEE
    Posted Feb 08, 2017 11:39 PM
    Yes. You'd have to manually request the certificate, install it and manually configure the supplicant.


  • 5.  RE: dot1x authentication for non domain computers

    Posted Feb 08, 2017 11:44 PM

    Ok,

    Could you please help me to know what I need to write to check the machine certificate on the device in the enforcement policy?



  • 6.  RE: dot1x authentication for non domain computers

    EMPLOYEE
    Posted Feb 08, 2017 11:46 PM
    Is the device machine authenticating to AD?
    What properties of the certificate are you looking to compare and authorize on?


  • 7.  RE: dot1x authentication for non domain computers

    Posted Feb 08, 2017 11:52 PM

    The customer has its own CA. We want to identify the device based on the certificate issued by its own CA, and the user will also be identified using the corporate AD.

    This machine certificate will be installed manually on non-domain/workgroup customer-owned devices.
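
The manual request-and-install steps mentioned in reply 4, and the manual installation described in the last post, sketched as an added example that is not part of the original thread or any poster's own procedure. It assumes a Windows client and a Microsoft CA; the device name, file names, working folder and the `<CA-HOST>`, `<CA-NAME>` and `<TEMPLATE>` placeholders are all hypothetical.

```powershell
# Added example: manual machine-certificate enrollment on a non-domain Windows client.
# Run elevated. Device name, paths and file names are assumptions, not from the thread.
$device = 'KIOSK-01'                                   # hypothetical device name
$work   = Join-Path $env:TEMP 'dot1x-enroll'           # hypothetical working folder
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. First run: generate the key pair in the machine store and write a PKCS#10 request.
#    Skipped on re-run so a second key pair is not created.
if (-not (Test-Path "$work\kiosk.req")) {
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$device"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
"@ | Set-Content -Path "$work\kiosk.inf" -Encoding ASCII
    certreq -new "$work\kiosk.inf" "$work\kiosk.req"
}

# 2. Off-box step: carry kiosk.req to a host that can reach the CA and submit it there:
#    certreq -submit -config "<CA-HOST>\<CA-NAME>" -attrib "CertificateTemplate:<TEMPLATE>" kiosk.req kiosk.cer
#    Then copy kiosk.cer and the CA root certificate (rootca.cer) back into $work.
if (-not ((Test-Path "$work\kiosk.cer") -and (Test-Path "$work\rootca.cer"))) {
    Write-Host "Request written to $work\kiosk.req. Submit it to the CA, then re-run."
    return
}

# 3. Second run: trust the internal CA, then bind the issued certificate to the pending key.
Import-Certificate -FilePath "$work\rootca.cer" -CertStoreLocation Cert:\LocalMachine\Root
certreq -accept -machine "$work\kiosk.cer"

# 4. Check: a machine certificate with a private key and the Client Authentication EKU exists.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint
```

The private key is generated on the device and marked non-exportable, so only the request and the issued certificate ever leave or enter the machine. The supplicant still has to be configured by hand to use the "smart card or other certificate" mode with this certificate.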