Frequent Contributor I
Posts: 72
Registered: 03-21-2013

dot1x authentication for non domain computers

Hi,

We have set up an SSID with 802.1X EAP which supports "PEAP" and "smart card or other certificate" authentication modes. Users log in using their domain credentials. What we want to achieve is this:

We have a couple of machines which we want to connect, but without entering user credentials. We want to use a certificate from our internal CA to authenticate the client on the SSID. What is the correct way of doing it?

Is there any way (or any other post on this forum) which highlights how we can get the certificate from our CA to enroll the machine manually? Systems on the domain are already enrolled, obviously, but the systems we want to connect will be like kiosk machines and are not on the domain.

Thanks in anticipation.

Farzan

Guru Elite
Posts: 21,001
Registered: 03-29-2007

Re: dot1x authentication for non domain computers

You should look on Microsoft's forum to do this. Most people stick with WPA2 and PEAP because issuing, distributing and revoking certificates is so time- and labor-intensive. In addition, you then have to make sure which certificate is assigned to whom, and then have someone with the skills in your company maintain and revoke their certificates. It is hard enough keeping track of accounts in Active Directory, but it is much harder to keep track of EAP-TLS certificates for non-domain users, because you do not have control over their devices.

ClearPass Onboard simplifies distributing, issuing, revoking and tying an EAP-TLS certificate to a user account for non-domain devices. If you do not have something like ClearPass Onboard, you are looking at a great deal of management overhead...

Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 15
Registered: 12-01-2015

Re: dot1x authentication for non domain computers

Hi,

Is there any option to do AD user name & private certificate authentication with 802.1X on a non-domain device?

Guru Elite
Posts: 8,456
Registered: 09-08-2010

Re: dot1x authentication for non domain computers

Yes. You'd have to manually request the certificate, install it and manually configure the supplicant.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
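The manual path described in the reply above, written out as an added example (this is not code from the thread, from Aruba or from Microsoft): generate the key pair and CSR on the workgroup kiosk with certreq, submit the request to the internal AD CS CA from a domain-joined workstation, accept the issued certificate back on the kiosk, then load a machine-authentication EAP-TLS wireless profile with netsh. The CA config string, template name, SSID, RADIUS server name, root CA subject, file names and paths are all assumptions; change them to match your environment.

```powershell
# Added example, not from the thread: manual EAP-TLS enrollment of a workgroup
# kiosk against an internal AD CS CA, then a machine-auth wireless profile.
# All names below are assumptions for illustration. Run in an elevated PowerShell.
$ErrorActionPreference = 'Stop'
$Fqdn        = 'kiosk01.corp.example.com'              # assumed kiosk name
$CaConfig    = 'ca01.corp.example.com\Corp-Issuing-CA' # assumed "CAhost\CA name"
$Template    = 'Machine'                               # assumed enrollable template
$Ssid        = 'CORP-DOT1X'                            # assumed SSID
$RadiusFqdn  = 'radius.corp.example.com'               # assumed name in RADIUS server cert
$RootSubject = 'CN=Corp Root CA'                       # assumed internal root CA subject
$Work        = 'C:\eaptls'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
# Step 1, on the kiosk: generate the key pair and CSR. MachineKeySet=TRUE puts the key
# in the LocalMachine store so the supplicant can use it before anyone logs on;
# Exportable=FALSE keeps it on the kiosk. EKU 1.3.6.1.5.5.7.3.2 is Client Authentication.
@"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$Work\kiosk.inf" -Encoding Ascii
certreq.exe -new "$Work\kiosk.inf" "$Work\kiosk.req"
# Step 2, on a domain-joined workstation, as an account allowed to enroll the template:
# copy kiosk.req over, submit it, copy the issued kiosk.cer back. The workgroup kiosk
# has no domain identity, so it cannot submit to the enterprise CA itself.
certreq.exe -submit -config $CaConfig "$Work\kiosk.req" "$Work\kiosk.cer"
# Step 3, back on the kiosk: bind the issued cert to the pending private key, and trust
# the root CA so the supplicant can validate the RADIUS server certificate.
# corp-root.cer is assumed to be the exported internal root CA certificate.
certreq.exe -accept "$Work\kiosk.cer"
Import-Certificate -FilePath "$Work\corp-root.cer" -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
$Root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $RootSubject } | Select-Object -First 1
# The profile wants the root thumbprint as space-separated lower-case byte pairs.
$RootTp = ($Root.Thumbprint.ToLower() -split '(..)' | Where-Object { $_ }) -join ' '
# Step 4, on the kiosk: EAP-TLS (EAP type 13) profile with authMode=machine. Pinning
# ServerNames and TrustedRootCA, with the user prompt disabled, is what stops the kiosk
# from presenting its certificate to a rogue AP backed by an attacker's RADIUS server.
@"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>$Ssid</name>
  <SSIDConfig><SSID><name>$Ssid</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machine</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod>
            <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
            <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
            <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
            <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
          </EapMethod>
          <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <Type>13</Type>
              <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                <CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleCertSelection></CertificateStore></CredentialsSource>
                <ServerValidation>
                  <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
                  <ServerNames>$RadiusFqdn</ServerNames>
                  <TrustedRootCA>$RootTp</TrustedRootCA>
                </ServerValidation>
                <DifferentUsername>false</DifferentUsername>
                <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
                <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</AcceptServerName>
              </EapType>
            </Eap>
          </Config>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
"@ | Set-Content -Path "$Work\$Ssid.xml" -Encoding Ascii
netsh.exe wlan add profile filename="$Work\$Ssid.xml" user=all
```

After the profile is loaded, `netsh wlan show profile name=CORP-DOT1X` should report WPA2-Enterprise with EAP type "Smart Card or other certificate", and the kiosk will authenticate as host/kiosk01.corp.example.com before any user logs on. The RADIUS side still has to authorize that identity: NPS maps the certificate subject or SAN to an AD account, so a workgroup kiosk needs a placeholder computer object there, whereas ClearPass can authorize on certificate attributes (issuer, subject) without an AD object. Revocation is then a manual job too, which is the overhead the earlier reply warns about.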
Occasional Contributor II
Posts: 15
Registered: 12-01-2015

Re: dot1x authentication for non domain computers

Ok,

Could you please help me to know what I need to write to check the machine certificate on the device in the enforcement policy?

Guru Elite
Posts: 8,456
Registered: 09-08-2010

Re: dot1x authentication for non domain computers

Is the device machine authenticating to AD?
What properties of the certificate are you looking to compare and authorize on?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 15
Registered: 12-01-2015

Re: dot1x authentication for non domain computers

The customer has their own CA. We want to identify the device based on certificates issued by that CA, and the user will also be identified using corporate AD.

This machine certificate will be installed manually on non-domain/workgroup customer-owned devices.
