Wireless Access

Occasional Contributor II
Posts: 11
Registered: 09-25-2013

2 factor with Windows and Macs

Is there a deployment guide or suggested best practice for configuring 2 factor wireless authentication for a single SSID for Windows and MacBooks? Currently the Windows users and Mac users authenticate with AD credentials. Though the Macs aren't joined to AD, the credentials are manually entered. With this setup, how would one go about adding a 2nd factor in case someone's credentials get compromised? We have an internal CA and I've been thinking about adding a machine cert to the Windows PCs, but the Macs are kind of puzzling me.

My thinking was to have computers dropped in a limited role based on the authentication of the machine cert, then moved to a production full access role following successful authentication with AD credentials (both authenticating against a RADIUS server). But if the user never logs out, won't the machine authentication eventually expire?

Guru Elite
Posts: 21,010
Registered: 03-29-2007

Re: 2 factor with Windows and Macs


jdmhw6 wrote:

Is there a deployment guide or suggested best practice for configuring 2 factor wireless authentication for a single SSID for Windows and MacBooks? Currently the Windows users and Mac users authenticate with AD credentials. Though the Macs aren't joined to AD, the credentials are manually entered. With this setup, how would one go about adding a 2nd factor in case someone's credentials get compromised? We have an internal CA and I've been thinking about adding a machine cert to the Windows PCs, but the Macs are kind of puzzling me.

My thinking was to have computers dropped in a limited role based on the authentication of the machine cert, then moved to a production full access role following successful authentication with AD credentials (both authenticating against a RADIUS server). But if the user never logs out, won't the machine authentication eventually expire?


You can do machine certificates fairly easily with Windows using certificate auto-enrollment and Group Policy to authenticate computer-only or machine-only certificates in the WLAN setup.

With the Mac it is a little more tricky. You need to create a "System Profile" and attach a generated TLS certificate to that using Mac OS X Server ($50) Profile Manager. You can also hack it with the iPCU (iPhone Configuration Utility) using the article here: http://www.revolutionwifi.net/2012/02/mac-os-x-lion-creating-wi-fi-8021x.html You can then layer user login on the Mac on top of that by binding your Mac to the domain and then, under Settings > Users and Groups > Login Options, setting "Display Login as Name and Password".

What will happen is that the Mac will connect to the wireless before login with the generated certificate via the system profile... It will get an IP address, etc. It will show the username and password dialog and then show "Green" when it has connectivity to the domain. The user can then log in using a valid username and password.

I hope that makes sense.

 



Colin Joseph
Aruba Customer Engineering

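As an added illustration of the "System Profile" described in the reply above (example code added here; it is not from the original post, from Aruba, or from Apple), the helper below assembles a system-scoped Wi-Fi EAP-TLS .mobileconfig with Python's plistlib and then checks the properties that matter when a machine certificate authenticates unattended at the login window: PayloadScope must be System, the Wi-Fi payload must reference a PKCS#12 identity payload by UUID, EAP type 13 (EAP-TLS) must be accepted, and the RADIUS server names must be pinned with click-through trust exceptions disabled. The payload keys are Apple's documented configuration-profile keys; the SSID, organisation identifier, server names, password and PKCS#12 bytes are constructed placeholders, and the function names are my own.

```python
"""Build and sanity-check a system-scoped Wi-Fi EAP-TLS configuration profile.

Hypothetical helper written for this thread, not Apple or Aruba code. The
PKCS#12 blob below is a constructed placeholder; a real profile embeds the
machine identity exported from the internal CA (e.g. via Profile Manager or
the iPhone Configuration Utility, as the reply above describes).
"""
import plistlib
import uuid

EAP_TLS = 13  # IANA-assigned EAP method type for EAP-TLS


def _new_uuid():
    return str(uuid.uuid4()).upper()


def build_system_eap_tls_profile(ssid, p12_bytes, p12_password,
                                 trusted_server_names,
                                 org_prefix="com.example.wifi",
                                 scope="System"):
    """Return .mobileconfig bytes (XML plist).

    scope="System" makes the Mac join the SSID at the login window before any
    user has authenticated; the Wi-Fi payload points at the PKCS#12 payload
    through PayloadCertificateUUID. Pass scope="User" to see what the checker
    rejects.
    """
    cert_uuid = _new_uuid()
    cert_payload = {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.identity",
        "PayloadUUID": cert_uuid,
        "PayloadDisplayName": "Machine identity (PKCS#12)",
        "PayloadContent": p12_bytes,  # bytes are serialised as <data>
        "Password": p12_password,
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.ssid",
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": f"Wi-Fi: {ssid}",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",  # WPA2-Enterprise with the EAP settings below
        "PayloadCertificateUUID": cert_uuid,
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_TLS],
            # Pin the RADIUS server identity and forbid trust exceptions so the
            # unattended machine credential is only presented to your servers.
            "TLSTrustedServerNames": list(trusted_server_names),
            "TLSAllowTrustExceptions": False,
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": scope,
        "PayloadIdentifier": f"{org_prefix}.profile",
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": f"Machine 802.1X for {ssid}",
        "PayloadRemovalDisallowed": True,
        "PayloadContent": [cert_payload, wifi_payload],
    }
    return plistlib.dumps(profile)


def check_profile(profile_bytes):
    """Return a list of problems; an empty list means the profile passes."""
    profile = plistlib.loads(profile_bytes)
    problems = []
    if profile.get("PayloadScope") != "System":
        problems.append("PayloadScope must be System for pre-login machine auth")
    payloads = profile.get("PayloadContent", [])
    identity_uuids = {p.get("PayloadUUID") for p in payloads
                      if p.get("PayloadType") == "com.apple.security.pkcs12"}
    wifi = [p for p in payloads if p.get("PayloadType") == "com.apple.wifi.managed"]
    if not wifi:
        problems.append("no com.apple.wifi.managed payload")
    for w in wifi:
        name = w.get("SSID_STR", "?")
        eap = w.get("EAPClientConfiguration", {})
        if EAP_TLS not in eap.get("AcceptEAPTypes", []):
            problems.append(f"{name}: EAP-TLS (13) not accepted")
        if w.get("PayloadCertificateUUID") not in identity_uuids:
            problems.append(f"{name}: PayloadCertificateUUID does not reference a PKCS#12 payload")
        if not eap.get("TLSTrustedServerNames"):
            problems.append(f"{name}: no TLSTrustedServerNames pinned")
        if eap.get("TLSAllowTrustExceptions", True):
            problems.append(f"{name}: trust exceptions allowed")
    return problems


# Constructed sample input: not a real PKCS#12 file, just stand-in bytes.
SAMPLE_P12 = b"PLACEHOLDER-PKCS12-DATA"
SAMPLE_PROFILE = build_system_eap_tls_profile(
    "CorpWiFi", SAMPLE_P12, "export-password",
    ["radius1.corp.example", "radius2.corp.example"])

if __name__ == "__main__":
    print(SAMPLE_PROFILE.decode())
    print("problems:", check_profile(SAMPLE_PROFILE))
```

The output is what Profile Manager or iPCU would otherwise produce by hand; replace the placeholder bytes with the exported machine identity before installing it. The two checks on TLSTrustedServerNames and TLSAllowTrustExceptions are the ones worth keeping even if you build the profile elsewhere: because the machine authenticates with nobody at the keyboard, the profile itself has to decide which RADIUS servers may see the certificate.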

Contributor I
Posts: 34
Registered: 11-06-2012

Re: 2 factor with Windows and Macs

I have seen several solutions to this but I think the best would be to use certificates and TLS. ClearPass with Onboard works great for getting OS X onto the network using 2 factor auth while using machine certs (TLS) or machine and user auth (PEAP) for Windows machines.
