@$k3l3t0r wrote:
We will be (huge upgrade going on!) but mainly for guest access and BYOD onboarding... but not for trusted business devices. They will be configured using group policy.
Can you elaborate on this bit please:
@cappalli wrote:
Windows will trigger user authentication in a traditional machine authentication configuration using PEAP-MS-CHAPv2 after logon. I don't believe there is a way to trigger user authentication when using a machine assigned certificate. Are you using ClearPass? You can return a username back to the controller via an Aruba RADIUS VSA.
I'm not yet very familiar with ClearPass and its capabilities above and beyond guest access and onboarding.
Thanks
$k3l3t0r,
The easiest route will be using PEAP, where the computer can identify itself on bootup, and the username of the user can be identified upon login and acted upon. The computer credentials are the computer's hostname and its SID (security identifier). The user's credentials are, well, their AD credentials. There are built-in roles in ClearPass to identify devices that have machine authenticated. You can then layer user authentication on top of that.
EAP-TLS requires certificates, but only allows a device to identify itself with a certificate, not username and password. The good part of using this is security, but the bad part is distributing, maintaining and revoking certificates, which will require more IT expertise to maintain than PEAP. When using EAP-TLS, the device cannot use a combination like device certificate and username and password to authenticate to the WLAN. You have to choose either...
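The layering the reply above describes (computer authenticates with a `host/` identity at boot, the user authenticates after logon, and the policy engine remembers which endpoint machine-authenticated) as an added Python example, not ClearPass code or anything from the thread: the identity patterns, role names, sample events and the 24 h cache TTL are assumptions modelled on the post.

```python
import re
from datetime import datetime, timedelta

# RADIUS User-Name forms Windows sends over PEAP-MSCHAPv2 (constructed samples):
#   machine auth at boot: host/PC01.corp.example ; user auth after logon: CORP\jdoe or jdoe@corp.example
MACHINE_RE = re.compile(r"^host/[^/\\@]+$", re.IGNORECASE)
USER_RE = re.compile(r"^(?:[^\\@/]+\\[^\\@/]+|[^\\@/]+@[^\\@/]+)$")

def classify_identity(identity: str) -> str:
    """Return 'machine', 'user' or 'unknown' for a RADIUS User-Name value."""
    if MACHINE_RE.match(identity):
        return "machine"
    if USER_RE.match(identity):
        return "user"
    return "unknown"

class MachineAuthCache:
    """Tracks endpoints (by MAC) that completed machine auth; a simplified model of
    the ClearPass machine-authentication cache. The 24 h TTL is an assumption."""
    def __init__(self, ttl: timedelta = timedelta(hours=24)):
        self.ttl = ttl
        self._seen: dict[str, datetime] = {}

    def evaluate(self, mac: str, identity: str, now: datetime) -> str:
        """Pick an access role for one successful 802.1X authentication."""
        mac = mac.lower()
        kind = classify_identity(identity)
        if kind == "machine":
            # Computer authenticated at boot: remember the endpoint and grant only
            # the pre-logon role (domain traffic, group policy, updates).
            self._seen[mac] = now
            return "machine-only"
        if kind == "user":
            seen = self._seen.get(mac)
            if seen is not None and now - seen <= self.ttl:
                # User logon on a device that recently machine-authenticated.
                return "corp-user-on-corp-device"
            # User credentials from a device that never machine-authenticated
            # (or whose cache entry expired), e.g. a personal laptop: restricted role.
            return "user-on-unknown-device"
        return "reject"

def demo() -> list:
    """Replay constructed sample events: (minutes after boot, MAC, identity)."""
    events = [(0, "AA:BB:CC:DD:EE:01", "host/PC01.corp.example"),
              (2, "aa:bb:cc:dd:ee:01", "CORP\\jdoe"),
              (3, "aa:bb:cc:dd:ee:02", "jdoe@corp.example"),
              (5, "aa:bb:cc:dd:ee:03", "not-an-identity"),
              (1500, "aa:bb:cc:dd:ee:01", "CORP\\jdoe")]  # 25 h later: cache expired
    cache, t0 = MachineAuthCache(), datetime(2024, 1, 1, 8, 0)
    return [cache.evaluate(m, i, t0 + timedelta(minutes=dt)) for dt, m, i in events]
```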