EAP TLS SSO
04-07-2014 02:50 PM
Has anyone done any workaround for this?
I have a client who needs to do SSO like with EAP PEAP, which is possible.
He runs a script, but the device needs to authenticate before the user logs in to Windows... it needs to run the script, and if it does not have single sign-on, the script cannot run because it is not on the network yet.
When he had SSO with EAP PEAP with single sign-on configured on the Windows supplicant, everything worked pretty well, but now that he moved to EAP TLS for more security, EAP TLS lacks single sign-on on the Windows supplicant, like it says in the Microsoft document http://support.microsoft.com/kb/2717916
Has anyone encountered this issue? Any workaround for it?
Cheers
Carlos
Product Manager - Aruba Networks
Alternetworks Corp
Re: EAP TLS SSO
04-07-2014 06:56 PM
You can use EAP-TLS with machine authentication.
Colin Joseph
Aruba Customer Engineering
Re: EAP TLS SSO
04-23-2014 10:27 AM
Hello Colin
If I do EAP-TLS with machine authentication, that means I would need to enable machine authentication on the controller?
Cheers
Carlos
Product Manager - Aruba Networks
Alternetworks Corp
Re: EAP TLS SSO
04-24-2014 02:27 PM
Anyone???
Cheers
Carlos
Product Manager - Aruba Networks
Alternetworks Corp
Re: EAP TLS SSO
04-24-2014 02:33 PM - edited 04-24-2014 02:34 PM
No.
You do not need to configure anything on the controller, except define a RADIUS server. The RADIUS server is where you decide which users or machines to allow authentication, based on AD groups.
Colin Joseph
Aruba Customer Engineering
Re: EAP TLS SSO
04-24-2014 02:34 PM
Thank you
I'll do some testing then
Cheers
Carlos
Product Manager - Aruba Networks
Alternetworks Corp
Re: EAP TLS SSO
05-05-2014 01:39 PM
Hello Colin
I tested and it seems to work!
2 more questions
1-There is no way to make the name rather than the computer name on the client list when authenticating with the computer?
host/pcname.domain.local
2-The only way to authenticate computer AND the user name is by using the feature of the controller of machine authentication?
Cheers
Carlos
Product Manager - Aruba Networks
Alternetworks Corp
Re: EAP TLS SSO
05-05-2014 01:51 PM
NightShade1 wrote:
Hello Colin
I tested and it seems to work!
2 more questions
1-There is no way to make the name rather than the computer name on the client list when authenticating with the computer?
host/pcname.domain.local - You would have to distribute a client certificate to each computer and allow user and computer authentication. Unfortunately, each user would have to have logged into the computer once on the wired network to obtain an EAP-TLS certificate before getting onto the wireless for the first time.
2-The only way to authenticate computer AND the user name is by using the feature of the controller of machine authentication? - You can, using Group Policy, set up the computer to authenticate the user and computer without configuring anything on the controller. The user would have to already have had an EAP-TLS certificate distributed to the machine, like I mentioned in question #1.
Cheers
Carlos
Colin Joseph
Aruba Customer Engineering
Re: EAP TLS SSO
05-05-2014 02:12 PM
Hello Colin
On the computer I do have a user certificate
on mmc --> add snap-in --> Certificate add --> my user account --> on personal folder, I already have a certificate for the user which is using a client authentication template
Also I already have a computer certificate
on mmc --> add snap-in --> Certificate add --> my computer account --> on personal folder, I already have a certificate for the computer which is using a machine authentication template
In the configuration on my computer I have "authenticate user or computer authentication".
Where do I tell it to authenticate machine AND user?
On the RADIUS server?
On the network policy do I build one single rule which contains one condition which contains the domain users
And another condition which contains domain computers?
If I test it individually, I mean just computer authentication works fine... or just user authentication....
Cheers
Carlos
Product Manager - Aruba Networks
Alternetworks Corp
Re: EAP TLS SSO
05-05-2014 02:14 PM
NightShade1 wrote:
Hello Colin
On the computer I do have a user certificate
on mmc --> add snap-in --> Certificate add --> my user account --> on personal folder, I already have a certificate for the user which is using a client authentication template
Also I already have a computer certificate
on mmc --> add snap-in --> Certificate add --> my computer account --> on personal folder, I already have a certificate for the computer which is using a machine authentication template
In the configuration on my computer I have "authenticate user or computer authentication".
Where do I tell it to authenticate machine AND user? - You only need to allow it on the RADIUS server.
On the RADIUS server? The RADIUS server only uses the username from the certificate, so as long as you are allowing logins from the AD group of the user, it should allow you to authenticate
On the network policy do I build one single rule which contains one condition which contains the domain users - Correct.
And another condition which contains domain computers? Correct x2
If I test it individually, I mean just computer authentication works fine... or just user authentication....
Cheers
Carlos
Colin Joseph
Aruba Customer Engineering
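
Added example (not part of the original posts and not Aruba or Microsoft code): the client-side "authenticate user or computer" setting discussed in this thread is stored as the 802.1X authMode value in a Windows WLAN profile, so a profile exported with netsh wlan export profile can be checked for the EAP type and for whether the PC joins the network before logon. The profile XML is a constructed sample and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

EAP_TYPES = {"13": "EAP-TLS", "25": "PEAP"}  # IANA EAP method type numbers
# What each 802.1X authMode value presents, and whether the PC is on the
# network before anyone logs on (required for logon scripts to run).
AUTH_MODES = {
    "machine": ("computer certificate only", True),
    "user": ("user certificate only", False),
    "machineOrUser": ("computer before logon, user after logon", True),
}

# Constructed sample profile, trimmed to the elements this check reads.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>corp-wifi</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod>
        <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
      </EapMethod></EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""

def _first_text(root, local_name):
    """Text of the first element with this tag name, ignoring XML namespaces."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            return (el.text or "").strip()
    return None

def audit_profile(xml_text):
    """Summarise which identity a profile sends and when (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    mode = _first_text(root, "authMode")
    eap_type = _first_text(root, "Type")
    identity, pre_logon = AUTH_MODES.get(mode, ("unknown or not set", False))
    return {
        "profile": _first_text(root, "name"),
        "eap": EAP_TYPES.get(eap_type, f"EAP type {eap_type}"),
        "auth_mode": mode,
        "identity_sent": identity,
        "network_before_logon": pre_logon,
    }

if __name__ == "__main__":
    for key, value in audit_profile(SAMPLE_PROFILE).items():
        print(f"{key}: {value}")
```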