Wireless Access

You can use EAP-TLS with machine authentication.

Hello Collin

If i do eap tls with machine authentication that means i would need to enable the machine authentication on the controller?

Cheers

Carlos

Anyone???

Cheers

Carlos

No.

You do not need to configure anything on the controller, except define a radius server.  On the radius server is where you decide what users or machines to allow authentication based on AD Groups.

Thank you

Ill do some testing then

Cheers

Carlos

Hello Collin

I tested and it seems to work!

2 More questions

1-There is no way to make the name rather than the computer name on the client list? when authenticating with the computer?

host/pcname.domain.local

2-The only way to authenticate computer AND the user name its by using the feature of the controller of machine authentication?

Cheers

Carlos

---

NightShade1 wrote:

Hello Collin

I tested and it seems to work!

2 More questions

 

1-There is no way to make the name rather than the computer name on the client list? when authenticating with the computer?

host/pcname.domain.local - You would have to distribute a Client Certificate to each computer and allow user and computer authentication.  Unfortunately, each user would have to had logged into the computer once on the wired network to obtain an EAP-TLS certificate before getting onto the wireless for the frist time.

2-The only way to authenticate computer AND the user name its by using the feature of the controller of machine authentication?  - You  can using group policy setup the computer to authenticate the user and computer without configuring anything on the controller.  The user would have to already have had an eap-TLS certificate distributed to the machine, like I mentioned in question #1.

 

Cheers

Carlos

---

Hello Collin

On the computer i do have a user certificate

on  mmc-->add snap in --->Certificate add ---> my user account---> con personal folder, i already got  a certificate for user which is using a client authentication template

Also i already got a computer certificate

on  mmc-->add snap in --->Certificate add ---> my computer account---> con personal folder, i already got  a certificate for computer which is using a machinet authentication template

On the configuration on my computer i got authenticate user or computer authetnication.

Where do i tell it to authenticate Machine AND user

On the radius server?

On network policiy do a build one single rule which contain one condition which contains the domain users

And another condition which contain domain computers?

If i test it individually i mean just computer authetnication works fine... or just user authentication....

Cheers

Carlos

---

NightShade1 wrote:

Hello Collin

On the computer i do have a user certificate

on  mmc-->add snap in --->Certificate add ---> my user account---> con personal folder, i already got  a certificate for user which is using a client authentication template

 

Also i already got a computer certificate

on  mmc-->add snap in --->Certificate add ---> my computer account---> con personal folder, i already got  a certificate for computer which is using a machinet authentication template

 

On the configuration on my computer i got authenticate user or computer authetnication.

 

Where do i tell it to authenticate Machine AND user - You only need to allow it on the radius server.

On the radius server? The radius server only uses the username from the certificate, so as long as you are allowing logins from the AD group of the user, it should allow you to authenticate

On network policiy do a build one single rule which contain one condition which contains the domain users - Correct.

And another condition which contain domain computers?  Correct x2

 

 

If i test it individually i mean just computer authetnication works fine... or just user authentication....

 

Cheers

Carlos

 

---