Community Home > Discuss > Technology > Wireless Access > EAP TLS SSO

Wireless Access

Reply
MVP
MVP
cdelarosa

EAP TLS SSO

‎04-07-2014 02:50 PM

Has anyone done any workaround for this?

I got a clietn which need to do a SSO  like with  EAP PEAP which is possible.

He runs a scritp  but the device need to authenticate before the user log in, in windows... it need to run a script the scritp, and if it does not have the single sign on, the script cannot run because is not int he network yet..  

When he had SSO with EAP PEAP with single sign on configured on windows supplicant,  everything worked pretty good but now that he moved to EAP TLS for more security, now the EAP TLS lack of Single sign on on the windows suplicant  like it says on microsoft document http://support.microsoft.com/kb/2717916

 

Has anyone encounter this issue? any workd aroudn for it?

 

Cheers

Carlos

 

 

 

 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Alert a Moderator
Message 1 of 11
1,920 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cjoseph

Re: EAP TLS SSO

‎04-07-2014 06:56 PM

You can use EAP-TLS with machine authentication.

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Alert a Moderator
Message 2 of 11
1,875 Views
Reply
0 Kudos
MVP
MVP
cdelarosa

Re: EAP TLS SSO

‎04-23-2014 10:27 AM

Hello Collin

If i do eap tls with machine authentication that means i would need to enable the machine authentication on the controller?

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Alert a Moderator
Message 3 of 11
1,752 Views
Reply
0 Kudos
MVP
MVP
cdelarosa

Re: EAP TLS SSO

‎04-24-2014 02:27 PM

Anyone???

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Alert a Moderator
Message 4 of 11
1,738 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cjoseph

Re: EAP TLS SSO

‎04-24-2014 02:33 PM - edited ‎04-24-2014 02:34 PM

No.

 

You do not need to configure anything on the controller, except define a radius server.  On the radius server is where you decide what users or machines to allow authentication based on AD Groups.

 

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Alert a Moderator
Message 5 of 11
1,736 Views
Reply
MVP
MVP
cdelarosa

Re: EAP TLS SSO

‎04-24-2014 02:34 PM

Thank you

Ill do some testing then

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Alert a Moderator
Message 6 of 11
1,733 Views
Reply
0 Kudos
MVP
MVP
cdelarosa

Re: EAP TLS SSO

‎05-05-2014 01:39 PM

Hello Collin

I tested and it seems to work!


2 More questions

 

1-There is no way to make the name rather than the computer name on the client list? when authenticating with the computer?

host/pcname.domain.local

2-The only way to authenticate computer AND the user name its by using the feature of the controller of machine authentication?

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Alert a Moderator
Message 7 of 11
1,643 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cjoseph

Re: EAP TLS SSO

‎05-05-2014 01:51 PM

NightShade1 wrote:

Hello Collin

I tested and it seems to work!


2 More questions

 

1-There is no way to make the name rather than the computer name on the client list? when authenticating with the computer?

host/pcname.domain.local - You would have to distribute a Client Certificate to each computer and allow user and computer authentication.  Unfortunately, each user would have to had logged into the computer once on the wired network to obtain an EAP-TLS certificate before getting onto the wireless for the frist time.

2-The only way to authenticate computer AND the user name its by using the feature of the controller of machine authentication?  - You  can using group policy setup the computer to authenticate the user and computer without configuring anything on the controller.  The user would have to already have had an eap-TLS certificate distributed to the machine, like I mentioned in question #1.

 

Cheers

Carlos

 

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Alert a Moderator
Message 8 of 11
1,640 Views
Reply
0 Kudos
MVP
MVP
cdelarosa

Re: EAP TLS SSO

‎05-05-2014 02:12 PM

Hello Collin

On the computer i do have a user certificate

on  mmc-->add snap in --->Certificate add ---> my user account---> con personal folder, i already got  a certificate for user which is using a client authentication template

 

Also i already got a computer certificate

on  mmc-->add snap in --->Certificate add ---> my computer account---> con personal folder, i already got  a certificate for computer which is using a machinet authentication template

 

On the configuration on my computer i got authenticate user or computer authetnication.

 

Where do i tell it to authenticate Machine AND user

On the radius server?

On network policiy do a build one single rule which contain one condition which contains the domain users

And another condition which contain domain computers?

 

 

If i test it individually i mean just computer authetnication works fine... or just user authentication....

 

Cheers

Carlos

 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Alert a Moderator
Message 9 of 11
1,638 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cjoseph

Re: EAP TLS SSO

‎05-05-2014 02:14 PM

NightShade1 wrote:

Hello Collin

On the computer i do have a user certificate

on  mmc-->add snap in --->Certificate add ---> my user account---> con personal folder, i already got  a certificate for user which is using a client authentication template

 

Also i already got a computer certificate

on  mmc-->add snap in --->Certificate add ---> my computer account---> con personal folder, i already got  a certificate for computer which is using a machinet authentication template

 

On the configuration on my computer i got authenticate user or computer authetnication.

 

Where do i tell it to authenticate Machine AND user - You only need to allow it on the radius server.

On the radius server? The radius server only uses the username from the certificate, so as long as you are allowing logins from the AD group of the user, it should allow you to authenticate

On network policiy do a build one single rule which contain one condition which contains the domain users - Correct.

And another condition which contain domain computers?  Correct x2

 

 

If i test it individually i mean just computer authetnication works fine... or just user authentication....

 

Cheers

Carlos

 

 

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Alert a Moderator
Message 10 of 11
1,636 Views
Reply
0 Kudos
Search Airheads
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

© Copyright 2018 Hewlett Packard Enterprise Development LP
All Rights Reserved.
Powered by Lithium