Wireless Access


EAP TLS SSO

Has anyone done any workaround for this?

I got a client which needs to do SSO like with EAP PEAP, which is possible.

He runs a script, but the device needs to authenticate before the user logs in, in Windows... it needs to run the script, and if it does not have single sign-on, the script cannot run because it is not in the network yet.

When he had SSO with EAP PEAP with single sign-on configured on the Windows supplicant, everything worked pretty well, but now that he moved to EAP TLS for more security, EAP TLS lacks single sign-on on the Windows supplicant, like it says in the Microsoft document http://support.microsoft.com/kb/2717916

Has anyone encountered this issue? Any workaround for it?

 

Cheers

Carlos

 

 

 

 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite

Re: EAP TLS SSO

You can use EAP-TLS with machine authentication.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Re: EAP TLS SSO

Hello Colin

If I do EAP TLS with machine authentication, that means I would need to enable the machine authentication on the controller?

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp

Re: EAP TLS SSO

Anyone???

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite

Re: EAP TLS SSO

No.

 

You do not need to configure anything on the controller, except define a RADIUS server. The RADIUS server is where you decide which users or machines to allow to authenticate, based on AD groups.

 



Colin Joseph
Aruba Customer Engineering


Re: EAP TLS SSO

Thank you

I'll do some testing then

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp

Re: EAP TLS SSO

Hello Colin

I tested and it seems to work!

2 more questions

1- There is no way to make the name rather than the computer name on the client list when authenticating with the computer?

host/pcname.domain.local

2- The only way to authenticate the computer AND the user name is by using the controller's machine authentication feature?

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite

Re: EAP TLS SSO


NightShade1 wrote:

Hello Colin

I tested and it seems to work!

2 more questions

1- There is no way to make the name rather than the computer name on the client list when authenticating with the computer?

host/pcname.domain.local - You would have to distribute a client certificate to each computer and allow user and computer authentication. Unfortunately, each user would have to have logged into the computer once on the wired network to obtain an EAP-TLS certificate before getting onto the wireless for the first time.

2- The only way to authenticate the computer AND the user name is by using the controller's machine authentication feature? - You can, using group policy, set up the computer to authenticate the user and computer without configuring anything on the controller. The user would have to already have had an EAP-TLS certificate distributed to the machine, like I mentioned in question #1.

 

Cheers

Carlos


 



Colin Joseph
Aruba Customer Engineering


Re: EAP TLS SSO

Hello Colin

On the computer I do have a user certificate

on mmc --> add snap-in --> Certificate add --> my user account --> on personal folder, I already got a certificate for the user which is using a client authentication template

Also I already got a computer certificate

on mmc --> add snap-in --> Certificate add --> my computer account --> on personal folder, I already got a certificate for the computer which is using a machine authentication template

In the configuration on my computer I got authenticate user or computer authentication.

Where do I tell it to authenticate machine AND user

On the RADIUS server?

On network policy, do I build one single rule which contains one condition which contains the domain users

And another condition which contains domain computers?

If I test it individually, I mean just computer authentication works fine... or just user authentication....

 

Cheers

Carlos

 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite

Re: EAP TLS SSO


NightShade1 wrote:

Hello Colin

On the computer I do have a user certificate

on mmc --> add snap-in --> Certificate add --> my user account --> on personal folder, I already got a certificate for the user which is using a client authentication template

Also I already got a computer certificate

on mmc --> add snap-in --> Certificate add --> my computer account --> on personal folder, I already got a certificate for the computer which is using a machine authentication template

In the configuration on my computer I got authenticate user or computer authentication.

Where do I tell it to authenticate machine AND user - You only need to allow it on the RADIUS server.

On the RADIUS server? The RADIUS server only uses the username from the certificate, so as long as you are allowing logins from the AD group of the user, it should allow you to authenticate.

On network policy, do I build one single rule which contains one condition which contains the domain users - Correct.

And another condition which contains domain computers? Correct x2

If I test it individually, I mean just computer authentication works fine... or just user authentication....

 

Cheers

Carlos

 


 



Colin Joseph
Aruba Customer Engineering
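
A client-side check for the supplicant setting discussed in this thread, as an added example that is not part of the original posts: it reads a Windows WLAN profile (the XML written by `netsh wlan export profile`) and reports whether the profile authenticates the machine, the user, or both, and whether the EAP method is EAP-TLS. The sample profile and the SSID "corp-wifi" are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
      "onex": "http://www.microsoft.com/networking/OneX/v1",
      "host": "http://www.microsoft.com/provisioning/EapHostConfig",
      "eap": "http://www.microsoft.com/provisioning/EapCommon"}
EAP_NAMES = {"13": "EAP-TLS", "25": "PEAP"}  # IANA EAP method type numbers

# Constructed sample (hypothetical SSID "corp-wifi"), trimmed to what the check reads.
SAMPLE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>corp-wifi</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>user</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod>
            <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
          </EapMethod>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""

def audit_profile(xml_text):
    """Return (profile name, authMode, EAP method, findings) for one profile."""
    root = ET.fromstring(xml_text)
    name = root.findtext("wlan:name", default="?", namespaces=NS)
    onex = root.find(".//onex:OneX", NS)
    if onex is None:
        return name, None, None, ["profile does not use 802.1X"]
    mode = onex.findtext("onex:authMode", namespaces=NS)
    eap_type = onex.findtext(".//host:EapMethod/eap:Type", namespaces=NS)
    method = EAP_NAMES.get((eap_type or "").strip(), f"EAP type {eap_type}")
    findings = []
    if mode == "user":
        findings.append("user-only: no 802.1X session before logon, "
                        "so logon scripts cannot reach the network")
    elif mode == "machine":
        findings.append("machine-only: sessions always appear as host/<pcname>")
    elif mode != "machineOrUser":
        findings.append(f"authMode is {mode!r}; check the effective setting")
    if method != "EAP-TLS":
        findings.append(f"{method} configured, expected EAP-TLS")
    return name, mode, method, findings

if __name__ == "__main__":
    print(audit_profile(SAMPLE))
```

A profile with `machineOrUser` and EAP type 13 returns no findings, which matches the setup described above: the computer certificate is used before logon and the user certificate afterwards.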
