Wireless Access

Occasional Contributor II

EAP-TLS User or computer authentication in windows 7

Hello guys,

I have a question regarding EAP-TLS authentication in Windows 7.

We have students connecting to our network with domain computers.

Sometimes, the teachers for different reasons want to block the students' Internet connection.

The teachers have a web interface where they can choose which students/class they want to block, and then those students are moved to an Active Directory group (“CLOSE-INTERNET”). Today we achieve this with a proxy server and Active Directory, where all clients have to authenticate with their domain credentials.

Now we want to move away from using a proxy, and make Aruba ClearPass and the Aruba Mobility Controller do this job.

To achieve this, we have configured the student computers to authenticate with 802.1X “User or computer authentication”, and we are deploying machine and user certificates through group policy and a Windows certificate authority server. This way we can see which user is logged on to the computer on the AMC, and the computer endpoint has the correct username attribute in ClearPass. So far so good.

After testing this for a while, I see that users who log on to the computer for the first time get disconnected from the network after logging into Windows. I was thinking the user certificate would be deployed when the user logged on to Windows, but this does not work. The computer gets online after it boots up, some seconds after the user has typed in the credentials and pushed Enter (using the machine certificate), then it suddenly drops the connection, because the group policy is set to switch to the user certificate.

Has anyone else experienced this problem, and solved it? Is it even possible?

Does anyone have a workaround?

I know it will work if we put the PC on a non-802.1X switch port and have the user log on, but with over 10000 students and very few switch ports, that is not a good enough solution.

I appreciate any help on this!

Guru Elite

Re: EAP-TLS User or computer authentication in windows 7

Do you see the user authentication request in ClearPass?


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: EAP-TLS User or computer authentication in windows 7

No, the user has nothing to authenticate with, so there is no request in ClearPass.

Guru Elite

Re: EAP-TLS User or computer authentication in windows 7

After login, can you confirm that there is a user certificate in the user's cert store?


Thanks,
Tim

Occasional Contributor II

Re: EAP-TLS User or computer authentication in windows 7

No, there is not a user cert in the user's certificate store; that is the main problem here. The authentication method is switched from computer to user before a user certificate is issued.

Guru Elite

Re: EAP-TLS User or computer authentication in windows 7

Armyboy,

It is not advised to use EAP-TLS with user authentication for multi-user devices due to the chicken-and-egg scenario that you are now experiencing. New users who have never logged in will not have a certificate, because their connection depends on a certificate they do not have yet. The distribution of that certificate also relies on a user connection that cannot be completed without a certificate. You should use EAP-PEAP instead in an environment with multi-user devices.

I would say use machine-only authentication with EAP-TLS, but the user authentication would not be seen or recorded in ClearPass and the teacher would not be able to differentiate users.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

Re: EAP-TLS User or computer authentication in windows 7

Thank you for clarifying that, cjoseph.

What do you think about the following workaround:

We have two SSIDs, one with computer and user authentication (EAP-TLS), and one (hidden?) with computer-only authentication.

If the client doesn't have a user certificate, it will connect to the computer-auth SSID, and stay there until it has received the user certificate from the CA. Then, when the client has what it needs to use the computer-and-user-auth SSID, it will reconnect to it.

I think this would be possible to do with group policy, but I will have to test it in my lab.

Any thoughts on this solution?

Guru Elite

Re: EAP-TLS User or computer authentication in windows 7

Armyboy,

It would not work that way. There is no way for the infrastructure to force a computer to go from one SSID to another. Having two SSIDs makes it too complicated. I would just use machine-only authentication if you absolutely need to use EAP-TLS.

Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

Re: EAP-TLS User or computer authentication in windows 7

This was the final solution for this problem:

In the Windows group policy:

Enable single sign-on for this network
Perform immediately before user logon
Max delay for connectivity: 60 seconds

On the controller I changed the following settings:

Number of times ID-Requests are retried: from 5 to 10
Maximum Number of Reauthentication Attempts: from 3 to 10
Quiet Period after Failed Authentication: from 30 to 5 sec

This has been in production for about two months now, and is working well. In most cases the user gets the user certificate while connecting with the machine certificate; sometimes the computer has to be restarted to make it work.
