Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

SSID with User- and Device-based authentication

  • 1.  SSID with User- and Device-based authentication

    Posted May 10, 2017 09:17 AM

    Today my brain stopped working and now I need some external input.

    A customer wants an SSID which checks for a device certificate and the group membership of the user instead of the computer's group membership.

    All the computers have a certificate from an MS CA and the RADIUS server is an MS NPS.

    Right now the clients authenticate using the device certificate and every domain computer is able to connect to the SSID (the clients are configured for EAP-TLS or EAP-PEAP w/ EAP-TLS).

    How can I check the username (or user certificate) as a 2nd factor?



  • 2.  RE: SSID with User- and Device-based authentication

    EMPLOYEE
    Posted May 10, 2017 09:20 AM
    You would need an advanced policy engine like ClearPass for something like this.


  • 3.  RE: SSID with User- and Device-based authentication

    Posted May 10, 2017 10:23 AM

    So the only option would be to check for the user certificate, with the knowledge that only users on an AD-registered machine would get a certificate, right?

    To allow logon, the device also needs a device certificate, and the computer would switch the certificate/profile while a user is logging in.

    Is this the correct thought?



  • 4.  RE: SSID with User- and Device-based authentication

    Posted May 10, 2017 02:51 PM

    You can enable "Enforce machine auth" on the 1x auth profile.

    - default machine role = role machine (specific ACL or logon)

    - default user role = role user (specific ACL or logon)

    and on AAA, 1x default role = Company user role (full access);

    and then combine it with a ServerGroup Server Rule to put a specific group into a specific user role.

    This can be applied if all clients are domain machines; non-domain machines won't be authenticated at all.

    --Yopi--
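To make the decision matrix in the reply above concrete, here is a small Python model of how "enforce machine auth" combines the cached machine (computer certificate) result, the later user result and the RADIUS group attribute into a role. This is an added example written for this thread, not code from the poster or from HPE Aruba Networking; the role names, the group values, the 24-hour machine-auth cache and the `SERVER_RULES` mapping are all assumptions chosen to mirror the post, and the sample events are constructed.

```python
from dataclasses import dataclass

# Role names are assumptions chosen to mirror the post; they are not ArubaOS defaults.
MACHINE_DEFAULT_ROLE = "role-machine"   # machine auth passed, user auth not (yet) passed
USER_DEFAULT_ROLE = "role-user"         # user auth passed on a device with no cached machine auth
DOT1X_DEFAULT_ROLE = "company-user"     # both passed and no server rule matched (full access)
MACHINE_AUTH_CACHE_HOURS = 24.0         # how long a successful machine auth is remembered (assumed)

# Server-group server rules: RADIUS group value -> role (assumed mapping).
SERVER_RULES = {
    "CN=Finance": "finance-user",
    "CN=IT-Admins": "it-admin",
}


@dataclass
class AuthEvent:
    mac: str             # client MAC, the key the controller caches machine auth on
    kind: str            # "machine" (computer certificate) or "user"
    success: bool        # did NPS accept the credential?
    groups: tuple = ()   # group values NPS returned (e.g. in a RADIUS Class attribute)
    time_h: float = 0.0  # event time in hours on a constructed clock


class RoleDerivation:
    """Derives the role the way the 'enforce machine auth' reply describes it."""

    def __init__(self):
        self._machine_ok = {}   # mac -> time of last successful machine auth

    def _machine_cached(self, mac, now_h):
        ts = self._machine_ok.get(mac)
        return ts is not None and now_h - ts <= MACHINE_AUTH_CACHE_HOURS

    def derive(self, ev):
        """Return the role to assign, or None when the client is denied."""
        if ev.kind == "machine":
            if ev.success:
                self._machine_ok[ev.mac] = ev.time_h
                return MACHINE_DEFAULT_ROLE
            self._machine_ok.pop(ev.mac, None)
            return None
        if ev.kind != "user":
            raise ValueError(f"unknown auth kind {ev.kind!r}")
        machine_ok = self._machine_cached(ev.mac, ev.time_h)
        if not ev.success:
            # user failed: a machine-authenticated device keeps the restricted machine role
            return MACHINE_DEFAULT_ROLE if machine_ok else None
        if not machine_ok:
            # valid user, but the device never proved a domain computer certificate
            return USER_DEFAULT_ROLE
        # both factors passed: server rule on the group wins, else the 1x default role
        for group in ev.groups:
            if group in SERVER_RULES:
                return SERVER_RULES[group]
        return DOT1X_DEFAULT_ROLE


def run(events):
    """Feed a sequence of auth events through one controller and return the roles."""
    rd = RoleDerivation()
    return [rd.derive(ev) for ev in events]


# Constructed sample: a domain laptop boots (machine auth) and its user logs in,
# then a personal device presents only valid user credentials, then the laptop's
# cached machine auth has expired when the user reconnects.
SAMPLE_EVENTS = [
    AuthEvent("00:11:22:33:44:55", "machine", True, time_h=0.0),
    AuthEvent("00:11:22:33:44:55", "user", True, ("CN=Finance",), time_h=0.1),
    AuthEvent("66:77:88:99:aa:bb", "user", True, ("CN=Finance",), time_h=0.2),
    AuthEvent("66:77:88:99:aa:bb", "user", False, time_h=0.3),
    AuthEvent("00:11:22:33:44:55", "user", True, ("CN=Finance",), time_h=30.0),
]

if __name__ == "__main__":
    for ev, role in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{ev.mac} {ev.kind:7} ok={ev.success!s:5} -> {role}")
```

The third and fifth events are the ones that matter for the original question: a device that cannot show a domain computer certificate, or whose machine auth has aged out of the cache, lands in the restricted user default role even with valid domain user credentials, so the "second factor" is enforced by the role assignment rather than by NPS alone. When checking such a design, make sure the machine and user default roles really are restricted (for example logon-only ACLs) and that the cache timeout matches how often the clients reboot.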