Wireless Access

Contributor II

SSID with User- and Device-based authentication

Today my brain stopped working and now I need some external input.

A customer wants an SSID which checks for a device certificate and the group membership of the user instead of the computer's group membership.

All the computers have a certificate from a MS CA and the RADIUS is a MS NPS.

Right now the clients authenticate using the device certificate and every domain computer is able to connect to the SSID (the clients are configured for EAP-TLS or EAP-PEAP w/ EAP-TLS).

How can I check the username (or user certificate) as a 2nd factor?


Sven
ACMX #754, ACCX #726, ACSA
Guru Elite

Re: SSID with User- and Device-based authentication

You would need an advanced policy engine like ClearPass for something like this.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: SSID with User- and Device-based authentication

So the only option would be to check for the user certificate, with the knowledge that only users on an AD-registered machine would get a certificate, right?

To allow logon, the device also needs a device certificate and the computer would switch the certificate/profile while a user is logging in.

Is this the correct thought?


Sven
ACMX #754, ACCX #726, ACSA
Frequent Contributor I

Re: SSID with User- and Device-based authentication

You can enable "Enforce machine auth" on the 1x auth profile.

- default machine role = role machine (specific ACL or logon)

- default user role = role user (specific ACL or logon)

and on AAA, 1x default role = Company user role (full access);

and then combine it with a ServerGroup server rule to map a specific group to a specific user role.

This can be applied if all clients are domain machines; non-domain machines won't be authenticated at all.

--Yopi--
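As an added illustration of the setup Yopi describes (not taken from this thread or from Aruba's documentation), an ArubaOS controller CLI fragment; the profile, server-group, server and role names are placeholders, and the NPS network policy is assumed to return the user's AD group name in the RADIUS Class attribute so the server rule can match it. Lines starting with "!" are explanatory annotations, not CLI commands.

```text
! 802.1X profile: machine auth must be cached before the user auth gives full access
aaa authentication dot1x "dot1x-machine-user"
   machine-authentication enable
   ! device certificate passed, no user logged on yet -> restricted role
   machine-authentication machine-default-role "machine"
   ! user passed, but no cached machine auth (e.g. non-domain device) -> restricted role
   machine-authentication user-default-role "user-only"
   ! hours a successful machine auth is remembered for that client
   machine-authentication cache-timeout 24

! server group pointing at NPS, with a rule that maps a returned AD group to a role
aaa server-group "nps-group"
   auth-server "nps01"
   set role condition Class contains "SG-Wifi-Finance" set-value "finance-user"

! AAA profile: both factors passed and no server rule matched -> company role
aaa profile "aaa-machine-user"
   authentication-dot1x "dot1x-machine-user"
   dot1x-server-group "nps-group"
   dot1x-default-role "company-user"
```

Only a client that passed machine authentication (cached) and then user authentication reaches "company-user" or a rule-derived role; either factor alone lands in one of the two restricted default roles.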

 

 
