05-10-2017 06:16 AM
Today my brain stopped working and now I need some external input.
A customer wants an SSID which checks for a device certificate and the group membership of the user instead of the computer's group membership.
All the computers have a certificate from a MS CA and the RADIUS is a MS NPS.
Right now the clients authenticate using the device certificate and every domain computer is able to connect to the SSID (the clients are configured for EAP-TLS or PEAP w/ EAP-TLS).
How can I check the Username (or user certificate) as a 2nd factor?
ACMP + ACCP
05-10-2017 06:20 AM
05-10-2017 07:22 AM
So the only option would be to check for the user certificate, with the knowledge that only users on an AD-registered machine would get a certificate, right?
To allow logon, the device also needs a device certificate, and the computer would switch the certificate/profile while a user is logging in.
Is this the correct thought?
ACMP + ACCP
05-10-2017 11:50 AM
You can enable "Enforce machine auth" on the 1x auth profile.
- default machine role = role machine (specific ACL or logon)
- default user role = role user (specific ACL or logon)
and on the AAA profile, 1x default role = Company user role (full access);
and then combine it with a ServerGroup server rule, to put a specific group into a specific user role.
This can be applied if all clients are domain machines; non-domain machines won't be authenticated at all.
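A worked ArubaOS CLI version of the setup described in the post above, added here as an illustration (it is not code from the original thread or from Aruba documentation). All profile, role, server and group names, the RADIUS host and the shared secret are made up, and it assumes the NPS network policy for the "Finance" AD group returns that group name in the RADIUS Class attribute, which the server-group rule then matches:

```text
! 802.1X profile: machine auth must succeed before a later user auth
! is trusted; otherwise the user lands in the restricted user-default-role
aaa authentication dot1x "dot1x-machine-user"
   machine-authentication enable
   machine-authentication machine-default-role "machine-role"
   machine-authentication user-default-role "user-role"
!
! Roles referenced above. "logon-control" and "allowall" are built-in
! session ACLs; the role names are hypothetical.
user-role "machine-role"
   access-list session "logon-control"
user-role "user-role"
   access-list session "logon-control"
user-role "company-user"
   access-list session "allowall"
user-role "finance-user"
   access-list session "allowall"
!
! MS NPS as RADIUS server (host and key are placeholders)
aaa authentication-server radius "nps-01"
   host 10.0.0.5
   key "radius-shared-secret"
!
! Server group with a derivation rule: AD group -> controller role.
! Assumes the NPS policy for the Finance group sets Class = "Finance".
aaa server-group "nps-group"
   auth-server "nps-01"
   set role condition "Class" contains "Finance" set-value "finance-user"
!
! AAA profile tying it together; dot1x-default-role is the role for a
! user whose machine and user auth both passed and no server rule matched
aaa profile "corp-aaa"
   authentication-dot1x "dot1x-machine-user"
   dot1x-default-role "company-user"
   dot1x-server-group "nps-group"
```

With this in place the outcomes are: machine certificate only (nobody logged in) gives "machine-role"; a user logging in on a machine whose machine auth succeeded gets "company-user", or "finance-user" when the Class rule matches; a user authentication that is not preceded by a successful machine authentication (for example a domain user on a non-domain laptop) gets "user-role", which here is only logon-control. For this to work the NPS side needs network policies that accept both the computer certificate and the user certificate, and the Windows supplicant must be set to "User or computer authentication" so it actually performs both.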