01-27-2017 07:57 AM
With Machine+User auth on WLAN there is a chicken and egg scenario, where if a user hasn't connected to the domain on a device, then their user cert won't exist on the device yet, so they can't connect. They need to sign in to get the cert. I've done some looking around and haven't seen any solid workaround outside of different authentication methods, but I had an idea I wanted some feedback on.
Is there a way to do Machine + user auth, but if the user auth fails, allow limited access with machine auth so that the user certificate can be generated? The certificate is generated almost instantly, so we can do a re-auth after a short time period (5s), with machine and user auth again.
I'm not sure if this is possible to set up, so I'm hoping to spitball ideas, and hear what others have done for this situation.
01-27-2017 08:05 AM
Most organizations just use machine authentication with eap-tls.
The user still has to get into the machine and domain with domain credentials. It mirrors the security of the wired network.
Aruba Customer Engineering
01-30-2017 10:44 AM
I've been considering moving to just machine auth with EAP-TLS. It would definitely make this easier for the multi-user devices.
I'd still, however, like some enforcement policies to apply based on their AD memberships. Is there a way for ClearPass to pick up the user info when they sign in to the domain (using their sign-in credentials on initial login, or their user cert once generated)? I'm not sure how I'd get ClearPass to detect that, if it's possible.
01-30-2017 10:53 AM
Yes, you can use Computer + User and leverage attributes from each of them for policy evaluation.
Something to consider: It's generally not recommended to use EAP-TLS on AD joined machines if you want user based identity + machine authentication. A new user who logs in will not be able to connect to the network because the local machine does not have a copy of their user certificate. In this scenario, consider using PEAPv0/EAP-MSCHAPv2 with a properly configured supplicant via GPO.
01-30-2017 11:06 AM
You got it Tim, that's the current setup I have and the issue I'm trying to get around.
You suggest PEAPv0 or MSCHAPv2. How would that deployment look from the user's perspective? I've enjoyed EAP-TLS so far as it's seamless and requires nothing from the user, except for first-time sign-in on the occasional multi-user device. If PEAP/MSCHAP fills this problem while remaining seamless I'd love to hear more.
01-30-2017 11:17 AM
The problem with EAP-TLS in this environment is the computer will switch to the user context before it can download the user's cert.
01-30-2017 11:25 AM
This seems like something I missed that may have been better to deploy with. I'll get a test environment up and give it a go.
For a user that is already signed in to the domain, and then changes connection to the WLAN, will they be required to enter their credentials, or is it pulled automatically in the PEAPv0/EAP-MSCHAPv2 request?
You also mentioned a properly configured supplicant via GPO. Do you mean the 802.1X settings pushed to these devices from GPO?
01-30-2017 11:28 AM