Wireless Water Cooler

I’m not sure where to ask this.

Can you have an 802.1x EAP-TLS AND validate user credentials using a NPS radius server?

Here’s why I ask…

I do the wireless networking setup and another group does the windows / NPS server side of things. I thought we required the cert and validated the user credentials. (I’m sure I tested this ) but I just tested it and I got on using only the cert and I’m being told that is “how EAP-TLS works!” No user credentials required.

I want to require both user credentials and certificate. Is this possible?

You cannot.  You can have a network rule that can authenticate certificate OR username and password, but not both.

Thank you!

Would you happen to know if this is possible if we were using clearpass as our radius server?

No, for two reasons:

1.  Most supplicants will only allow you to authenticate Either Certificates OR username and password.  A few custom supplicants will allow you to do a combination of username and password, smartcard and certificate, etc, but they cost money.

2.  Most radius servers like clearpass can only service a single EAP type at a time, but a custom supplicant can make them authenticate one or the other.  Highly secure environments deploy this, but they are expensive to deploy and complicated to install and maintain.

Thank you sir!