Security

last person joined: 10 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

EAP-TLS user & machine auth + local admin account

This thread has been viewed 30 times
  • 1.  EAP-TLS user & machine auth + local admin account

    Posted Jun 01, 2021 01:01 PM

    Hi guys,

    I'm wondering if anyone knows about a workaround for an issue I stumbled across lately.

    I'm currently using EAP-TLS for Windows devices with machine + user authentication on the wired side. All is working well and both certificates are authenticating fine.The Windows authentication profiles are pushed by GPO.

    When @ the login prompt, I machine auth successfully and then my problem is when I log in with the local admin account. Since this account is not part of AD, it has no user certificate enrolled. I would expect a method to tell the Windows PC that if no user cert exist in the store, fallback to machine certificate even if a user session is logged in. Since settings are managed by GPO, its greyed out and impossible to modify. Then my only options seems to be either having a generic user cert on a USB stick or use netsh to modify profile with a script and override GPO.

    Anyone had this problem and found a setting to overcome it?

    Thanks :)



    ------------------------------
    Maxime Mourand
    ------------------------------


  • 2.  RE: EAP-TLS user & machine auth + local admin account

    Posted Jun 01, 2021 04:10 PM
    No, you'd need to just use machine-based identity (which is the recommended deployment model).

    ------------------------------
    Tim C
    ------------------------------



  • 3.  RE: EAP-TLS user & machine auth + local admin account

    Posted Jun 02, 2021 12:49 PM
    Hi Tim C,

    Please can you shine more light on what you mean by Machine-based identity? 

    Honestly, I am very sure that I do not understand what you mean. 

    @Overclock 's issue is actually thought-provoking - logging into a system that has machine-authenticated (802.1x) successfully but with a local admin account.

    Interesting!!!​


  • 4.  RE: EAP-TLS user & machine auth + local admin account

    Posted Jun 02, 2021 12:55 PM
    Machine auth / computer auth only.

    ------------------------------
    Tim C
    ------------------------------



  • 5.  RE: EAP-TLS user & machine auth + local admin account

    Posted Jun 02, 2021 01:13 PM
    Thanks @timms

    ​​


  • 6.  RE: EAP-TLS user & machine auth + local admin account

    Posted Jun 12, 2021 07:34 AM
    HI Tim,

    Why machine/computer authentication is recomended ?

    Computer  authetication there is disadvantage. It won't work for role mapping as it can't get the detail attributes (user group) from AD.
    I faced this problem in role mapping + enforcement when windows client is machine/computer authentication.
    TAC told me windows client need to set to user only or  "user or computer authentcaition ".
    User authentication will provide more complete attribtues information.

    Thanks.

    ------------------------------
    Choh Koon Tan
    ------------------------------



  • 7.  RE: EAP-TLS user & machine auth + local admin account

    Posted Jun 14, 2021 09:50 AM
    User policy should be enforced higher in the stack. It has little value at L2.

    ------------------------------
    Tim C
    ------------------------------