Security

  • 1.  Machine Authentication - How

    Posted Jul 31, 2024 02:59 AM

    Dear Experts,

    One of the customers is using EAP-PEAP (MSCHAPv2) to do user credential authentication. They want to do computer authentication to make sure that only domain-joined machines are getting the correct roles. However, what I don't understand is, in the user's case we can match different criteria like OU, SG etc., but in the computer's case how is it done? Do we only change if machine authentication is successful?

    If yes, can someone tell me or share a sample policy for how to match the correct domain for machine authentication?



  • 2.  RE: Machine Authentication - How

    Posted Jul 31, 2024 01:16 PM

    Two ways, one is preferred:

    1. Use TEAP and chained EAP requests to authenticate the device and user at the same time.
    2. Configure the supplicant for Computer and User auth, which will require the computer to go through a device-level authentication first and then mark that endpoint as domain joined; use that endpoint attribute as a further check during user auth.

    Note, both options are only applicable to Windows.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
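    A simulation of the second option above, added here as an illustration rather than code from the thread or from any product's policy language: a successful machine authentication (identity of the form host/FQDN, as Windows supplicants send it) marks the endpoint, keyed by MAC address, as domain joined; a later user authentication from that MAC gets the full role only while that mark is present and unexpired, otherwise a restricted role. The role names, the 24-hour cache lifetime and the domain check by parsing the host FQDN are assumptions (a real deployment establishes the machine's domain through the directory lookup, not by string parsing).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

MACHINE_AUTH_TTL = timedelta(hours=24)  # assumed lifetime of the "domain joined" mark


@dataclass
class Endpoint:
    """What the policy server remembers about one MAC address."""
    mac: str
    machine_authenticated_at: Optional[datetime] = None
    machine_domain: Optional[str] = None


class TwoPhasePolicy:
    def __init__(self, trusted_domain: str):
        self.trusted_domain = trusted_domain.upper()
        self.endpoints: Dict[str, Endpoint] = {}  # constructed in-memory endpoint store

    def machine_auth(self, mac: str, identity: str, creds_ok: bool, now: datetime) -> str:
        """Computer phase: identity is host/PC01.CORP.EXAMPLE from a domain-joined Windows box."""
        if not creds_ok or not identity.startswith("host/"):
            return "DENY"
        fqdn = identity[len("host/"):]
        # Simplification: derive the domain from the FQDN; a real server uses the directory lookup.
        domain = fqdn.split(".", 1)[1].upper() if "." in fqdn else ""
        if domain != self.trusted_domain:
            return "DENY"  # machine account exists somewhere, but not in the trusted domain
        ep = self.endpoints.setdefault(mac, Endpoint(mac))
        ep.machine_authenticated_at = now
        ep.machine_domain = domain
        return "MACHINE-ONLY"  # limited access until a user logs on

    def user_auth(self, mac: str, identity: str, creds_ok: bool, now: datetime) -> str:
        """User phase: good credentials alone are not enough for the full role."""
        if not creds_ok:
            return "DENY"
        ep = self.endpoints.get(mac)
        domain_joined = (
            ep is not None
            and ep.machine_authenticated_at is not None
            and now - ep.machine_authenticated_at <= MACHINE_AUTH_TTL
            and ep.machine_domain == self.trusted_domain
        )
        # Valid user on a personal or unknown device lands in the restricted role.
        return "EMPLOYEE" if domain_joined else "RESTRICTED"
```

The restricted outcome for a valid user on an unmarked MAC is the check that separates this design from plain user authentication; the TTL models the machine mark going stale after a reboot cycle without a new computer phase.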



  • 3.  RE: Machine Authentication - How

    Posted Aug 05, 2024 10:31 AM

    Don't use AD credentials. Use certificates instead. Note Credential Guard on modern Windows versions.