Enterprise Lockdown

Contributor I

User certificate auto enrollment over wireless

We have user cert auto enrollment setup and working when on the wired connection.
We also have machine cert auto enrollment setup and working.

As long as the certs are in place prior to going wireless, everything works like a champ.

Where we are having a problem is when a laptop that was working for one user gets moved to another user.
In order for it to work, we have to jack the device into a network jack the first time.
Then the logon proceeds, the user profile is created, and the cert installs.

As a test we have modified the machine role to
Machine Authentication: Default Machine Role - authenticated
Machine Authentication: Default User Role - authenticated

Initial role – authenticated
802.1X Authentication Default Role – authenticated

While this is not the way we want it to work, we did this as an "any any" type of troubleshooting to try and simulate a wired connection.

It would not log on or install the cert until we jacked it into a wire.

Can this be done?
Guru Elite

Chicken and Egg

The problem with this setup is that a user cannot enroll unless he is logged into the computer. He cannot connect wirelessly unless he has a certificate, so he cannot log in. So when using EAP-TLS, a user must have logged in wired first.

To make this setup work for everyone, you would have to make it so that the computer ONLY authenticates in the computer and user context. Of course, you won't be able to tell who is logged into the computer wirelessly, as it will always have the computer as the username. Logging in wirelessly, even if you have never logged in before, will work, however.

Details on how to do this via group policy are here: http://technet.microsoft.com/en-us/library/cc778073%28WS.10%29.aspx

Look for "Computer only. When this option is selected, authentication is always performed using the computer credentials. User authentication is never performed." on the page.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
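The "Computer only" option in the wireless group policy ends up in each client's WLAN profile as the OneX authMode element (values machineOrUser, which is the default, machine, user and guest). The script below is an added example, not code from this thread or from Aruba or Microsoft: it audits an exported Windows WLAN profile for the auth mode that causes the chicken-and-egg above and rewrites it to machine-only. The SSID "CorpWiFi" and the sample profile are constructed for the example, and the EAPConfig subtree that a real export carries inside OneX is omitted for brevity; the parsing paths are the same on a full export.

```python
"""Audit and fix the 802.1X authMode in an exported Windows WLAN profile.

Added example, not from the forum thread.  Assumes the profile XML format
written by `netsh wlan export profile`, where the OneX element carries an
<authMode> of machineOrUser, machine, user or guest.  The sample profile,
the SSID "CorpWiFi" and the file name are constructed for this example.
"""
import sys
from typing import Optional
import xml.etree.ElementTree as ET

NS = {
    "wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
}
AUTH_MODE_PATH = "wlan:MSM/wlan:security/onex:OneX/onex:authMode"

# Constructed sample: an EAP-TLS profile left at the default machineOrUser.
# A real export also has an EAPConfig subtree inside OneX; omitted here.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machineOrUser</authMode>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
"""


def get_profile_name(profile_xml: str) -> Optional[str]:
    """Return the profile <name>, or None if absent."""
    node = ET.fromstring(profile_xml).find("wlan:name", NS)
    return node.text.strip() if node is not None and node.text else None


def get_auth_mode(profile_xml: str) -> Optional[str]:
    """Return the OneX authMode, or None if the profile has no 802.1X block."""
    node = ET.fromstring(profile_xml).find(AUTH_MODE_PATH, NS)
    return node.text.strip() if node is not None and node.text else None


def needs_user_cert_at_first_logon(auth_mode: Optional[str]) -> bool:
    """True when a never-enrolled user cannot complete a wireless logon.

    machineOrUser switches to user credentials as soon as a user logs on,
    and user always uses them; with EAP-TLS that means a user certificate
    the new user has not been able to enroll yet.  Only machine keeps the
    supplicant on the computer certificate for the whole session.
    """
    return auth_mode in ("machineOrUser", "user")


def audit_profile(profile_xml: str) -> dict:
    """Summarise one profile: name, auth mode and whether it is affected."""
    mode = get_auth_mode(profile_xml)
    return {
        "name": get_profile_name(profile_xml),
        "authMode": mode,
        "first_wireless_logon_breaks": needs_user_cert_at_first_logon(mode),
    }


def set_machine_only(profile_xml: str) -> str:
    """Return a copy of the profile with authMode forced to 'machine'."""
    ET.register_namespace("", NS["wlan"])      # keep WLANProfile unprefixed
    ET.register_namespace("onex", NS["onex"])  # OneX elements get a prefix
    root = ET.fromstring(profile_xml)
    node = root.find(AUTH_MODE_PATH, NS)
    if node is None:
        raise ValueError("profile has no OneX/authMode element (no 802.1X?)")
    node.text = "machine"
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python fix_wlan_authmode.py [exported-profile.xml]
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    print(audit_profile(xml_text))
    if needs_user_cert_at_first_logon(get_auth_mode(xml_text)):
        sys.stdout.write(set_machine_only(xml_text))
```

To check a real client, export the profile with `netsh wlan export profile name="CorpWiFi" folder=. key=clear`, run the script on the resulting file, and load the rewritten copy with `netsh wlan add profile filename=<file> user=all`. The rewritten file carries an explicit prefix on the OneX elements, which is still the same XML as the unprefixed original. Note that this only changes the local profile; if the setting is delivered by group policy, the policy will overwrite it, so the lasting fix is the "Computer only" option in the wireless network policy itself.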
Contributor I


That is what I thought...