Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

AAA Radius Certificate query

  • 1.  AAA Radius Certificate query

    Posted Nov 01, 2013 12:11 AM

    Hi

    This may have been covered elsewhere but I cannot find a solution and I am getting confused about settings to apply.  I am trying to ensure that only computers with a certificate can connect to radius plus also have user authentication required to connect.  I have a 3400 controller with server2008 radius using a 'Wifi-Users' to authenticate, this works fine.  This way a user has to use the laptop they are assigned to access wifi.

    I have the following -

    On Radius server beside using 'WiFi-Users' under the Radius Network policy as an Authentication Method Constraint I have set

    PEAP with 'Certificate issued to' set to 'RadiusServer.domain.local'

    Enable fast reconnect

    EAP type - Secured password (EAP-MSCHAP v2)

    Using GPO I am setting a wifi policy that includes PEAP authentication using Settings of

    'Validate server certificate'

    'Connect to these servers' set to RadiusServer.domain.local and trusted root certificate authorities has my internal CA selected.

    'Secured password (EAP-MSCHAP v2)'

    The issue I have is that a user can connect on any laptop without the gpo policy or certificate installed or even set in the laptop WiFi settings, is this even possible?

    If I connect using iPhone I have to accept the 'RadiusServer.domain.local'  certificate install, which is what I want.

    I have also tried using a group 'WiFi-Computers' however if I add this as a Windows group to Radius network policy authentication fails.

    Thanks in advance.


    #3400


  • 2.  RE: AAA Radius Certificate query

    Posted Nov 01, 2013 12:21 AM

    Hi DL77,

     

    A user connecting to an SSID with a RADIUS server and a self-signed certificate will be presented with an option to download that certificate before going further. This should happen before the user is authenticated or authorized on the network. It sounds like you're interested in preventing anyone from connecting to the network unless they already have that server certificate installed? Would you mind clarifying that piece?

     

    Here's what I've done, which is a little different. You can use the Clearpass OnBoard features to generate an individual certificate for each client device. These certificates will be signed by Clearpass and be installed as part of a profile on a Windows, Mac, iOS, or Android device. I have the SSID authenticate valid certificates using EAP-TLS - it actually works really well. 

     

    You can perform the above as part of a workflow on a single SSID, or a dual SSID approach with an open / guest SSID that the user must disconnect from after the certificate and profiles settings have been installed.

     

    Let me know if that helps - thanks!

     

    -Mike



  • 3.  RE: AAA Radius Certificate query

    Posted Nov 01, 2013 12:31 AM

    Hi Mike

     

    You are correct, I would like to use the server certificate plus additionally user AD credentials.  I am deploying the certificate with the GPO WiFi policy that is pushed out to the "WiFi computers group".  I would prefer this method so it is easier for other IT staff to set up users/computers by just having to put them into certain AD groups to apply the required settings.

     

    Thanks



  • 4.  RE: AAA Radius Certificate query

    EMPLOYEE
    Posted Nov 01, 2013 02:07 AM

    @DL77 wrote:

    Hi Mike

     

    You are correct, I would like to use the server certificate plus additionally user AD credentials.  I am deploying the certificate with the GPO WiFi policy that is pushed out to the "WiFi computers group".  I would prefer this method so it is easier for other IT staff to set up users/computers by just having to put them into certain AD groups to apply the required settings.

     

    Thanks


    DL77 if you are using PEAP, you are ONLY using usernames and passwords.  PEAP is a mutual authentication that requires that the Radius server authenticates the username and password, BUT the CLIENT authenticates the radius server certificate (Validate Server Certificate).  There is NO checking by the radius server to see if a client possesses a particular certificate; ONLY the client checks the radius server certificate.  When an iPhone or Android connects, it is up to the user to accept or reject the radius server certificate; the administrator cannot force the client to accept a particular radius certificate unless a profile is pushed on iOS or a configuration is pushed on Android, etc.

     

    If you ONLY want specific clients to connect, you need to use EAP-TLS, which is client-side certificates.  It is more difficult to deploy EAP-TLS, because you need to set up a certificate authority and use a mechanism to deliver the client-side certificate to your clients.  In the Windows world, you can enable autoenrollment and that will deploy certificates to either the machine or user store for authentication.  On mobile platforms it is more difficult and you need to have a platform like ClearPass and QuickConnect to deploy certificates automatically, or email the mobile user a certificate that is generated by your CA and have them configure their mobile clients manually.

     

     



  • 5.  RE: AAA Radius Certificate query

    Posted Nov 01, 2013 02:32 AM

    Thanks cjoseph, when you mention ONLY the client checks the radius server certificate can you confirm?  This is what I thought I was doing.

     

    If I am pushing out the WiFi settings plus server certificate it connects as expected.  However, if the certificate settings in the WiFi aren't set, by using a laptop that doesn't get the GPO policy and just connects manually, I would have thought that the client wouldn't be able to check the radius server certificate and so the user wouldn't be able to connect even if they have permission, i.e. the client doesn't have the server certificate installed.

     

     



  • 6.  RE: AAA Radius Certificate query

    EMPLOYEE
    Posted Nov 01, 2013 02:35 AM

    @DL77 wrote:

    Thanks cjoseph, when you mention ONLY the client checks the radius server certificate can you confirm?  This is what I thought I was doing.

     

    If I am pushing out the WiFi settings plus server certificate it connects as expected.  However, if the certificate settings in the WiFi aren't set, by using a laptop that doesn't get the GPO policy and just connects manually, I would have thought that the client wouldn't be able to check the radius server certificate and so the user wouldn't be able to connect even if they have permission, i.e. the client doesn't have the server certificate installed.

     

     


    Yes ONLY the client checks using the "Validate Server Certificate" button.  You could connect another Windows client that does not have a GPO with only a username and password if "Validate Server Certificate" is not checked on that client.  On iPhone and Android devices the USER decides whether to accept a server certificate, so that is NOT enforced by the administrator, either.



  • 7.  RE: AAA Radius Certificate query

    Posted Nov 01, 2013 02:38 AM

    I should have stated that on PEAP properties, even if Validate server certificate is selected with no other settings, the client does connect.  I thought it shouldn't.



  • 8.  RE: AAA Radius Certificate query

    EMPLOYEE
    Posted Nov 01, 2013 02:43 AM

    @DL77 wrote:

    I should have stated that on PEAP properties, even if Validate server certificate is selected with no other settings, the client does connect.  I thought it shouldn't.


    To be clear, "Validate Server Certificate" is a client-side option that only allows a client to connect to a radius server whose certificate or CA certificate is in the client's local store.  Clients that are not configured by group policy can choose to NOT validate the server certificate and connect to any network that allows it on.
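    As an added illustration of the client-side nature of this setting (not code from the thread or from HPE Aruba), the script below audits a Windows wireless profile of the kind `netsh wlan export profile` writes and reports whether the PEAP client will actually validate the RADIUS server (server validation on, server name restricted, trusted root CA pinned, user prompt disabled). The embedded XML is a constructed sample following that file's layout; the thumbprint in it is a placeholder, and elements are matched by local name so the exact namespace prefixes are not relied on.

```python
import xml.etree.ElementTree as ET

# Constructed sample, laid out like a `netsh wlan export profile` file with the
# three PEAP settings from the thread; the TrustedRootCA thumbprint is a placeholder.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
  <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
  <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
  <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
    <ServerValidation>
      <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
      <ServerNames>RadiusServer.domain.local</ServerNames>
      <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
    </ServerValidation>
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type></Eap>
    <PeapExtensions>
      <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
    </PeapExtensions>
  </EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM>
</WLANProfile>"""

def _text(root, local):
    """Text of the first element with this local tag name, ignoring namespaces."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local:
            return (el.text or "").strip()
    return None

def audit_peap_profile(xml_text):
    """Report whether the client side of PEAP will really check the RADIUS server.
    As the thread notes, nothing in this profile makes the server check a client cert."""
    root = ET.fromstring(xml_text)
    names = [n for n in (_text(root, "ServerNames") or "").split(";") if n]
    result = {
        "eap_type": int(_text(root, "Type") or 0),  # 25 = PEAP, 13 = EAP-TLS
        "validates_server": _text(root, "PerformServerValidation") == "true",
        "server_names": names,
        "pins_root_ca": bool(_text(root, "TrustedRootCA")),
        "user_can_override": _text(root, "DisableUserPromptForServerValidation") != "true",
    }
    issues = []
    if result["eap_type"] == 25:
        issues.append("PEAP: server never checks a client certificate; only username/password gates access")
    if not result["validates_server"]:
        issues.append("client accepts any RADIUS server certificate")
    elif not names or not result["pins_root_ca"]:
        issues.append("server validation is on but not restricted to a name and trusted root CA")
    if result["user_can_override"]:
        issues.append("user may click through an untrusted server certificate")
    result["issues"] = issues
    return result
```

Running it against a profile exported from a laptop that was joined manually rather than by the GPO shows exactly which of these checks that client is skipping.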



  • 9.  RE: AAA Radius Certificate query

    Posted Nov 01, 2013 03:32 AM

    Thanks, appreciate your responses, to confirm the certificate isn't providing any access restrictions, it is just a confirmation of the server, hence 'Validate'.

    Do you know if authentication can be used with the certificate and user login if instead under PEAP properties - Select Authentication Method - Smart Card or other Certificate is used with similar settings as would be used for Validate server certificate, or am I going down the wrong path?

    I looked at setting an additional radius network policy with conditions that a client was in AD group 'WiFi computers' with constraint Authentication Method - PEAP, EAP type Smart Card or other Certificate using certificate RadiusServer.domain.local

    The second network policy would remain as the current user authentication.

     



  • 10.  RE: AAA Radius Certificate query

    EMPLOYEE
    Posted Nov 01, 2013 03:47 AM

    @DL77 wrote:

    Thanks, appreciate your responses, to confirm the certificate isn't providing any access restrictions, it is just a confirmation of the server, hence 'Validate'.

    Do you know if authentication can be used with the certificate and user login if instead under PEAP properties - Select Authentication Method - Smart Card or other Certificate is used with similar settings as would be used for Validate server certificate, or am I going down the wrong path?

    I looked at setting an additional radius network policy with conditions that a client was in AD group 'WiFi computers' with constraint Authentication Method - PEAP, EAP type Smart Card or other Certificate using certificate RadiusServer.domain.local

    The second network policy would remain as the current user authentication.

     


    On the wireless link, you cannot check a username AND a certificate at the same time.  You can only check one credential, and you can only configure your client to submit one credential (certificate OR username and password).  Also, when a user credential is submitted by the client, only rules that are relevant to that user, and NOT the machine the user is on, can be used.  If I log in as cjoseph, you cannot check to see if my computer is in the "wifi Computers" group.  This is a limitation of Microsoft's NPS server.

     

    To accomplish what you want, you probably should use Machine Authentication.  In addition, you can layer on "Enforce Machine Authentication" on the Aruba Controller to get machine + user visibility.



  • 11.  RE: AAA Radius Certificate query

    Posted Nov 07, 2013 12:43 AM

    Sorry for the delay.  Thanks again for clearing this up, I will look into this further about what to do.  Appreciate your help.