@DL77 wrote:
Thanks, appreciate your responses. To confirm, the certificate isn't providing any access restrictions; it is just a confirmation of the server, hence 'Validate'.
Do you know if authentication can be used with the certificate and user login if instead, under PEAP properties - Select Authentication Method, Smart Card or other Certificate is used with similar settings as would be used for Validate server certificate, or am I going down the wrong path?
I looked at setting an additional RADIUS network policy with conditions that a client was in AD group 'WiFi computers', with constraint Authentication Method - PEAP, EAP type Smart Card or other Certificate using certificate RadiusServer.domain.local.
The second network policy would remain as the current user authentication.
On the wireless link, you cannot check a username AND a certificate at the same time. You can only check one credential, and you can only configure your client to submit one credential (certificate OR username and password). Also, when a user credential is submitted by the client, only rules that are relevant to that user and NOT the machine the user is on, can be used. If I login as cjoseph, you cannot check to see if my computer is in the "wifi Computers" group. This is a limitation of Microsoft's NPS server.
To accomplish what you want, you probably should use Machine Authentication. In addition, you can layer on "Enforce Machine Authentication" on the Aruba Controller to get machine + user visibility.
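To see how "machine + user visibility" falls out of the two-step flow described above: the controller remembers per MAC that a machine authentication (Windows sends the identity as host/computername) succeeded, and later combines that with the user's own 802.1X result. This is an added example, not code from the thread or from Aruba; the role names and the host/ identity convention are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Station:
    """Per-client (MAC) state kept across the machine and user 802.1X exchanges."""
    machine_authed: bool = False        # set when host/<computer> authenticated
    user: Optional[str] = None          # set when a user identity authenticated
    server_role: Optional[str] = None   # role returned by RADIUS for that user


class MachineAuthEnforcer:
    """Models 'enforce machine authentication': the role a client gets depends on
    which of the two authentications (machine, user) has succeeded for its MAC.
    Role names are constructed for this example, not taken from the thread."""

    def __init__(self, machine_default_role: str = "machine-only",
                 user_default_role: str = "user-only-restricted",
                 initial_role: str = "logon") -> None:
        self.machine_default_role = machine_default_role
        self.user_default_role = user_default_role
        self.initial_role = initial_role
        self.stations: Dict[str, Station] = {}

    def on_auth_success(self, mac: str, identity: str, server_role: str) -> str:
        """Record a successful 802.1X authentication and return the role to enforce."""
        st = self.stations.setdefault(mac, Station())
        if identity.startswith("host/"):
            st.machine_authed = True          # computer account authenticated
        else:
            st.user = identity                # user logged on from this machine
            st.server_role = server_role
        return self.role_for(mac)

    def role_for(self, mac: str) -> str:
        """Derive the role: both passed -> RADIUS role; only one -> fallback role."""
        st = self.stations.get(mac)
        if st is None or (not st.machine_authed and st.user is None):
            return self.initial_role
        if st.machine_authed and st.user is None:
            return self.machine_default_role
        if st.user is not None and not st.machine_authed:
            return self.user_default_role      # e.g. a personal device with a valid user
        return st.server_role or self.user_default_role
```

A user authenticating from a MAC that never passed machine authentication ends up in the user-only role, which is the visibility NPS alone cannot give you.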