Occasional Contributor I

Can a user have a certificate or does only a machine have a certificate?

Say you want to set up a PKI and use EAP-TLS to authenticate all users and computers.

A computer's certificate is stored on that computer. But how can a user have a certificate? Where is it stored? What if a user logs in from another computer, how will he provide his certificate for client authentication?

Guru Elite

Re: Can a user have a certificate or does only a machine have a certificate?

There is a system cert store and a user store. Machine certs are stored in the system store and user certs are stored in the user store.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
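
The two stores described in the reply above can be inspected on a Windows client through the PowerShell certificate provider. This is an added example, not part of the original reply; the function name `Get-ClientAuthCertificate` is hypothetical, and it assumes the certificates live in the Personal (`My`) store of each location.

```powershell
# Added example: list certificates in the machine store and the current
# user's store that are candidates for EAP-TLS client authentication.
# Assumption: certificates are enrolled into the Personal ("My") store.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-ClientAuthCertificate {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [ValidateSet('LocalMachine', 'CurrentUser')]
        [string]$StoreLocation
    )

    Get-ChildItem -Path "Cert:\$StoreLocation\My" | ForEach-Object {
        # EnhancedKeyUsageList is added by the certificate provider;
        # each entry carries a FriendlyName and an ObjectId.
        $ekuOids = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

        # A certificate without an EKU extension is not restricted to any purpose.
        $allowsClientAuth = ($ekuOids.Count -eq 0) -or
                            ($ekuOids -contains $ClientAuthOid)

        [pscustomobject]@{
            Store         = $StoreLocation
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            Expired       = $_.NotAfter -lt (Get-Date)
            HasPrivateKey = $_.HasPrivateKey   # needed to prove possession in TLS
            ClientAuth    = $allowsClientAuth
        }
    }
}

# LocalMachine is shared by everyone on the device; CurrentUser is the
# profile of whoever runs this script, so it is empty for a user whose
# certificate has not been enrolled on this computer yet.
'LocalMachine', 'CurrentUser' |
    ForEach-Object { Get-ClientAuthCertificate -StoreLocation $_ } |
    Where-Object { $_.ClientAuth -and $_.HasPrivateKey -and -not $_.Expired } |
    Format-Table Store, Subject, NotAfter, Thumbprint -AutoSize
```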
Occasional Contributor I

Re: Can a user have a certificate or does only a machine have a certificate?

Guru Elite

Re: Can a user have a certificate or does only a machine have a certificate?

In practice, it is worse than that... Typically user certificates are only distributed via group policy when that user logs in successfully via a wired computer. The user would have had to log in to a wired computer to even have the certificate distributed to the user's profile before using it wirelessly. That is why many secure environments only have wireless EAP-TLS with machine certificates and machine-only wireless authentication... Having a multi-user device with wireless user certificates is a headache to provision in practice for multiple users.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Occasional Contributor I

Re: Can a user have a certificate or does only a machine have a certificate?

Thank you 

Guru Elite

Re: Can a user have a certificate or does only a machine have a certificate?

The machine cert is unique per device. The user cert is downloaded into the user cert store after the user logs in. This can cause complications when using machine + user authentication because the first time a user authenticates, the certificate is not available until after the login process completes.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor I

Re: Can a user have a certificate or does only a machine have a certificate?

Guru Elite

Re: Can a user have a certificate or does only a machine have a certificate?

For the network, yes. To use a certificate to log on to the machine itself, you'd need to use a smartcard.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
