Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Certificates instead of PEAP in a Windows Environment

  • 1.  Certificates instead of PEAP in a Windows Environment

    Posted Sep 03, 2014 09:36 PM

    I have had good success using PEAP in Windows environments. We do machine auth at boot or logoff, and do user auth when the user logs on and upgrade their role. Very useful to keep a machine online when no user is logged in, and it also supports different users on the same machine. And it is very easy to deploy using a generic Windows XML: since the user credentials don't need to be stored, it doesn't need to be customised for each user.


    I now have a customer asking if a similar arrangement is somehow possible using certificates (EAP-TLS). Can we somehow do a machine level auth with certs, and then still do user auth with certs? 



  • 2.  RE: Certificates instead of PEAP in a Windows Environment

    EMPLOYEE
    Posted Sep 03, 2014 09:41 PM

    Yes you can. And the certificate deployment can be automated using Group Policy with ADCS. 



  • 3.  RE: Certificates instead of PEAP in a Windows Environment

    Posted Sep 03, 2014 09:49 PM

    So how does this work, do you need a separate certificate for machine auth and user auth?

    How do you handle multiple users using one laptop, wouldn't that require a different wireless profile for each user since it points to a different cert?



  • 4.  RE: Certificates instead of PEAP in a Windows Environment

    EMPLOYEE
    Posted Sep 03, 2014 09:52 PM
    No, the certificates can be issued to users and computers automatically, and just as with username/password authentication, the Group Policy network profile switches between user and computer authentication.

    The certificate is simply a password. The Windows username is still used.


  • 5.  RE: Certificates instead of PEAP in a Windows Environment

    Posted Sep 03, 2014 09:59 PM

    So is this assuming an OnBoard environment? This customer has a MobileIron environment, so they are not using ClearPass for OnBoard, only Policy Manager/Guest.


    I am not convinced certificates offer any additional security in this situation, but if it can be done as seamlessly as PEAP, it may be worthwhile. But I'm still getting my head around how this would work.




  • 6.  RE: Certificates instead of PEAP in a Windows Environment

    EMPLOYEE
    Posted Sep 03, 2014 10:06 PM

    No, OnBoard is not necessary. You can use Active Directory’s certificate services.

    In a completely Windows AD environment where the 802.1X configuration is pushed out via group policy and the end user can’t change it, you won’t gain much with certificates.

    Certificates are big with BYOD, where supplicants often aren’t configured correctly and can expose user passwords in a MiTM attack; with BYOD, best practice is to give the device its own credential.


    http://technet.microsoft.com/en-us/library/cc731564.aspx



  • 7.  RE: Certificates instead of PEAP in a Windows Environment

    Posted Sep 03, 2014 10:39 PM

    Thanks, that was my thinking as well.


    One reason I hear for certificates is to not store AD credentials locally. But with Windows, when PEAP uses the logon credentials to authenticate, well, they are not stored or distributed in the wireless profile; they're given at logon, so I would think the password is only locally cached in the same manner that Windows does regardless.


    For BYOD it makes perfect sense to have certs for a few reasons.


    I think there's some debate over whether PEAP is inherently more secure than EAP-TLS anyway.



  • 8.  RE: Certificates instead of PEAP in a Windows Environment

    EMPLOYEE
    Posted Sep 04, 2014 12:20 AM

    BGC IT, 


    For your reference, we see that most environments that use EAP-TLS for security use machine-only certificates with EAP-TLS, so that only devices with enterprise-issued certificates can get onto the network.  The user has to log in to Windows successfully on top of that with their AD username and password, so it results in two-factor authentication.  The user credentials are never used to access the wireless; only the machine's distributed certificate.


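The two deployment shapes discussed in replies 4 and 8 (a Group Policy profile that switches between computer and user authentication, versus machine-only certificates) are both decided by the `authMode` element of the Windows WLAN profile. The following PowerShell script is an added example, not code from this thread, from HPE Aruba or from Microsoft: it parses a WLAN profile XML and reports the EAP method and authentication mode so an administrator can confirm which of the two models a deployed profile actually implements. The profile name `CorpWiFi` and the embedded sample profile are constructed for the example; the `netsh wlan export profile` command, the `authMode` values and the EAP type numbers (13 for EAP-TLS, 25 for PEAP) are real.

```powershell
# Added example (not from the thread, HPE Aruba or Microsoft): audit a Windows
# WLAN profile for its 802.1X authentication mode and EAP method.
# On a domain-joined client, export the GPO-deployed profile first, e.g.
#   netsh wlan export profile name="CorpWiFi" folder="$env:TEMP"
# and pass the resulting XML file as -ProfilePath. With no path, the script
# parses the constructed sample profile embedded below.
[CmdletBinding()]
param([string]$ProfilePath)

# Constructed sample: EAP-TLS (type 13) with authMode machineOrUser, i.e. the
# computer certificate is used before logon and the user certificate after.
$SampleProfileXml = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machineOrUser</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
'@

function Get-LocalNameText {
    # Namespace-agnostic lookup: local-name() in XPath avoids having to register
    # every xmlns the profile declares with an XmlNamespaceManager.
    param([xml]$Doc, [string]$XPath)
    $node = $Doc.SelectSingleNode($XPath)
    if ($null -eq $node) { return $null }
    return $node.InnerText.Trim()
}

function Get-OneXProfileSummary {
    param([xml]$Doc)
    $name     = Get-LocalNameText $Doc "/*[local-name()='WLANProfile']/*[local-name()='name']"
    $useOneX  = Get-LocalNameText $Doc "//*[local-name()='useOneX']"
    $authMode = Get-LocalNameText $Doc "//*[local-name()='authMode']"
    $eapType  = Get-LocalNameText $Doc "//*[local-name()='EapMethod']/*[local-name()='Type']"

    # IANA-assigned EAP method types: 13 = EAP-TLS, 25 = PEAP.
    # Casting to [string] makes a missing element hit the default branch.
    $eapName = switch ([string]$eapType) {
        '13'    { 'EAP-TLS' }
        '25'    { 'PEAP' }
        default { "EAP type '$eapType'" }
    }

    # What each authMode means for the machine-vs-user question in the thread.
    $meaning = switch ([string]$authMode) {
        'machine'       { 'computer credential only; the user identity never reaches the NAS, so no user-based role change at 802.1X' }
        'machineOrUser' { 'computer credential before logon, user credential after logon; RADIUS sees both identities' }
        'user'          { 'user credential only; no network connectivity before logon' }
        default         { 'authMode element not present in this profile' }
    }

    [pscustomobject]@{
        ProfileName = $name
        Uses8021X   = ($useOneX -eq 'true')
        EapMethod   = $eapName
        AuthMode    = $authMode
        Meaning     = $meaning
    }
}

if ($ProfilePath) {
    [xml]$doc = Get-Content -Path $ProfilePath -Raw
} else {
    [xml]$doc = $SampleProfileXml
}
Get-OneXProfileSummary -Doc $doc | Format-List
```

For the embedded sample the summary reports `EAP-TLS` with `machineOrUser`, which is the reply-4 model; a profile built for the reply-8 model reports `machine`, and the script's `Meaning` line spells out that the user's identity is then never presented to ClearPass, which is why a user-based role change is not available in that design.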


  • 9.  RE: Certificates instead of PEAP in a Windows Environment

    Posted Sep 04, 2014 07:27 PM

    Hi CJ, 

    Does this scenario prevent you changing role when the user logs in?




  • 10.  RE: Certificates instead of PEAP in a Windows Environment

    EMPLOYEE
    Posted Sep 04, 2014 09:39 PM

    BGC IT,

     

    The user would not be involved in the wireless authentication; only the machine.