Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TLS, getting initial user certificate

  • 1.  EAP-TLS, getting initial user certificate

    Posted Dec 06, 2019 11:03 AM

    This isn't so much an Aruba-specific problem, but more design related. I have an Aruba wireless environment with ClearPass, Active Directory, and a Windows PKI. Domain users and domain computers are automatically enrolling in a certificate template designed for wireless authentication. This all works great, except for the initial logon.

     

    My group policy tells Windows to log on to the SSID with a user or computer certificate. All computers get a certificate when they are imaged on the wired network.

     

    In the case where a user has not logged into a computer before, they are successfully able to authenticate while the computer is on the wireless network authenticated as the computer. However, after the user profile loads, they are unable to connect to the SSID as they do not yet have a certificate on this computer.

     

    What is the best way to design this environment to enable users to log on to a computer for the first time on wireless, without having to get a user certificate with a wired network login first?

     

    I appreciate your time reading this and your thoughts, thank you.



  • 2.  RE: EAP-TLS, getting initial user certificate

    EMPLOYEE
    Posted Dec 06, 2019 11:07 AM

    My opinion:

     

    Configure the wireless profile GPO for Computer-Only.



  • 3.  RE: EAP-TLS, getting initial user certificate

    EMPLOYEE
    Posted Dec 06, 2019 11:08 AM
    Unfortunately this is due to OS limitations. The only option is to use Machine Auth only.


  • 4.  RE: EAP-TLS, getting initial user certificate

    Posted Dec 06, 2019 11:30 AM

    Has anyone attempted to use credential roaming? I was just reading up on it and think I'll give it a test.



  • 5.  RE: EAP-TLS, getting initial user certificate

    EMPLOYEE
    Posted Dec 06, 2019 12:11 PM

    I don't think it will solve anything as it runs in the user state.



  • 6.  RE: EAP-TLS, getting initial user certificate

    MVP EXPERT
    Posted Dec 06, 2019 02:03 PM

    The computer certificate is enrolled by the GPO when the computer joins AD. The user certificate is enrolled after the user has logged in once.

     

    This creates a chicken-and-egg situation for user certificate authentication, due to how Microsoft implements this.

     

    That's why we advise using only computer authentication.



  • 7.  RE: EAP-TLS, getting initial user certificate

    Posted Dec 06, 2019 03:20 PM

    It seems you are correct. My hope was since the cert is stored in the user object in AD it may be delivered prior to the computer auth giving up, but that was not the case.

     

    It seems I will need to make an adjustment for shared computers not to user-auth.

     

    Thank you all for the insight.



  • 8.  RE: EAP-TLS, getting initial user certificate

    EMPLOYEE
    Posted Dec 08, 2019 12:40 PM

    If you need user visibility, you can put the ClearPass OnGuard agent on the devices in Auth Only mode using Windows SSO. Auth Only mode does not require any OnGuard licensing in CPPM. This will provide overlay visibility into the logged-in user.