Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TLS user certificate race condition

  • 1.  EAP-TLS user certificate race condition

    Posted Apr 17, 2019 08:41 AM

    Hi all,

    We've rolled out EAP-TLS authentication (moving away from EAP-PEAP) to our managed devices and all is working successfully apart from one specific scenario, that is new users logging onto a laptop for the first time via wireless.  A search has shown that I'm not the only one to hit this and it's pretty much a race condition with Windows not having the user cert to get on the network, to get the cert it needs to get on the network.

    The SSID accepts both machine and user certificates for connection, so the observed behaviour is that Windows boots to login screen and connects using the machine cert.  It then uses this to contact domain controllers to authenticate but at some point shortly after, tries to switch to the user cert, fails as that's not present and doesn't just fall back to the machine cert (because that would be far too sensible).

    Of course to really confuse matters one in every three or four attempts actually works and the user cert is pulled from our AD and the machine happily switches over to using it.  So definitely seems like a race condition to me.

    My question is has anyone successfully got past this?  The recommendation was always to revert to EAP-PEAP but we're trying to move away from it so that's not an option.  Did people find a magic Windows setting?  Did people use a different supplicant to the Windows one?  Did they just give up and tell people to wire for their first login?

    Thanks in advance,

    Luke

  • 2.  RE: EAP-TLS user certificate race condition

    Posted Apr 17, 2019 09:23 AM
    Best approach is to set the profile to do machine authentication only when doing certificate-based authentication, to prevent the issue you are experiencing.

    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 3.  RE: EAP-TLS user certificate race condition

    Posted Apr 17, 2019 09:27 AM

    How I've actually got round it presently (although it's not the prettiest of solutions) is to have a secondary GPO pushed wireless profile that connects to the exact same SSID but only does machine certificate authentication.  Therefore if the user cert isn't present it falls back to this which enables the user cert to actually be pulled.  When the user next restarts it connects to the standard profile (higher priority in the GPO) which is set to use both computer and user certs.  It works but it feels hacky so I'm holding my breath that there's a nicer solution that still allows us to banish EAP-PEAP.