Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Eap tls and domain check

  • 1.  Eap tls and domain check

    Posted Jul 17, 2019 12:53 PM
    Hi,

    I have three types of endpoints: Windows, macOS and Linux. In my EAP-TLS service I have authorization configured as Active Directory.

    The point here is my Windows machines are all part of the domain, but macOS and Linux are not.

    However, all three machines have a CA-issued certificate.

    So within the same service, can I skip the AD check for macOS and Linux but do the check for Windows?



  • 2.  RE: Eap tls and domain check

    EMPLOYEE
    Posted Jul 17, 2019 12:59 PM
    Disable authorization in the EAP method.


  • 3.  RE: Eap tls and domain check

    Posted Jul 17, 2019 01:03 PM
    But that will disable it for Windows as well, which is what we don't want.

    We want the AD check for Windows.


  • 4.  RE: Eap tls and domain check

    EMPLOYEE
    Posted Jul 17, 2019 01:10 PM
    You can still use AD data in the authorization phase of the service.


  • 5.  RE: Eap tls and domain check

    Posted Jul 17, 2019 01:14 PM
    Sorry Tim for asking again.

    But how does it work? This means authorization is optional if we disable it in the EAP method.

    We want to make it mandatory for Windows but not for macOS and Linux, so how will it be distinguished?


  • 6.  RE: Eap tls and domain check

    EMPLOYEE
    Posted Jul 17, 2019 01:17 PM
    The EAP method is just to check if a user exists. You can do that logic further in the process during role mapping or enforcement.


  • 7.  RE: Eap tls and domain check

    Posted Jul 17, 2019 01:27 PM
    We are not using role mapping.

    We have one rule configured which says:

    Machine authenticated: allow access profile.

    Can you provide a guideline or some way how to make the AD check mandatory for Windows?



  • 8.  RE: Eap tls and domain check

    EMPLOYEE
    Posted Jul 17, 2019 07:02 PM

    Are Windows clients using a machine cert for authentication?

    If yes, you may try creating a new service copied from the existing one, add an additional service rule like below, allow authorization in the new service and disable it in the existing service.


    Authentication >> Full-Username >> CONTAINS >> host\


    The new service should be ordered above the existing one to process auth requests from Windows machines.
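To make the ordering point concrete, here is an added example (not ClearPass code and not from anyone in this thread) that models how a policy server walks an ordered list of services and selects the first one whose rules all match. It uses the attribute and operator from the suggested rule (`Authentication:Full-Username CONTAINS host\`), plus an assumed `Connection:Protocol EQUALS RADIUS` base rule and constructed placeholder usernames; the exact form of the username your Windows clients present is something to verify on your own deployment before relying on it.

```python
from dataclasses import dataclass

# Constructed model of ordered service selection (not HPE Aruba code).


@dataclass(frozen=True)
class Service:
    name: str
    rules: tuple          # (attribute, operator, value) triples; ALL must match
    authorization: bool   # True = AD authorization enforced in this service


def rule_matches(request: dict, rule: tuple) -> bool:
    """Evaluate one service rule against a request's attributes."""
    attribute, operator, value = rule
    actual = request.get(attribute, "")
    if operator == "CONTAINS":
        return value in actual
    if operator == "EQUALS":
        return actual == value
    raise ValueError(f"unsupported operator: {operator}")


def select_service(services, request):
    """The first service (in configured order) whose rules all match wins;
    services below it are never consulted for that request."""
    for service in services:
        if all(rule_matches(request, rule) for rule in service.rules):
            return service
    return None


MACHINE_PREFIX = "host\\"  # the literal from the rule suggested in the thread

# The two services from the thread: the copied Windows-only service ordered
# first, and the original service (authorization disabled) as the catch-all.
SERVICES = (
    Service(
        name="EAP-TLS Windows machines (AD authorization on)",
        rules=(
            ("Connection:Protocol", "EQUALS", "RADIUS"),  # assumed base rule
            ("Authentication:Full-Username", "CONTAINS", MACHINE_PREFIX),
        ),
        authorization=True,
    ),
    Service(
        name="EAP-TLS all endpoints (AD authorization off)",
        rules=(("Connection:Protocol", "EQUALS", "RADIUS"),),
        authorization=False,
    ),
)

# Constructed sample requests; usernames are placeholders, not real clients.
SAMPLE_REQUESTS = {
    "windows": {"Connection:Protocol": "RADIUS",
                "Authentication:Full-Username": "host\\WIN-LAPTOP-01.example.test"},
    "macos":   {"Connection:Protocol": "RADIUS",
                "Authentication:Full-Username": "macbook-01.example.test"},
    "linux":   {"Connection:Protocol": "RADIUS",
                "Authentication:Full-Username": "build-node-01.example.test"},
}


def classify(services=SERVICES, requests=SAMPLE_REQUESTS):
    """Map each sample endpoint to (selected service name, authorization flag)."""
    result = {}
    for label, request in requests.items():
        service = select_service(services, request)
        result[label] = (service.name, service.authorization) if service else (None, None)
    return result


if __name__ == "__main__":
    print("Windows service on top:")
    for label, (name, authz) in classify().items():
        print(f"  {label:8s} -> {name}  authorization={authz}")
    # Reversing the order shows why the Windows service must sit above the
    # catch-all: the catch-all matches every request, Windows machines included.
    print("Catch-all on top:")
    for label, (name, authz) in classify(services=tuple(reversed(SERVICES))).items():
        print(f"  {label:8s} -> {name}  authorization={authz}")
```

With the Windows service first, only requests whose username contains the machine prefix land in the service with authorization enabled; macOS and Linux requests fail that rule and fall through to the catch-all, which is the behaviour the suggestion relies on. With the order reversed, every request is caught by the first service and the Windows-specific one is never reached.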



  • 9.  RE: Eap tls and domain check

    Posted Jul 18, 2019 03:57 AM

    Hi Sarvanan,


    Even if I create a new service on top of the existing one, the Linux and macOS machines will still hit the first rule and not the 2nd??



  • 10.  RE: Eap tls and domain check

    EMPLOYEE
    Posted Jul 18, 2019 01:32 PM

    Hi,


    Can't the Windows machine auth be distinguished from Mac and Linux authentication based on the username?


    Could you share your current service rules and a sample authentication username (cert CN) from Windows vs Mac/Linux?