Help me figure out how to classify requests to these services with different EAP-TLS methods?
05-28-2020 08:09 PM
I want to have 2 services, but I'm having trouble figuring out how to classify the incoming requests to each service.
The called-station SSID is the same, and the NAD IP, SSID, etc. are the same, so I am finding it difficult to classify the service.
The only difference between the services (which is why I need 2) will be that one uses the standard EAP-TLS method and the other uses a custom EAP-TLS method with "Authorization Required" unticked. This custom one is used to authenticate clients against Microsoft Intune, as shown by Mitchell in this YouTube video. I tried adding both EAP-TLS methods to the same Service but got an error.
So in total I will have 3 types of devices connecting to this same SSID on same NAD:
1. AD-managed device with username authentication using EAP-MSCHAPv2 and Active Directory as the source
2. AD-managed device with certificate authentication using normal EAP-TLS and Active Directory as the source
3. Intune-managed device with Intune Extension authentication using the special EAP-TLS method with "Authorization Required" unticked
The way I have things set up currently, I don't think I will ever see the request 'fall through' and match the next service in the list, because it is matching the first service despite the wrong authentication method.
Any ideas are welcome.
Re: Help me figure out how to classify requests to these services with different EAP-TLS methods?
05-28-2020 08:55 PM
Use a single service with PEAPv0/EAP-MSCHAPv2 and EAP-TLS with authorization disabled, and handle any authorization logic in your enforcement policy.