Occasional Contributor II

Help me figure out how to classify requests to these services with different EAP-TLS methods?

I want to have 2 services, but I'm having trouble figuring out how to classify the incoming requests to each service.


The called-station SSID is the same, and the NAD IP, SSID, etc. are the same, so I am finding it difficult to classify the service.


The only difference between the services (which is why I need 2) will be that one uses the standard EAP-TLS method and the other uses a custom EAP-TLS method with "Authorization Required" unticked. This custom one is used to authenticate clients against Microsoft Intune, as shown by Mitchell in this YouTube video. I tried adding both EAP-TLS methods to the same service but got an error.


So in total I will have 3 types of devices connecting to this same SSID on same NAD:

Service #1

1. AD-managed device with username authentication against EAP-MSCHAPv2 and Active Directory as source

2. AD-managed device with certificate authentication against normal EAP-TLS and Active Directory as source

Service #2

3. Intune-managed device with Intune Extension authentication against the special EAP-TLS method with "Authorization Required" unticked.


The way I have things set up currently I don't think I will ever see the request just 'fail-through' and match the next service in the list, because it is matching the first service despite the wrong Authentication Method.


Any ideas are welcome.

Contributor II

Re: Help me figure out how to classify requests to these services with different EAP-TLS methods?

Use a single service with PEAPv0/EAP-MSCHAPv2 and EAP-TLS with authorization disabled and handle any authorization logic in your enforcement policy. 
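As an added illustration of why the single-service approach above is the workable one (this is example code written for this thread, not ClearPass configuration or anything from the original posters): in EAP over RADIUS the NAD's first Access-Request carries only EAP-Response/Identity; the EAP method (standard or custom EAP-TLS) is negotiated afterwards, so the attributes available when a request is classified into a service (NAS-IP-Address, Called-Station-Id with the SSID, User-Name) are identical for the AD-managed and Intune-managed devices. The script below builds two such requests with constructed placeholder values (NAD IP, MAC, SSID and identities are all made up) and shows that the classification view is the same for both and that no EAP method type is present yet. It assumes, as the thread implies, that service classification is evaluated on that first request.

```python
import struct

# RADIUS attribute type codes (RFC 2865 / RFC 2869)
USER_NAME = 1
NAS_IP_ADDRESS = 4
CALLED_STATION_ID = 30
EAP_MESSAGE = 79

# EAP codes and method types (RFC 3748 / RFC 5216)
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TLS = 13


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type | Length | Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_identity_response(identity: bytes, eap_id: int = 1) -> bytes:
    """EAP-Response/Identity: Code=2, Identifier, Length, Type=1, identity string."""
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


def eap_tls_response_fragment(eap_id: int = 2) -> bytes:
    """Constructed EAP-Response/EAP-TLS packet (flags byte only), as seen
    later in the exchange once the method has been negotiated."""
    return struct.pack("!BBHBB", EAP_RESPONSE, eap_id, 6, EAP_TYPE_TLS, 0x00)


def first_access_request(identity: bytes, nas_ip: str, called_station: bytes) -> bytes:
    """Attribute list of the first Access-Request a NAD sends for a new client.
    Only the attribute list is modelled; the RADIUS header is omitted."""
    ip = bytes(int(octet) for octet in nas_ip.split("."))
    return (radius_attr(USER_NAME, identity)
            + radius_attr(NAS_IP_ADDRESS, ip)
            + radius_attr(CALLED_STATION_ID, called_station)
            + radius_attr(EAP_MESSAGE, eap_identity_response(identity)))


def parse_attrs(data: bytes) -> dict:
    """Split a RADIUS attribute list into {type: [value, ...]}."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.setdefault(attr_type, []).append(data[i + 2:i + length])
        i += length
    return attrs


def classification_view(attrs: dict) -> dict:
    """The request attributes a service rule can match on at classification time."""
    nas = attrs[NAS_IP_ADDRESS][0]
    return {
        "NAS-IP-Address": ".".join(str(b) for b in nas),
        "Called-Station-Id": b"".join(attrs[CALLED_STATION_ID]).decode(),
    }


def eap_method_in(attrs: dict):
    """Return the EAP method type carried in EAP-Message, or None when the
    packet is still EAP-Response/Identity (no method chosen yet)."""
    eap = b"".join(attrs.get(EAP_MESSAGE, []))
    code, _ident, _length, eap_type = struct.unpack("!BBHB", eap[:5])
    if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY:
        return None
    return eap_type


def demo() -> dict:
    """Two clients on the same NAD and SSID (constructed values)."""
    ad_device = parse_attrs(first_access_request(
        b"host/pc1.corp.example", "10.0.0.5", b"00-11-22-33-44-55:Corp-WiFi"))
    intune_device = parse_attrs(first_access_request(
        b"user@corp.example", "10.0.0.5", b"00-11-22-33-44-55:Corp-WiFi"))
    later = parse_attrs(radius_attr(EAP_MESSAGE, eap_tls_response_fragment()))
    return {
        "same_classification": classification_view(ad_device) == classification_view(intune_device),
        "method_in_first_request": eap_method_in(ad_device),
        "method_once_negotiated": eap_method_in(later),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the method type (13 for EAP-TLS) only shows up in later packets, the service rule has nothing to distinguish the two populations on; putting both methods in one service and doing the per-population decisions in role mapping or the enforcement policy is the natural fit.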

Occasional Contributor II

Re: Help me figure out how to classify requests to these services with different EAP-TLS methods?

Thanks, I will try this and report back here.
