Hi Guys,
I have a client who wants to enforce the use of corporate devices (Windows 7) on a particular SSID using IAPs and CPPM.
We're currently solving this using Machine Authentication on the devices, followed by EAP-PEAP for User Authentication - in CPPM we don't allow the user auth to be accepted unless the device MAC Address is already assigned a specific Machine Authentication role.
This works fine; however, the Machine Authentication is pretty weak, e.g. it's pretty much the Machine Name being sent and validated by Active Directory.
What we'd like is to validate the Machine Auth via EAP-TLS and then the User via EAP-PEAP, and again only allow the user in if their MAC is already an authenticated machine.
I am painfully aware that the Windows 7 supplicant is not capable of performing these two different EAP methods on both Machine and User auth; however, I was wondering what alternative supplicants people are using/recommend for this task?
I have had a look at:
XSupplicant - Free, but doesn't seem to install on Windows 7, so unsure if it can do the above
Juniper Odyssey - Licensed, supports dual EAP methods
Cisco AnyConnect - Licensed, unsure if it supports dual EAP methods
Others?
Cheers,
Ben