Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

NPS with EAP-TLS/PEAP

  • 1.  NPS with EAP-TLS/PEAP

    Posted Nov 14, 2014 05:51 PM

    We have a deployment with a very tight budget so I had to fall back to using NPS under Windows Server 2012 for the RADIUS service.

     

    I have configured EAP-TLS using the Microsoft Certificate Auto-enrolment service\domain based CA and BYOD utilises a certificate from a public CA.

     

    The NPS rules are as follows:

     

    1.  EAP-TLS\domain computer cert = machine auth role

    2.  EAP-TLS\staff cert = staff role

    3.  EAP-TLS\contractor cert = contractor role

    4.  PEAP\staff AD account = staff BYOD role

    5.  PEAP\contractor AD account = contractor BYOD role

     

    The issue I am having is that staff members and contractors using their personal laptops, so they don't have a user certificate issued by the Microsoft Certificate Auto-enrolment service, are being incorrectly assigned a staff/contractor role rather than a staff BYOD/contractor BYOD role.

     

    Has anybody seen this issue?



  • 2.  RE: NPS with EAP-TLS/PEAP

    EMPLOYEE
    Posted Nov 14, 2014 06:38 PM

    Then you should create AD accounts for contractors and put them in an AD group.  You should then make them use PEAP.



  • 3.  RE: NPS with EAP-TLS/PEAP

    Posted Nov 14, 2014 06:40 PM

    Thanks for the quick reply Colin.

     

    The contractors are in a unique AD group.

     

    The issue I have is that I need to match contractors with a domain device into one role and contractors on their own laptops into another role.  What is confusing me is how a contractor on their own laptop (so no client certificate to match the EAP-TLS rule) can be assigned the contractor (contractor on a domain device) role.



  • 4.  RE: NPS with EAP-TLS/PEAP

    EMPLOYEE
    Posted Nov 14, 2014 06:45 PM

    Unfortunately, since NPS cannot provide differentiated responses based on machine AND user, you probably need to use "Enforce Machine Authentication" on the controller to provide different roles based on:

     

    - If only a user passes authentication

    - If a user and machine passes authentication

    - If only a machine passes authentication.

     

    A significant limitation of Enforce Machine Authentication is that if a device does not pass machine authentication, you can only give them a single role.  If they pass user AND machine authentication, you can give them multiple roles.  It essentially puts people who are on devices that do not pass machine authentication into a single bucket, and users who are on domain machines in a separate bucket.

     

    http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/802.1x/Configuring_802_1x_Authe.htm?Highlight=enforce machine authentication

     

     



  • 5.  RE: NPS with EAP-TLS/PEAP

    Posted Nov 14, 2014 06:50 PM

    Does the WLC support having multiple <machine auth> + <user auth> = <role> rules?  For example:

     

    • <machine auth> + <staff AD account> = staff role
    • <machine auth> + <contractor AD account> = contractor role
    • <machine auth> + <xxxxx AD account> = xxxxx role

    What interests me about this is that the NPS does not appear to be able to distinguish between an EAP-TLS rule with a server certificate signed by a domain CA and a PEAP MSCHAPv2 rule with a server certificate signed by a public CA.



  • 6.  RE: NPS with EAP-TLS/PEAP

    EMPLOYEE
    Posted Nov 14, 2014 06:53 PM

    Yes it does.  If a device passes both user and computer, you can write a derivation rule.

     

    If it only passes computer, it gets the dot1x Enforce Machine Authentication Role

    If it only passes user authentication, it gets the dot1x Enforce Machine Authentication User role.

     

    A device must pass BOTH to do any type of user derivation.  All devices that pass either are limited to a single role.
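    The three buckets described in this reply, modelled in Python as an added example (not code from the original post or from Aruba). The role names are taken from the thread's rule list; the single user-only role, the unauthenticated fallback role and the default role when no derivation rule matches are assumptions.

    ```python
    from dataclasses import dataclass
    from typing import Dict, Optional

    # Roles from the thread's rule list (assumed names for the fallback roles).
    MACHINE_ONLY_ROLE = "Machine_Auth"      # only computer auth passed
    USER_ONLY_ROLE = "BYOD"                 # only user auth passed: ONE role for everyone
    NO_AUTH_ROLE = "logon"                  # neither passed (assumed pre-auth role)
    DEFAULT_DOT1X_ROLE = "authenticated"    # both passed, no derivation rule matched (assumed)

    # User derivation rules: only consulted when BOTH machine and user auth pass.
    DERIVATION_RULES: Dict[str, str] = {
        "Staff": "Staff",
        "Contractor": "Contractor",
    }


    @dataclass(frozen=True)
    class AuthResult:
        machine_passed: bool
        user_passed: bool
        user_group: Optional[str] = None   # AD group of the user, if user auth ran


    def derive_role(result: AuthResult) -> str:
        """Assign a role the way Enforce Machine Authentication is described above."""
        if result.machine_passed and result.user_passed:
            # Both passed: per-group derivation rules apply here and only here.
            return DERIVATION_RULES.get(result.user_group, DEFAULT_DOT1X_ROLE)
        if result.machine_passed:
            return MACHINE_ONLY_ROLE
        if result.user_passed:
            # User-only: the controller cannot split Staff BYOD from Contractor BYOD.
            return USER_ONLY_ROLE
        return NO_AUTH_ROLE


    def thread_scenarios() -> Dict[str, str]:
        """Constructed cases matching the devices discussed in this thread."""
        cases = {
            "domain laptop, staff login": AuthResult(True, True, "Staff"),
            "domain laptop, contractor login": AuthResult(True, True, "Contractor"),
            "domain laptop at logon screen": AuthResult(True, False),
            "personal laptop, staff login": AuthResult(False, True, "Staff"),
            "personal laptop, contractor login": AuthResult(False, True, "Contractor"),
        }
        return {name: derive_role(r) for name, r in cases.items()}
    ```

    The last two cases land in the same role, which is the single-bucket limitation the reply warns about.
    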

     



  • 7.  RE: NPS with EAP-TLS/PEAP

    Posted Nov 15, 2014 01:07 AM

    The current NPS rules are as follows:

     

    1. [EAP-TLS] Domain Computer = Machine_Auth role
    2. [EAP-TLS] Staff AD Group = Staff role
    3. [EAP-TLS] Contractor AD Group = Contractor role
    4. [PEAP] Staff AD Group = Staff_BYOD role
    5. [PEAP] Contractor AD Group = Contractor_BYOD role

    The certificates for EAP-TLS authentication are "distributed" via the Microsoft Certificate Auto-enrolment process so should only be on domain devices.  Therefore BYOD devices should only ever match the [PEAP] rules.

     

    What we are experiencing is that a contractor on their own laptop, for example, will fail machine authentication (so far so good) but somehow the NPS server matches the contractor using rule #3 (even though the contractor's laptop does not have the user certificate for EAP-TLS) and returns the RADIUS attributes for the Contractor role.

     

    I looked into the machine authentication role assignment functionality of the Aruba WLC but I couldn't get the five rules previously described configured.

     

    Has anybody else seen this?  Is this a limitation of NPS?



  • 8.  RE: NPS with EAP-TLS/PEAP

    EMPLOYEE
    Posted Nov 15, 2014 10:22 AM

    Crowdie,

     

    NPS is too limited to combine EAP-PEAP and EAP-TLS without jumping through hoops.  Even if you get it working, if you want to make changes later, you need to jump through more hoops.  NPS is just not a world-class policy engine, so do not expect to have 5 scenarios with mixed EAP types and expect NPS to handle it.  Your best bet is probably to have your domain devices do 802.1x and any other devices (contractors, employees with their own devices) go through the Captive Portal....

     

    I am saying this because getting it working is just the beginning....training employees and contractors to get their devices on an 802.1x network is the other liability with this plan.

     

    Save your time and just have non-company devices go through the captive portal, because NPS is not rich enough as a policy engine to tie domain machines together with who is logging into them.