Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Two-stage authentication

  • 1.  Two-stage authentication

    Posted Aug 01, 2012 08:01 AM

    Hi folks.

    I'd like to implement a two-stage authentication (device and user).

    My idea is to authenticate devices based on digital certificates and authenticate users based on username/password.

    Is it possible to do this in the real world?

    Does anyone have experience with this kind of implementation, or could anyone indicate some documentation/guidelines to do this?

    Regards.

    Ricardo.



  • 2.  RE: Two-stage authentication

    Posted Aug 01, 2012 09:13 AM

    Basically, you want to terminate EAP-TLS (for certificates) and PEAP (for username/password). The controller cannot terminate both. You will need a RADIUS server with the ability to terminate both of these on a single SSID. Right now the best option for that is ClearPass Policy Manager. This is a RADIUS server that terminates both, and you can derive different roles (levels of access to your network) based on the AUTH. E.g., if a machine is authenticated via EAP-TLS but the user is not yet authenticated via PEAP, then grant partial access to your network. If both methods are AUTHed, then grant full access. These are just examples - the roles that are derived based on level of AUTH are entirely customizable. I would recommend working with your Aruba account team to learn more about this.



  • 3.  RE: Two-stage authentication

    EMPLOYEE
    Posted Aug 02, 2012 08:19 PM

    Hello

    I'm not sure about other clients but, as far as I know, you can't do that with WZC. You can either use PEAP or EAP-TLS for both machine and user authentication, but you can't have EAP-TLS for machine auth and PEAP for user auth.

    If I'm wrong, please tell me how it would be done 'cause it's a nice thing to have.

    Regards



  • 4.  RE: Two-stage authentication

    EMPLOYEE
    Posted Aug 02, 2012 08:29 PM

    ClearPass can tell if a "machine" authenticated before a user on the same device authenticated.




  • 5.  RE: Two-stage authentication

    Posted Aug 03, 2012 03:42 PM

    I would have to look into WZC. But perhaps TLS + PEAP is overkill. I just implemented machine authentication at another customer by checking for the existence of the machine account in AD. If the account exists, the machine is authed and derives a certain level of access to the network. Later, when the user auths via PEAP, a new role can be derived based on the fact that the machine and user both successfully authed.
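The role derivation described in replies 2, 4 and 5 (machine authenticates first, user authenticates second, and the role granted to the user depends on whether the same device already passed machine authentication) can be made concrete with a small policy model. The following Python is an added illustration written for this thread; it is not ClearPass code and not any poster's configuration. It assumes that a device is tracked by its MAC address (Calling-Station-Id), that a machine authentication only pairs with a user login for an assumed window of `MACHINE_AUTH_TTL` seconds, that the directory lookup from reply 5 is a constructed in-memory set standing in for an AD query, and that the role names are invented for the model.

```python
"""Model of machine-then-user role derivation for 802.1X (added illustration, not
ClearPass code).  Per-MAC state lets a later user authentication be correlated
with an earlier machine authentication on the same device, which is the
behaviour reply 4 attributes to ClearPass."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample of machine (host) accounts that exist in the directory;
# stands in for the AD existence check described in reply 5.
KNOWN_MACHINE_ACCOUNTS = {"host/laptop01.corp.example", "host/laptop02.corp.example"}

# Assumed window (seconds) within which a user login still counts as following
# the device's machine authentication.
MACHINE_AUTH_TTL = 8 * 3600

# Role names are constructed for this model; in a real deployment they are whatever you define.
ROLE_REJECT = "REJECT"
ROLE_MACHINE_ONLY = "machine-only"  # partial access: device proven, nobody logged in yet
ROLE_USER_ONLY = "user-only"        # partial access: user proven on an unproven device
ROLE_FULL = "full-access"           # both stages succeeded on the same device


@dataclass
class AuthRequest:
    mac: str                   # client MAC (Calling-Station-Id)
    method: str                # "EAP-TLS" or "PEAP"
    identity: str              # certificate subject, host account, or user name
    at: int                    # request time, seconds
    cert_valid: bool = False   # outcome of certificate chain/revocation validation (EAP-TLS)
    password_ok: bool = False  # outcome of the password check against the directory (PEAP)


@dataclass
class EndpointState:
    machine_authed_at: Optional[int] = None


class PolicyEngine:
    """Keeps per-MAC state so a user auth can be correlated with an earlier machine auth."""

    def __init__(self) -> None:
        self.endpoints: Dict[str, EndpointState] = {}

    @staticmethod
    def is_machine_identity(identity: str) -> bool:
        # Windows presents the computer account as host/<fqdn> during machine auth.
        return identity.startswith("host/")

    def evaluate(self, req: AuthRequest) -> str:
        state = self.endpoints.setdefault(req.mac, EndpointState())

        if req.method == "EAP-TLS":
            # Stage 1 as the original question proposes: the device proves itself with a certificate.
            if not req.cert_valid:
                return ROLE_REJECT
            state.machine_authed_at = req.at
            return ROLE_MACHINE_ONLY

        if req.method == "PEAP":
            if self.is_machine_identity(req.identity):
                # Stage 1 as reply 5 describes: accept the machine only if its account exists.
                if req.identity not in KNOWN_MACHINE_ACCOUNTS or not req.password_ok:
                    return ROLE_REJECT
                state.machine_authed_at = req.at
                return ROLE_MACHINE_ONLY

            # Stage 2: user password login; the role depends on whether this MAC did stage 1 recently.
            if not req.password_ok:
                return ROLE_REJECT
            recent = (
                state.machine_authed_at is not None
                and 0 <= req.at - state.machine_authed_at <= MACHINE_AUTH_TTL
            )
            return ROLE_FULL if recent else ROLE_USER_ONLY

        return ROLE_REJECT  # any other method is outside this model


def run_demo():
    """Replays a constructed request sequence; returns (mac, identity, role) tuples."""
    engine = PolicyEngine()
    t0 = 1_343_808_000  # constructed timestamp
    requests = [
        AuthRequest("aa:bb:cc:dd:ee:01", "EAP-TLS", "CN=laptop01", t0, cert_valid=True),
        AuthRequest("aa:bb:cc:dd:ee:01", "PEAP", "ricardo", t0 + 60, password_ok=True),
        AuthRequest("aa:bb:cc:dd:ee:02", "PEAP", "alice", t0, password_ok=True),
        AuthRequest("aa:bb:cc:dd:ee:03", "PEAP", "host/laptop02.corp.example", t0, password_ok=True),
        AuthRequest("aa:bb:cc:dd:ee:04", "PEAP", "host/unknown.corp.example", t0, password_ok=True),
        AuthRequest("aa:bb:cc:dd:ee:01", "PEAP", "ricardo", t0 + MACHINE_AUTH_TTL + 1, password_ok=True),
    ]
    return [(r.mac, r.identity, engine.evaluate(r)) for r in requests]


if __name__ == "__main__":
    for mac, identity, role in run_demo():
        print(f"{mac}  {identity:<30} -> {role}")
```

The correlation key is the device's MAC, so the "machine authenticated before the user" condition is a property of the endpoint, not of the user's credentials: a valid user login from a device that never passed stage 1 lands in the partial role, and a stage-1 record older than the assumed window no longer promotes the user to full access.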