New Contributor

Two-stage authentication

Hi folks.


I'd like to implement a two-stage authentication (device and user).

My idea is to authenticate devices based on digital certificates and authenticate users based on username/password.

Is it possible to do this in the real world?

Does anyone have experience with this kind of implementation, or could indicate some documentation/guidelines to do this?




Aruba Employee

Re: Two-stage authentication

Basically, you want to terminate EAP-TLS (for certificates) and PEAP for username/password. The controller cannot terminate both. You will need a RADIUS server with the ability to terminate both of these on a single SSID. Right now the best option for that is ClearPass Policy Manager. This is a RADIUS server that terminates both, and you can derive different roles (levels of access to your network) based on the AUTH. E.g., if a machine is authenticated via EAP-TLS but the user is not yet authenticated via PEAP, then grant partial access to your network. If both methods are AUTHed, then grant full access. These are just examples - the roles that are derived based on level of AUTH are entirely customizable. I would recommend working with your Aruba account team to learn more about this.


Re: Two-stage authentication



I'm not sure about other clients but, as far as I know, you can't do that with WZC. You can either use PEAP or EAP-TLS for both machine and user authentication, but you can't have EAP-TLS for machine auth and PEAP for user auth.


If I'm wrong, please tell me how it would be done 'cause it's a nice thing to have.




Samuel Pérez


If I answered your question, please click on "Accept as Solution".
If you find this post useful, give me kudos for it ;)
Guru Elite

Re: Two-stage authentication

ClearPass can tell if a "machine" authenticated before a user on the same device authenticated.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Employee

Re: Two-stage authentication

I would have to look into WZC. But perhaps TLS + PEAP is overkill. I just implemented machine authentication at another customer by checking for the existence of the machine account in AD. If the account exists, the machine is authed and derives a certain level of access to the network. Later, when the user auths via PEAP, a new role can be derived based on the fact that the machine and user both successfully authed.
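The two replies above describe the same policy shape from two angles: machine evidence first (a client certificate over EAP-TLS, or a PEAP host identity whose machine account exists in AD), then a user PEAP authentication on the same device, with a different role derived at each stage. The following Python simulation is an added illustration of that role-derivation logic and is not ClearPass, ArubaOS or any poster's code. The role names, the machine-account list, the use of the client MAC (RADIUS Calling-Station-Id) as the device key and the 8-hour pairing window are all constructed assumptions for the example.

```python
"""Simulated two-stage (machine, then user) role derivation for a RADIUS policy.

Added illustration only: not ClearPass or ArubaOS code. Role names, the
machine-account list and the 8-hour pairing window are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed role names; a real deployment defines its own.
ROLE_REJECT = "reject"
ROLE_MACHINE_ONLY = "machine-only"    # partial access: domain services, no user data
ROLE_USER_ONLY = "user-only"          # user on a device that never did machine auth
ROLE_FULL = "machine-and-user"        # both stages passed on the same device

# Constructed stand-in for "does the machine account exist in AD?" (second reply).
KNOWN_MACHINE_ACCOUNTS = {"host/laptop01.corp.example", "host/laptop02.corp.example"}


@dataclass
class AuthRequest:
    device_id: str   # assumption: client MAC taken from RADIUS Calling-Station-Id
    method: str      # "EAP-TLS" or "PEAP"
    identity: str    # "host/<fqdn>" for machine auth, plain username for user auth
    success: bool    # outcome of the EAP exchange itself
    ts: float        # seconds; an explicit clock keeps the example deterministic


class TwoStagePolicy:
    """Remembers which devices completed machine auth and derives a role per request."""

    def __init__(self, pairing_window_s: float = 8 * 3600):
        self.pairing_window_s = pairing_window_s
        self._machine_auth: dict[str, float] = {}  # device_id -> ts of machine auth

    def _is_machine_auth(self, req: AuthRequest) -> bool:
        # Two kinds of machine evidence, matching the two replies in the thread:
        # a client certificate over EAP-TLS, or a PEAP host identity whose
        # machine account exists in the directory.
        if not req.identity.startswith("host/"):
            return False
        if req.method == "EAP-TLS":
            return True
        return req.method == "PEAP" and req.identity in KNOWN_MACHINE_ACCOUNTS

    def derive_role(self, req: AuthRequest) -> str:
        if not req.success:
            return ROLE_REJECT
        if self._is_machine_auth(req):
            self._machine_auth[req.device_id] = req.ts
            return ROLE_MACHINE_ONLY
        # User authentication: look for a recent machine auth on the same device.
        seen = self._machine_auth.get(req.device_id)
        if seen is not None and 0 <= req.ts - seen <= self.pairing_window_s:
            return ROLE_FULL
        return ROLE_USER_ONLY


def run_scenario() -> list[str]:
    """Constructed event sequence: boot-time machine auth then user logon (full),
    a user on a device with no machine auth (user-only), an AD-backed machine auth
    followed by a user logon outside the pairing window (user-only), and a PEAP
    host identity with no matching machine account (treated as user-only)."""
    policy = TwoStagePolicy()
    events = [
        AuthRequest("aa:bb:cc:00:00:01", "EAP-TLS", "host/laptop01.corp.example", True, 100),
        AuthRequest("aa:bb:cc:00:00:01", "PEAP", "alice", True, 160),
        AuthRequest("aa:bb:cc:00:00:02", "PEAP", "bob", True, 200),
        AuthRequest("aa:bb:cc:00:00:03", "PEAP", "host/laptop02.corp.example", True, 300),
        AuthRequest("aa:bb:cc:00:00:03", "PEAP", "carol", True, 300 + 9 * 3600),
        AuthRequest("aa:bb:cc:00:00:04", "PEAP", "host/unknown.example", True, 400),
    ]
    return [policy.derive_role(e) for e in events]


if __name__ == "__main__":
    for role in run_scenario():
        print(role)
```

The pairing window is the part worth thinking about in a real policy: the machine-auth record is keyed on the device, so without an expiry a device that authenticated once at boot would keep granting the full role to any later user session on that MAC. A RADIUS server that does this natively keeps the equivalent state in its endpoint or session database rather than in memory.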
