Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

User or Computer certificate - change to computer only?

  • 1.  User or Computer certificate - change to computer only?

    Posted Jan 29, 2018 09:57 AM

    We've been using User or Computer certificate to authenticate our users and computers for some time now. For several months our first time users would receive their user certificates fast enough that they would be able to remain connected from their initial connection using the computer certificate.

     

    We are now seeing that our first time users are no longer receiving this certificate fast enough, and are being disconnected, unable to receive the user certificate. Most of our computers are multi user devices, so now I need to make a choice to avoid this chicken and egg scenario.

     

    The visibility and ability to segment users based off roles is excellent from the user certificate side, but they wouldn't be able to sign in without being wired first. If I was to change to computer only certificate, this would work, but we'd lose some of the visibility.

     

    If I were to change to computer only certificate is there a good method to get visibility into the user AD information?

     

    What solutions have others used for this scenario?

     

    Thanks

     



  • 2.  RE: User or Computer certificate - change to computer only?

    EMPLOYEE
    Posted Jan 29, 2018 10:09 AM

    There is not a way to gain user visibility into a device when using computer-only certificates without severely hampering usability (e.g. captive portal after initial connection).

     

    Unfortunately, computer-only is the only way out of the chicken-and-egg scenario.  This pretty much aligns the behavior and security posture of a multi-user wired computer.



  • 3.  RE: User or Computer certificate - change to computer only?

    Posted Jan 29, 2018 10:21 AM

    Would you then use AD auditing and firewalling to change access on your east-west traffic?

     

    AD auditing for us causes too much of a slow down, and we aren't currently poised for east-west firewalling yet, only edge firewall currently.

     

    I'm trying to investigate the best options for our micro segmentation in the short term.



  • 4.  RE: User or Computer certificate - change to computer only?

    EMPLOYEE
    Posted Jan 29, 2018 10:31 AM

    What do you do for your wired multi-user Windows computers?



  • 5.  RE: User or Computer certificate - change to computer only?

    Posted Jan 29, 2018 10:43 AM

    I haven't applied NAC to our wired users yet, I'm doing manual VLAN assignment right now, and letting AD do all the work. Just our wireless is using 1x, so cell phones and some laptops that aren't used in production. GPO is set up for user/computer certificates and authentication for all domain devices, but not used by most devices.

     

    Wired NAC is being worked on currently. It's hard to get management to understand very high security reduces some accessibility, so I'm trying to give them the best of both worlds.

     



  • 6.  RE: User or Computer certificate - change to computer only?

    EMPLOYEE
    Posted Jan 29, 2018 10:44 AM

    If user and computer is required, PEAPv0/EAP-MSCHAPv2 with a locked down supplicant is recommended.

     

    If certs are an absolute requirement, you can use computer only with a certificate and then use the OnGuard agent in auth only mode with Windows Single Sign-On to pass through the user session information.



  • 7.  RE: User or Computer certificate - change to computer only?

    Posted Jan 29, 2018 11:12 AM

    I've been considering OnGuard for our non production computers, and having it deployed will be beneficial if/when we move to BYOD. I see the 2015 technote, but is there a document on deploying the OnGuard persistent agent with GPO I can reference, as well as through an MDM to our phones?

     

    PEAPv0/EAP-MSCHAPv2 is a good solution, we've been wanting to use our existing certificate infrastructure as certs are considered generally more secure, but not necessarily mandatory for us.



  • 8.  RE: User or Computer certificate - change to computer only?
    Best Answer

    EMPLOYEE
    Posted Jan 29, 2018 11:39 AM

    This workflow would only apply to Windows. macOS does not support Windows SSO and OnGuard does not run on mobile devices.

     

    OnGuard is provided as a standard MSI so you can deploy with whichever tool you prefer.

     

    Regarding PEAPv0/EAP-MSCHAPv2, the security risks are greatly reduced when the supplicant is managed via GPO or other EMM options.



  • 9.  RE: User or Computer certificate - change to computer only?

    Posted Feb 07, 2018 09:20 AM

    I need a bit more help understanding some of the behaviour.

     

    When set up on "user or computer authentication" the computer is authenticated and connected to the network prior to login. The first time user then signs in successfully. During sign in they are pushed their profile successfully, except for the user certificate. Why isn't the certificate pushed with GPO during this time frame, prior to Windows changing to the user authentication side?



  • 10.  RE: User or Computer certificate - change to computer only?
    Best Answer

    EMPLOYEE
    Posted Feb 07, 2018 09:38 AM
    The client will not request the certificate until the session changes to User.
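An added diagnostic for the race described in the two posts above; it is not code from this thread or from HPE Aruba. Run on the Windows client, it lists the Client Authentication certificates present in the machine and user personal stores, so an admin can see whether the user certificate has actually arrived before the supplicant switches to user authentication. The store paths and the EKU OID are standard Windows values; the warning text is constructed here.

```powershell
# Added example, not code from the thread or from HPE Aruba.
# Lists Client Authentication certificates in the machine and user personal stores
# so an admin can see whether a first-time user has received a user certificate yet.
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, the EKU an EAP-TLS supplicant looks for

function Get-EapTlsCandidate {
    param([Parameter(Mandatory)][ValidateSet('LocalMachine', 'CurrentUser')][string]$Store)

    Get-ChildItem -Path "Cert:\$Store\My" |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthEku })
        } |
        Select-Object @{ Name = 'Store'; Expression = { $Store } },
                      Subject, Issuer, NotAfter, Thumbprint
}

$machineCerts = @(Get-EapTlsCandidate -Store 'LocalMachine')
$userCerts    = @(Get-EapTlsCandidate -Store 'CurrentUser')

# Show the state the thread is asking about: the machine side can authenticate
# (computer certificate present) while the user side cannot (no user certificate yet).
$machineCerts + $userCerts | Format-Table -AutoSize

if ($machineCerts.Count -eq 0) {
    Write-Warning 'No usable computer certificate: pre-logon computer authentication will fail.'
}
if ($userCerts.Count -eq 0) {
    Write-Warning 'No usable user certificate yet: a "User or Computer" profile will drop the link at logon.'
    # Autoenrollment is only requested once the user session exists; this nudges it.
    # (certutil -pulse is a standard Windows command and needs the user to be logged on.)
    certutil -pulse | Out-Null
}
```

Run it once as the affected user shortly after first logon; if the user store stays empty while the machine store is populated, the disconnect is the enrollment timing described above rather than a ClearPass policy problem.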


  • 11.  RE: User or Computer certificate - change to computer only?

    Posted Feb 07, 2018 09:50 AM

    I thought it might be something like that.

    I'd like to learn more about Windows behaviour for this transaction, do you have any material I can read on? I'm looking through TechNet right now for more details.



  • 12.  RE: User or Computer certificate - change to computer only?

    EMPLOYEE
    Posted Feb 07, 2018 09:54 AM
    There is literally no information on it unfortunately.