Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

EAP-TLS User or computer authentication in windows 7

  • 1.  EAP-TLS User or computer authentication in windows 7

    Posted Mar 02, 2015 05:53 PM

    Hello guys,

     

    I have a question regarding EAP-TLS authentication in windows 7.

     

    We have students connecting to our network with domain computers.

    Sometimes the teachers, for different reasons, want to block the students' Internet connection.

    The teachers have a web interface where they can choose which students/class they want to block, and then those students are moved to an Active Directory group ("CLOSE-INTERNET"). Today we achieve this with a proxy server and Active Directory, where all clients have to authenticate with their domain credentials.

     

    Now we want to move away from using a proxy, and make Aruba ClearPass and the Aruba Mobility Controller do this job.

    To achieve this, we have configured the student computers to authenticate with 802.1X "User or computer authentication", and we are deploying machine and user certificates through Group Policy and a Windows certificate authority server. This way we can see which user is logged on to the computer on the AMC, and the computer endpoint has the correct username attribute in ClearPass. So far so good.

     

    After testing this for a while, I see that users who log on to the computer for the first time get disconnected from the network after logging into Windows. I was thinking the user certificate was deployed when the user was logging on to Windows, but this does not work. The computer gets online after it boots up, some seconds after the user has typed in the credentials and pushed Enter (using the machine certificate); then it suddenly drops the connection, because the Group Policy is set to switch to the user certificate.

     

    Has anyone else experienced this problem, and solved it? Is it even possible?

    Does anyone have a workaround?

     

    I know it will work if we put the PC on a non-802.1X switch port and have the user log on, but with over 10000 students and very few switch ports, that is not a good enough solution.

     

    I appreciate any help on this!



  • 2.  RE: EAP-TLS User or computer authentication in windows 7

    EMPLOYEE
    Posted Mar 02, 2015 05:55 PM
    Do you see the user authentication request in ClearPass?


    Thanks,
    Tim


  • 3.  RE: EAP-TLS User or computer authentication in windows 7

    Posted Mar 02, 2015 06:00 PM

    No, the user has nothing to authenticate with, so there is no request in ClearPass.



  • 4.  RE: EAP-TLS User or computer authentication in windows 7

    EMPLOYEE
    Posted Mar 02, 2015 06:23 PM
    After login, can you confirm that there is a user certificate in the user's cert store?


    Thanks,
    Tim


  • 5.  RE: EAP-TLS User or computer authentication in windows 7

    Posted Mar 03, 2015 03:52 AM

    No, there is not a user cert in the user's certificate store; that is the main problem here: the authentication method is switched from computer to user before a user certificate is issued.
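    The check the two replies above are circling around, as an added example written for this thread rather than something posted in it: a PowerShell script, run in the context of the logged-on user on a domain Windows client, that looks for a certificate the EAP-TLS supplicant could actually use for user authentication (in the user's personal store, with a private key, currently valid, carrying the Client Authentication EKU and chaining to a trusted root). If none is found, it pulses certificate autoenrollment so the user certificate is requested while the machine-authenticated connection still provides reachability to the CA. It assumes (not stated in the thread) that the user certificate template includes the Client Authentication EKU and that autoenrollment for the user is configured by Group Policy.

```powershell
# Added example, not from the thread or from HPE Aruba. Diagnose whether the current
# user holds a certificate usable for EAP-TLS user authentication, and if not,
# trigger autoenrollment now rather than waiting for the next Group Policy refresh.
# Assumptions: the user template carries the Client Authentication EKU and user
# autoenrollment is enabled by Group Policy.

$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, required by the Windows EAP-TLS supplicant

function Test-HasClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Walk the certificate's extensions and look for the Client Authentication purpose
    # inside the Enhanced Key Usage extension.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $ClientAuthEku) { return $true }
            }
        }
    }
    return $false
}

function Get-EapTlsUserCertificate {
    # Candidate certificates must sit in CurrentUser\My with a private key, be inside
    # their validity period, carry the client-auth EKU and build a trusted chain
    # (Verify() performs the chain build and revocation check with default policy).
    $now = Get-Date
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        (Test-HasClientAuthEku -Cert $_) -and
        $_.Verify()
    }
}

function Test-EapTlsUserReady {
    $certs = @(Get-EapTlsUserCertificate)
    if ($certs.Count -gt 0) {
        $certs | Format-Table Subject, NotAfter, Thumbprint -AutoSize | Out-Host
        return $true
    }

    Write-Warning 'No valid Client Authentication certificate in CurrentUser\My; switching to user authentication will fail.'
    # Ask the autoenrollment engine to run for the current user right now. This only
    # helps while the machine-authenticated session still reaches the CA.
    certutil.exe -user -pulse | Out-Null
    return $false
}

Test-EapTlsUserReady
```

    Running this in the user's logon script (before the supplicant switches to user authentication) turns the "user has nothing to authenticate with" case from a silent disconnect into a warning and an enrollment attempt; the return value makes it easy to log which clients hit the chicken-and-egg state.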



  • 6.  RE: EAP-TLS User or computer authentication in windows 7
    Best Answer

    EMPLOYEE
    Posted Mar 03, 2015 07:41 AM

    Armyboy,

     

    It is not advised to use EAP-TLS with user authentication for multi-user devices due to the chicken-and-egg scenario that you are now experiencing. New users who have never logged in will not have a certificate, because their connection depends on a certificate they do not have yet. The distribution of that certificate also relies on a user connection that cannot be completed without a certificate. You should use EAP-PEAP instead in an environment with multi-user devices.

     

    I would say use machine-only authentication with EAP-TLS, but the user authentication would not be seen or recorded in ClearPass and the teacher would not be able to differentiate users.



  • 7.  RE: EAP-TLS User or computer authentication in windows 7

    Posted Mar 03, 2015 01:13 PM

    Thank you for clarifying that cjoseph.

     

    What do you think about the following workaround:

    We have two SSIDs, one with computer and user authentication (EAP-TLS), and one (hidden?) with computer only.

    If the client doesn't have a user certificate, it will connect to the computer-auth SSID and stay there until it has received the user certificate from the CA. Then, when the client has what it needs to use the computer and user auth SSID, it will reconnect to it.

    I think this would be possible to do with group policy, but I will have to test it in my lab.

     

    Any thoughts on this solution?



  • 8.  RE: EAP-TLS User or computer authentication in windows 7

    EMPLOYEE
    Posted Mar 04, 2015 07:57 AM

    Armyboy,

     

    It would not work that way. There is no way for the infrastructure to force a computer to go from one SSID to another. Having two SSIDs makes it too complicated. I would just use machine-only authentication if you absolutely need to use EAP-TLS.

     



  • 9.  RE: EAP-TLS User or computer authentication in windows 7

    Posted Jun 08, 2015 05:44 AM

    This was the final solution for this problem:

     

    In the Windows Group Policy:

    Enable single sign-on for this network

    Perform immediately before user logon

    Max delay for connectivity: 60 seconds

     

     

    On the controller I changed the following settings:

    Number of times ID-Requests are retried: from 5 to 10

    Maximum Number of Reauthentication Attempts: from 3 to 10

    Quiet Period after Failed Authentication: from 30 to 5 seconds

     

    This has been in production for about two months now and is working well. In most cases the user gets the user certificate while connecting with the machine certificate; sometimes the computer has to be restarted to make it work.
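    A way to verify that the Group Policy side of this fix actually reached a client, as an added example that is not part of the thread: the wireless profile Windows applies is an XML document whose OneX section carries the 802.1X settings, including the authentication mode and the single sign-on block ("Perform immediately before user logon" appears as singleSignOn type preLogon, and the connectivity delay as maxDelay). The function below parses such a profile and reports whether it matches the settings the poster describes. The profile XML embedded here is constructed for the example; on a real client, `netsh wlan export profile name="<SSID>" folder=<dir>` writes a file of the same shape that can be fed to the function instead.

```powershell
# Added example, not from the thread or from HPE Aruba. Check that a Windows wireless
# profile carries user-or-computer authentication with pre-logon single sign-on and
# a sufficient connectivity delay, which is what the final solution above relies on.
# The sample profile is constructed for this example; the EAP method body is omitted.

function Test-EapTlsSsoProfile {
    param(
        [Parameter(Mandatory = $true)][string]$ProfileXml,   # full profile XML as a string
        [int]$ExpectedMaxDelay = 60                           # seconds, as in the thread
    )

    [xml]$doc = $ProfileXml
    # The 802.1X settings live in the OneX namespace inside MSM/security.
    $ns = @{ onex = 'http://www.microsoft.com/networking/OneX/v1' }
    $onex = (Select-Xml -Xml $doc -XPath '//onex:OneX' -Namespace $ns | Select-Object -First 1).Node
    if (-not $onex) { throw 'Profile has no OneX (802.1X) section; SSO settings cannot apply.' }

    $sso = $onex.singleSignOn
    $findings = @()
    if ($onex.authMode -ne 'machineOrUser') {
        $findings += "authMode is '$($onex.authMode)', expected 'machineOrUser'"
    }
    if (-not $sso) {
        $findings += 'singleSignOn block missing: user logon will not wait for the network'
    }
    else {
        if ($sso.type -ne 'preLogon') {
            $findings += "singleSignOn type is '$($sso.type)', expected 'preLogon'"
        }
        if ([int]$sso.maxDelay -lt $ExpectedMaxDelay) {
            $findings += "maxDelay is $($sso.maxDelay)s, expected at least $ExpectedMaxDelay"
        }
    }

    [pscustomobject]@{
        AuthMode  = $onex.authMode
        SsoType   = $(if ($sso) { $sso.type } else { $null })
        MaxDelay  = $(if ($sso) { [int]$sso.maxDelay } else { 0 })
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed sample profile reflecting the Group Policy settings from the thread.
$SampleProfile = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CampusWiFi</name>
  <SSIDConfig><SSID><name>CampusWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machineOrUser</authMode>
        <singleSignOn>
          <type>preLogon</type>
          <maxDelay>60</maxDelay>
          <allowAdditionalDialogs>false</allowAdditionalDialogs>
        </singleSignOn>
        <EAPConfig><!-- EAP-TLS method configuration omitted from the sample --></EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
'@

# Compliant profile, then the same profile with post-logon SSO, which reproduces the
# original problem: the supplicant switches to user auth before enrollment can run.
Test-EapTlsSsoProfile -ProfileXml $SampleProfile
Test-EapTlsSsoProfile -ProfileXml ($SampleProfile -replace 'preLogon', 'postLogon')
```

    To check a live client, export the applied profile with the netsh command above and pass the file contents, for instance `Test-EapTlsSsoProfile -ProfileXml (Get-Content -Raw 'C:\temp\Wi-Fi-CampusWiFi.xml')` (the exported file name varies with the interface name). The controller-side changes in the post (ID-request retries, reauthentication attempts, quiet period) are what keep the machine session alive while the 60-second pre-logon window and the enrollment run; they have to be verified on the controller, not from the client.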