Wireless Access

Contributor II

SSID with User- and Device-based authentication

Today my brain stopped working and now I need some external input.


A customer wants a SSID which checks for a device certificate and the group-membership for the user instead of the computers group membership.


All the computers have a certificate from a MS CA and the RADIUS is a MS NPS.


Right now the clients authenticate using the device-certificate and every domain computer is able to connect to the SSID (the clients are configured for EAP-TLS or EAP-PEAP w/ EAP-TLS)


How can I check the Username (or user certificate) as a 2nd factor?


Sven - AMFX #35
Guru Elite

Re: SSID with User- and Device-based authentication

You would need an advanced policy engine like ClearPass for something like this.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor II

Re: SSID with User- and Device-based authentication

So the only option would be to check for the user-certificate, with the knowledge that only users on a AD registered machine would get a certificate, right?


To allow logon, the device also needs a device-certificate and the computer would switch the certificate/profile while a user is logging in.


Is this the correct thought?


Sven - AMFX #35
Frequent Contributor I

Re: SSID with User- and Device-based authentication

You can enable "Enforce machine auth" on 1x auth profile.

- default machine role = role machine (specific acl or logon)

- default user role = role user (specifi acl or logon)


and on AAA, 1x default role = Company user role (full access);

and then combine it with ServerGroup-Server Rule, to put specific group to specific user role.


This can be applied if all client are domain machine, for non-domain machine, it won't be authenticated at all.






Search Airheads
Showing results for 
Search instead for 
Did you mean: