Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

TLS first time domain user sign in

  • 1.  TLS first time domain user sign in

    Posted Jan 27, 2017 10:57 AM

    With Machine+User auth on WLAN there is a chicken and egg scenario, where if a user hasn't connected to the domain on a device, then their user cert won't exist on the device yet, so they can't connect. They need to sign in to get the cert. I've done some looking around and haven't seen any solid workaround outside of different authentication methods, but I had an idea I wanted some feedback on.

    Is there a way to do Machine + user auth, but if the user auth fails, allow limited access with machine auth so that the user certificate can be generated? The certificate is generated almost instantly, so we can do a re-auth after a short time period (5s), with machine and user auth again.

     

    I'm not sure if this is possible to set up, so I'm hoping to spitball ideas, and hear what others have done for this situation.



  • 2.  RE: TLS first time domain user sign in

    EMPLOYEE
    Posted Jan 27, 2017 11:06 AM

    Most organizations just use machine authentication with eap-tls.

     

    The user still has to get into the machine and domain with domain credentials. It mirrors the security of the wired network.



  • 3.  RE: TLS first time domain user sign in

    Posted Jan 30, 2017 01:44 PM

    I've been considering moving to just machine auth with eap-tls. It would definitely make this easier for the multi user devices.

    I'd still however like some enforcement policies to apply based on their AD memberships. Is there a way for clearpass to pick up the user info when they sign in to the domain (using their sign in credentials on initial login, or their user cert once generated)? I'm not sure how I'd get clearpass to detect that if it's possible.



  • 4.  RE: TLS first time domain user sign in

    EMPLOYEE
    Posted Jan 30, 2017 01:54 PM

    Yes, you can use Computer + User and leverage attributes from each of them for policy evaluation.

     

    Something to consider: It's generally not recommended to use EAP-TLS on AD joined machines if you want user based identity + machine authentication. A new user who logs in will not be able to connect to the network because the local machine does not have a copy of their user certificate. In this scenario, consider using PEAPv0/EAP-MSCHAPv2 with a properly configured supplicant via GPO.



  • 5.  RE: TLS first time domain user sign in

    Posted Jan 30, 2017 02:06 PM

    You got it Tim, that's the current setup I have and the issue I'm trying to get around.

     

    You suggest peapv0 or mschapv2. How would that deployment look from the user's perspective? I've enjoyed EAP-TLS so far as it's seamless and requires nothing from the user, except for first time sign in on the occasional multi-user device. If peap/mschap fills this problem while remaining seamless I'd love to hear more.

     



  • 6.  RE: TLS first time domain user sign in
    Best Answer

    EMPLOYEE
    Posted Jan 30, 2017 02:17 PM
    Using PEAPv0/EAP-MSCHAPV2 passes the user's credentials through to the network. So for a brand new user, they won't have any issues since they entered their credentials at the login screen and thus passed through.

    The problem with EAP-TLS in this environment is the computer will switch to the user context before it can download the user's cert.


  • 7.  RE: TLS first time domain user sign in

    Posted Jan 30, 2017 02:26 PM

    This seems like something I missed that may have been better to deploy with. I'll get a test environment up and give it a go. 

    For a user that is already signed in to the domain, and then changed connection to the WLAN, will they require entering in their credentials, or is it pulled automatically in PEAPv0/EAP-MSCHAPV2 request?

    You also mentioned a properly configured supplicant via GPO. Do you mean the 802.1x settings pushed to these devices from GPO?



  • 8.  RE: TLS first time domain user sign in

    EMPLOYEE
    Posted Jan 30, 2017 02:29 PM
    No, the credentials are passed from the Windows session. The user should never receive a login outside of the Windows login screen.

    Yes, push the proper configuration via GPO and lock users from changing them.