Header Only - DO NOT REMOVE - Extreme Networks

802.1x user authentication and Machine authentication via certificate

  • 31 May 2019
  • 3 replies

Userlevel 1
Hi All

I have configured a wifi SSID to autenticate user via 802.1x user credential by LDAP Microsoft, using a NAC appliance, where I have configured the below rule, that match a specific LDAP user group, and a specific SSID.

I need to authenticate user & machine in the same time, user via LADP credential and machine via certificate.

Someone could help me?

3 replies

Userlevel 5
Hi Claudio,

If you want to do user + machine authentication, native MS Windows supplicant will not allow you to do this as for now (only user OR machine authentication). This thing what you want is sometimes referred as EAP Chaining. It is reachable with 3rd party supplicant software like https://github.com/Amebis/GEANTLink (but mentioned as experimental). I'm not sure but maybe SecureW2 also enables devices for that. Maybe there are some others, of course besides Cisco's proprietary supplicant. ;)

I'm also curious if somebody here has some field-proven supplicant software example for this.

Hope that helps,
Userlevel 5
I would be interested in a supplicant also, as I've have customers that want certificate authentication for machines (EAP-TLS) and straight user login (PEAP) when logging in - although that isn't necessary, and a lot more secure and standards based to use certificates for both - no need for a custom / propitiatory supplicant then.

Although you can't do both at the same time, think I'm right in saying you can use both machine and user authentication in the manner requested, you just basically authenticate twice.

When the laptop connects to the network it will initially do machine based authentication, then when logging in it will then do user authentication - this is how I've configured it in the past.

This is based on using certificate base EAP-TLS authentication in both cases, so the supplicant doesn't need to change between different methods i.e. you can just use the windows native supplicant.

In both cases you can use LDAP to validate the authorisation allowed. The advantage to also doing user certificate based authentication (simplicity, security, and standards based aside) is that you can elevate policy roles based on the user logged in, whereas machine authentication is just based on the machine.

You can configure the windows client to log on first to initially pull down the client certificate to end-system so its portable whenever you log into any end-system that doesn't already have a user certificate in its local repository.

Hope that helps?
Userlevel 1
Thanks a lot to All