Authenticating with Username and Certificate

itmanager2
New Contributor

We have HM Virtual Appliance and AP250 and AP245X.

Due to unreliable WAN links I want to configure the APs onboard RADIUS to auth against local Microsoft Domain Controllers for AD joined computers. This I am confident I can do.

As a second requirement, I want to have iPhones auth using users' AD credentials AND a Microsoft Certificate server issued Cert pushed to the iPhone by our existing MDM (MobileIron). This is to prevent non-managed devices joining and also discourage users from sharing their password with visitors instead of asking their site admin for guest accounts to be created. 🙂

Has anyone done this before and have any notes on setting it up?

Cheers

Ian

5 replies

samantha_lynn
Esteemed Contributor III

It would essentially require two SSIDs for that set up. If we require a cert to be present on the client via TLS, then all clients would be subject to that requirement.

With the Radius cert you would need the CA Certificate file, the server certificate file, and the server key file. Unfortunately you'd have to ask your certificate authority about whether the certification includes the revocation list URL.

itmanager2
New Contributor

Hi Sam,

That would kinda mean a separate SSID for the phones, or I need certs for all the laptops as well.

Currently I allow the laptops by virtue of them being members of the AD Workstation group - no certs required. I assume I can't have both options on the one SSID? Not a dealbreaker, but obviously I would prefer to not have extra SSIDs if possible.

With the certs, what cert do I need on the RADIUS server? Is it just a copy of the CA public cert so it can verify the client certs are signed by our CA? I assume this cert has the CA's Cert revocation list URL in it so the RADIUS server can check our client's cert has not been revoked too?

Thanks for your help!

Cheers

Ian

samantha_lynn
Esteemed Contributor III

Thanks for letting me know. Within the HiveManager you'll want to go to Configure > Open the Network Policy > Open the SSID > Open the Radius server object > Go into the Extreme Networks Radius Server Object > Go to the Security Options tab > Install your certificate here > Check the box next to "Check common name in certificate against the user for TLS authentication" > Check the box next to "TLS Authentication". This should require the Radius credentials, and that the client device has the certificate installed on it before authentication is allowed.
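
Two points in this thread are worth checking on the command line before certificates go onto the RADIUS server: that a client certificate actually chains to the CA whose public cert is installed on the server (asked in the "what cert do I need on the RADIUS server" post), that it carries a CRL distribution point URL (the revocation question raised in the first reply), and what its CN is, since the "check common name against the user" option above compares that field with the RADIUS username. The script below is an added example, not from the thread or from Extreme Networks; it builds a throwaway lab CA and client cert with OpenSSL in a temp directory (standing in for the Microsoft CA and the MDM-pushed iPhone cert) and then runs those checks. The CA name, the CN and the CRL URL are placeholders I made up.

```shell
#!/bin/sh
# Added example (not from the thread): stand up a throwaway CA, issue a client
# cert with a CRL Distribution Point, and run the checks a RADIUS admin would
# run on a real client cert before trusting it on the server.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Placeholder values (assumptions, not from the thread)
CA_NAME="Example Lab CA"
CLIENT_CN="user@example.internal"
CRL_URL="http://pki.example.internal/ca.crl"

# 1. Throwaway CA: its public cert (ca.pem) is what the RADIUS server needs
#    to verify client certs; the key never leaves the CA host in real life.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=$CA_NAME" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. Client key and CSR (stands in for the cert the MDM pushes to the phone)
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=$CLIENT_CN" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null

# 3. Sign the CSR, adding clientAuth EKU and the CRL DP the thread asks about
cat > "$WORK/ext.cnf" <<EOF
extendedKeyUsage = clientAuth
crlDistributionPoints = URI:$CRL_URL
EOF
openssl x509 -req -in "$WORK/client.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -days 1 -extfile "$WORK/ext.cnf" -out "$WORK/client.pem" 2>/dev/null

# Does the cert chain to the CA cert we would install on the RADIUS server?
# Usage: chains_to_ca CA_PEM CLIENT_PEM  (exit 0 = yes)
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# First URI listed in the cert's CRL Distribution Points (empty if none).
# The lab cert has no other URI extensions, so the first URI is the CRL DP.
crl_url_of() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI:\(.*\)$/\1/p' | head -n 1
}

# Subject CN, the field the "check common name against the user" option
# compares with the RADIUS username.
cn_of() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -e 's/^subject= *//' -e 's/^CN=//'
}

# Stand-alone run: print the three answers for the lab client cert
echo "chains to CA:           $(chains_to_ca "$WORK/ca.pem" "$WORK/client.pem" && echo yes || echo no)"
echo "CRL distribution point: $(crl_url_of "$WORK/client.pem")"
echo "subject CN:             $(cn_of "$WORK/client.pem")"
```

On a real certificate exported from the Microsoft CA you only need the three functions: point `chains_to_ca` at the CA's public cert and the client cert, and look at `crl_url_of` to answer the revocation question without asking the CA team. If `crl_url_of` prints nothing, the CA is not publishing a CRL distribution point in its issued certs, and the RADIUS server will have no URL from which to fetch revocations. Note that a client cert presented against the wrong CA (for example, verified against itself) fails the chain check, which is the behaviour you want from the RADIUS server.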

itmanager2
New Contributor

Hi Sam,

HM VA currently 12.8.3.1 but happy to update to current as I plan to anyhow.

That would be appreciated!

Cheers

Ian
