05-31-2019 12:39 PM
I have configured a Wi-Fi SSID to authenticate users via 802.1X user credentials against Microsoft LDAP, using a NAC appliance, where I have configured the below rule, which matches a specific LDAP user group and a specific SSID.
I need to authenticate user and machine at the same time: the user via LDAP credentials and the machine via certificate.
Could someone help me?
08-11-2021 08:31 AM
Hi Tomasz,
Thank you for your reply. I was talking about the EAP-TEAP with a vendor of our Extreme solutions. They contacted Extreme directly and found out that Extreme NAC does not support EAP-TEAP yet. However, it’s in their road map so hopefully someday…
Nevertheless, there should be basically two workarounds. The first one is the one you’re describing in your previous post. It can be done either manually or using the workflow you provided.
The second one is to create two rules. First for machine certificate authentication and second one for identity authentication (credentials in AD). For this option you need to set your Windows supplicant for EAP-TEAP authentication, but I was told, that it does not work very well. However, I haven’t tried it myself, so who knows, it may be the way.
I’m not an expert in AD/GPO myself, but I don’t believe that there is a “user-friendly” solution. And even if there was, I would like to assign different VLANs to different groups of users, which wouldn’t be possible, right? The NAC would just let the machine onto the network, but I’d have to have a user certificate (which I don’t have) to assign a specific VLAN. With the machine certificate only, the NAC would know that the machine is from our company and therefore let it in, but it wouldn’t know which user is using it, so I can’t create any user group.
Regards,
Jakub
06-07-2019 07:50 AM
06-03-2019 09:50 AM
Although you can't do both at the same time, I think I'm right in saying you can use both machine and user authentication in the manner requested; you just basically authenticate twice.
When the laptop connects to the network it will initially do machine-based authentication, then when logging in it will do user authentication - this is how I've configured it in the past.
This is based on using certificate-based EAP-TLS authentication in both cases, so the supplicant doesn't need to change between different methods, i.e. you can just use the Windows native supplicant.
In both cases you can use LDAP to validate the authorisation allowed. The advantage to also doing user certificate based authentication (simplicity, security, and standards based aside) is that you can elevate policy roles based on the user logged in, whereas machine authentication is just based on the machine.
You can configure the Windows client to log on first to initially pull down the client certificate to the end-system, so it's portable whenever you log into any end-system that doesn't already have a user certificate in its local repository.
Hope that helps?
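The two-stage flow described in this answer (machine authentication at boot, user authentication at logon, policy elevated by the logged-in user) and the "two rules" arrangement from Jakub's reply can be modelled as a small policy evaluator. The following is an added example, not code from the thread or from any Extreme NAC product; the SSID name, rule names, VLAN ids, directory groups, certificate subjects and passwords are all constructed for illustration, and the credential check is a simulation (a real PEAP-MSCHAPv2 exchange never carries a plaintext password).

```python
"""Toy NAC policy model for the thread's two-rule approach.

Rule 1 accepts a machine certificate (EAP-TLS, computer identity) and parks the
device in a restricted VLAN.  Rules 2 and 3 accept a user credential, look the
user up in a simulated LDAP directory and assign the VLAN of the user's group.
Everything below (names, groups, VLANs, certs, passwords) is constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for Microsoft LDAP (AD): group name -> member accounts.
LDAP_GROUPS = {
    "Finance": {"alice"},
    "Engineering": {"bob"},
}
# Constructed stand-in for the LDAP bind / password check (simulation only).
LDAP_VALID_CREDENTIALS = {"alice": "s3cret-A", "bob": "s3cret-B", "carol": "s3cret-C"}

# Machine certificates issued by a hypothetical internal CA, keyed by subject CN.
ISSUED_MACHINE_CERTS = {"laptop01.example.corp", "laptop02.example.corp"}


@dataclass
class AuthRequest:
    ssid: str
    eap_method: str                     # "EAP-TLS" (certificate) or "PEAP-MSCHAPv2" (credential)
    identity: str                       # "host/<fqdn>" for machines, account name for users
    cert_subject: Optional[str] = None  # only present for EAP-TLS
    password: Optional[str] = None      # only present for the credential simulation


@dataclass
class Rule:
    name: str
    ssid: str
    eap_method: str
    ldap_group: Optional[str]           # None: no group requirement (the machine rule)
    vlan: int


# Rule 1 = machine certificate, rules 2-3 = user credential + LDAP group (constructed).
RULES = [
    Rule("machine-cert", "Corp-WiFi", "EAP-TLS", None, 100),
    Rule("finance-users", "Corp-WiFi", "PEAP-MSCHAPv2", "Finance", 200),
    Rule("eng-users", "Corp-WiFi", "PEAP-MSCHAPv2", "Engineering", 300),
]


def credential_ok(req: AuthRequest) -> bool:
    """Validate what the supplicant presented, according to the EAP method."""
    if req.eap_method == "EAP-TLS":
        # A machine identity host/<fqdn> must be backed by a certificate our CA
        # issued for exactly that host; a mismatched or unknown subject is rejected.
        return (req.identity.startswith("host/")
                and req.cert_subject == req.identity[len("host/"):]
                and req.cert_subject in ISSUED_MACHINE_CERTS)
    if req.eap_method == "PEAP-MSCHAPv2":
        return LDAP_VALID_CREDENTIALS.get(req.identity) == req.password
    return False


def evaluate(req: AuthRequest) -> Optional[Tuple[str, int]]:
    """Return (rule name, VLAN) for the first matching rule, or None to reject."""
    if not credential_ok(req):
        return None
    for rule in RULES:
        if rule.ssid != req.ssid or rule.eap_method != req.eap_method:
            continue
        if rule.ldap_group is not None and req.identity not in LDAP_GROUPS.get(rule.ldap_group, set()):
            continue
        return (rule.name, rule.vlan)
    return None


def session_vlan(machine_req: AuthRequest, user_req: Optional[AuthRequest] = None) -> Optional[int]:
    """Model the two-stage flow: machine auth at boot, user auth at logon.

    Without a logged-in user the device sits in the machine VLAN; a successful
    user authentication replaces it with the group VLAN; a failed user
    authentication rejects the session (modelling assumption of this example).
    """
    machine = evaluate(machine_req)
    if machine is None:
        return None
    if user_req is None:
        return machine[1]
    user = evaluate(user_req)
    return user[1] if user else None


if __name__ == "__main__":
    boot = AuthRequest("Corp-WiFi", "EAP-TLS", "host/laptop01.example.corp",
                       cert_subject="laptop01.example.corp")
    logon = AuthRequest("Corp-WiFi", "PEAP-MSCHAPv2", "alice", password="s3cret-A")
    print("machine only  ->", session_vlan(boot))          # 100
    print("alice logs on ->", session_vlan(boot, logon))   # 200
```

Note that the two rules are evaluated independently: the NAC learns the machine from one exchange and the user from another, which is why a user in a group lands in the group VLAN while a machine-only session stays in the restricted one (Jakub's observation), and why tying both identities to a single exchange needs EAP chaining as Tomasz describes.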
06-01-2019 05:53 PM
If you want to do user + machine authentication, the native MS Windows supplicant will not allow you to do this as of now (only user OR machine authentication). What you want is sometimes referred to as EAP Chaining. It is reachable with 3rd-party supplicant software like https://github.com/Amebis/GEANTLink (but mentioned as experimental). I'm not sure, but maybe SecureW2 also enables devices for that. Maybe there are some others, of course besides Cisco's proprietary supplicant. 😉
I'm also curious if somebody here has some field-proven supplicant software example for this.
Hope that helps,
Tomasz
