Extreme Networks

David_Nelson · ‎11-12-2020

I am upgrading wireless for a site where one SSID is configured to allow AD joined computers to connect automatically using certificate based 802.1x authentication. This has been working great and they are happy with the setup, so I am not dead set on changing it… however it is a little more complex to setup and maintain than just letting the AD computers connect using their AD computer accounts. I have implemented the latter for a few client’s and it also works really well, is easier to setup, and doesn’t break if the sites PKI goes haywire.

So my question is then, is authenticating with a certificate provisioned to the AD computer from AD CS any more secure than just authenticating with the AD computer account?

Environment details:

NPS on Server 2016

Mostly Windows 10 Clients, with a few Win 7

All Domain Joined

Wireless Platforms: EIQ, and Identifi

Ovais_Qayyum · ‎11-12-2020

Hi David,

This is more like comparing EAP-TLS with PEAP-MSCHAPv2. The process for EAP-TLS involves enrolling for and installing a digital certificate, and both protocols require server cert validation configuration in order to remain effective against over-the-air credential theft attacks.

With PEAP-MSCHAPv2, the user must enter their credentials to be sent to the RADIUS server that verifies the credentials and authenticates them for network access. EAP-TLS utilizes certificate-based authentication (computer or user certs). Rather than sending credentials to the RADIUS Server over-the-air, credentials are used for a one-time certificate enrollment, and the certificate is sent to the RADIUS server for authentication. Over the course of the user’s lifetime with the organization, being able to auto-authenticate without having to memorize a password or update due to a password change policy is a huge benefit to the user experience.

While the information exchanged between the client device, Access Point (AP), and RADIUS server may be different between EAP-TLS and PEAP-MSCHAPv2, they both undergo a TLS Handshake. This is the communication process in which the server and client exchange identifying information. The two sides will verify one another’s identity, establish encryption algorithms, and agree on session keys to securely authenticate to the network.

The primary difference to highlight between the authentication processes is the number of steps involved. The EAP-TLS process has almost half as many steps to authenticate. On an individual authentication basis, this is an extremely short amount of time difference. For a single authenticating user, the difference is nearly imperceptible. Where this difference of steps comes into play is during the event of a large authentication event.

Comparing the security risks of certificate-based authentication and credential-based authentication proves that certificates are far more secure than credentials. From an identity standpoint, credentials are not reliable. Certs can’t be transferred or stolen because they are linked to the identity of the device and user; meanwhile, stolen credentials can be used without a method for identifying if the authenticated user is actually who they claim to be.

Regards,

Ovais

View solution in original post

David_Nelson · ‎11-13-2020

Thank you for the detailed write-up! This is great!

Ovais_Qayyum · ‎11-12-2020

Hi David,

This is more like comparing EAP-TLS with PEAP-MSCHAPv2. The process for EAP-TLS involves enrolling for and installing a digital certificate, and both protocols require server cert validation configuration in order to remain effective against over-the-air credential theft attacks.

With PEAP-MSCHAPv2, the user must enter their credentials to be sent to the RADIUS server that verifies the credentials and authenticates them for network access. EAP-TLS utilizes certificate-based authentication (computer or user certs). Rather than sending credentials to the RADIUS Server over-the-air, credentials are used for a one-time certificate enrollment, and the certificate is sent to the RADIUS server for authentication. Over the course of the user’s lifetime with the organization, being able to auto-authenticate without having to memorize a password or update due to a password change policy is a huge benefit to the user experience.

While the information exchanged between the client device, Access Point (AP), and RADIUS server may be different between EAP-TLS and PEAP-MSCHAPv2, they both undergo a TLS Handshake. This is the communication process in which the server and client exchange identifying information. The two sides will verify one another’s identity, establish encryption algorithms, and agree on session keys to securely authenticate to the network.

The primary difference to highlight between the authentication processes is the number of steps involved. The EAP-TLS process has almost half as many steps to authenticate. On an individual authentication basis, this is an extremely short amount of time difference. For a single authenticating user, the difference is nearly imperceptible. Where this difference of steps comes into play is during the event of a large authentication event.

Comparing the security risks of certificate-based authentication and credential-based authentication proves that certificates are far more secure than credentials. From an identity standpoint, credentials are not reliable. Certs can’t be transferred or stolen because they are linked to the identity of the device and user; meanwhile, stolen credentials can be used without a method for identifying if the authenticated user is actually who they claim to be.

Regards,

Ovais

Extreme Networks

802.1x Certificate Auth vs. AD Computer Auth from a security standpoint?

802.1x Certificate Auth vs. AD Computer Auth from a security standpoint?