dcarr25

asked on

Wireless 802.1X authentication, user and computer authentication

Hi community,

I work for a very large multi-national company that has a significant investment in Microsoft technology for its directory service and uses HPE Clearpass for wireless authentication.

We operate a predominantly wireless environment using EAP-TLS as the authentication method. We currently only use 'computer authentication' to authenticate a device to the network. I would like to use 'computer and user' authentication for a number of reasons. One is that we typically don't revoke machine certificates, and two, the users show up in our infrastructure as the hostname and not the username, so it makes it difficult to troubleshoot.

I'm told that the reason for this is because when a machine is built by the build team it is built, then joined to the domain. The machine then gets a computer certificate. At this point the machine is issued to the user. If we have 'computer and user' authentication specified we see the machine getting occasionally dropped from the network and as such we have to revert back to just computer authentication.

I was wondering if anybody had any experience with a process similar to ours above. We use EAP-TLS with certs on both the client and the HPE Clearpass server, with the correct chains on each.

Thanks
Jakob Digranes

Hi

The computers should work with user and machine authentication; however, this is how it works:
Before logon, the machine is authenticated. When the user logs on it switches to user authentication, and reverts back to machine authentication when the user logs off.
The problem would be with certificate issue and/or renewal. The computer has a valid cert and is authenticated before logon. When the user logs on, either without a cert or with an expired cert, the connection breaks as the user has no certificate, and since the connection is broken, there's no way to enroll for a certificate other than using a wired connection (without 802.1X) or a PSK network.

But once certs are enrolled - there should be no problems. As for renewing of certs - if you configure certificate template for renewal 6 months before the old one expires, users should always have a valid certificate before the old one expires.

But for the intermittent disconnects: that shouldn't be a problem with machine and user auth. It can be reauthentication timers or authentication errors. ClearPass has extensive logging through its monitoring pages; try to see if you see any errors in user auth.

Which wireless are you using - if I may ask?
dcarr25

ASKER

Hi Jakob,

Thanks for taking the time to respond to my query.

What you have described is exactly the problem we are experiencing, that is to say there is no user certificate on the device when it is issued to the user, apologies this was not clear in my problem description. What in your experience do people do for such scenarios as we would like to use both (user and computer authentication). Would it be that the device has to be connected to the wired LAN first to have the user logon and download the certificate to the user certificate store?

We are heavily invested in both Aruba and Cisco, predominantly the former.
There aren't many choices. If you decide to go with machine + user, which I like, for the first logon you need to be connected to the wired LAN, or a PSK or open network with connection limited to only AD and a PKI server. The first option will undoubtedly be the most secure.
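The pre-flight check the two posts above imply, as an added example (not code from the thread or from any of its participants): run as the logged-on user while the client still has a path to AD and the CA (wired LAN or the limited enrollment network), it confirms a valid user EAP-TLS certificate exists before the wireless profile is switched from machine-only to machine-or-user authentication, triggers user autoenrollment if none is found, and flags the renewal window. The template name, profile name and client-authentication EKU handling are assumptions, not something the thread states.

```powershell
# Added example, not from the thread. Assumptions: the user template is
# autoenrollment-enabled, the client-auth EKU is 1.3.6.1.5.5.7.3.2, and the
# wireless profile is called "CorpWiFi" (placeholder name).

$ClientAuthEku   = '1.3.6.1.5.5.7.3.2'
$RenewWindowDays = 180     # the "renew 6 months before expiry" guidance above
$ProfileName     = 'CorpWiFi'

function Get-EapTlsUserCert {
    # Newest client-authentication certificate with a private key in the user store.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and
                       ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthEku) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

$now  = Get-Date
$cert = Get-EapTlsUserCert

if (-not $cert -or $cert.NotAfter -le $now) {
    Write-Warning "No valid user EAP-TLS certificate: machine+user auth would drop this client at logon."
    # Only works while AD and the CA are reachable (wired or enrollment network).
    certutil -pulse | Out-Null            # kick user autoenrollment now
    Start-Sleep -Seconds 10
    $cert = Get-EapTlsUserCert
}

if (-not $cert -or $cert.NotAfter -le $now) {
    Write-Error "Enrollment did not produce a certificate; keep the profile on machine-only auth."
    return
}

$daysLeft = [int]($cert.NotAfter - $now).TotalDays
"User cert '$($cert.Subject)' issued by '$($cert.Issuer)' expires $($cert.NotAfter) ($daysLeft days left)"
if ($daysLeft -lt $RenewWindowDays) {
    Write-Warning "Inside the renewal window; verify the template renews before expiry or the user will be dropped later."
}

# Safe to switch the profile. Export it, set authMode, re-import for all users:
#   netsh wlan export profile name="$ProfileName" folder="$env:TEMP"
#   edit the element under <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">:
#     <authMode>machineOrUser</authMode>
#   netsh wlan add profile filename="$env:TEMP\Wi-Fi-$ProfileName.xml" user=all
"Valid user certificate present; profile '$ProfileName' can move to authMode machineOrUser."
```

The script deliberately stops short of editing the profile itself: the point is that the check and the enrollment must both succeed while the client is on a network that does not depend on the user certificate, otherwise the first logon breaks the connection exactly as described above.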
You could just switch to PEAP instead of EAP. Assuming your computers are on a domain, PEAP logs computers in with their computer domain credentials instead of a certificate. That way you can keep using computer authentication, which in my opinion is the best way to go, and you don't have all the issues with certificates like disconnects and certificate renewals. We use PEAP for both our wired and wireless 802.1X authentication and it works great.
@AndyBartkiewicz - PEAP works like a charm. However, there's no limit to how many devices a user brings to the table and logs on to the wireless. An employee can use his user account to get multiple PCs, tablets and phones logged on under the same user account.

ASKER

@AndyBartkiewicz - thanks for the feedback. Unfortunately our security policy mandates the use of both client and server certificates for authentication. We also have to ensure that those devices accessing the network are corporate issued devices.
@jakob, not if you use computer authentication, which is what I recommend. Then only domain registered devices can get on wireless. @dcarr25, if that's your corporate policy then it is what it is, but you can certainly make sure only corporate owned devices get online with PEAP. What we do is set up computer authentication for our domain registered devices and disable the ability of our users to log into wired/wireless with their domain accounts. As for tablets and other corporate devices that can't register to the domain, we use a service account to log them into the network and don't give those credentials to users. Obviously the choice is yours, but I think you are making your life much more difficult by using certificates with no real benefit.
@AndyBartkiewicz: With computer auth you can, but the asker wanted to use computer AND user auth, and as long as you enable user auth on your RADIUS server, even if it is planned to be used in conjunction with computer auth, you'll allow any device to authenticate using PEAP-MSCHAPv2 and user authentication. If you do this on a Windows device, you won't get connected until after the user has logged in, but you'll get connected still.

When it comes to certs (PEAP-TLS) and user/pass (PEAP-MSCHAPv2) there's one thing you can't look away from. User/pass is something you know, which is transferable; a certificate is something you have and, done properly (no export), can't be transferred or faked.

I'd choose certs any day - over mschapV2.
@jakob, I don't think you read my comment, you have to disable the ability of users to authenticate to radius, so no they can't connect any device they want. But if you prefer certificates that's fine, I just don't think you gain anything by using them, so they aren't worth the trouble.
@andy - I read your comment about disabling user accounts, but the original question is how he can have computer AND user authentication combined.
we agree to disagree :)