Security
  • 1.  Enforce machine auth with cert, plus user auth with smartcard

    Posted Oct 01, 2018 09:49 AM

    Currently have our network up and running, but we're not enforcing machine authentication. On our Windows clients, we have user authentication, using smartcard. This, however, means a user could theoretically bring their own laptop with a smartcard, configure the wireless settings, and connect.

     

    We recently just had auto certificate enrollment enabled in our domain, so now all our Windows clients have computer certificates.

    We have security requirements dictating that ANY connection to the wireless here MUST use EAP-TLS certificate-based authentication.

     

    What I'd like to do now, is enforce machine authentication. We would assign a role to authenticated/authorized machines allowing only domain traffic plus patching, scanning, etc. This authentication would occur at the Ctrl+Alt+Del screen without any user logon (i.e. computer boots up, and connects to the WLAN via machine authentication without any user intervention). Then, once the user does authenticate to Windows, the user auth happens on the WLAN via smartcard. Ideally this would not result in an IP address change; only the user role would change. This would then put the user in the authenticated role with full network access.

     

    When I look at the Windows WLAN connection properties, however, I see that you may choose either "Use my smart card" or "Use a certificate on this computer".

     

    So is it possible to use a computer certificate for the machine logon, and then the user's smart card for the user side of authentication? All with one WLAN profile?
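    The enforcement model described in the question (machine auth with a computer certificate at boot, user auth with the smart card after logon, a restricted role until both have happened) can be illustrated with a small role-derivation routine. This is an added example written for this thread; it is not code from the original poster, from Aruba, or from Cisco ACS. The role names, the 24-hour machine-auth cache lifetime, the `host/` prefix used to recognise a computer account, and the event format are assumptions made for the example. It also applies the thread's stated policy that only EAP-TLS (IANA EAP type 13) is acceptable, so a PEAP attempt (type 25) is refused.

```python
"""Role derivation for 802.1X with 'enforce machine authentication'.

Added illustration, not part of the forum thread or any vendor product.
Assumed behaviour:
  * a successful machine (computer-certificate) auth caches the client MAC
    for CACHE_TTL and gets the restricted machine-only role;
  * a later successful user (smart card) auth from a cached MAC gets the
    full role;
  * a user auth from a MAC with no valid machine-auth cache entry (e.g. a
    personal laptop with a borrowed smart card) is held in quarantine;
  * any method other than EAP-TLS is denied outright.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

EAP_TLS = 13   # IANA EAP method type for EAP-TLS
EAP_PEAP = 25  # IANA EAP method type for PEAP (used only as a negative case)

ROLE_MACHINE_ONLY = "machine-only"    # domain traffic, patching, scanning only
ROLE_AUTHENTICATED = "authenticated"  # full network access
ROLE_QUARANTINE = "quarantine"        # user auth without prior machine auth
ROLE_DENIED = "denied"                # auth failure or disallowed EAP method


def is_machine_identity(identity: str) -> bool:
    """Windows machine accounts present as host/<fqdn>; anything else is a user."""
    return identity.lower().startswith("host/")


@dataclass
class AuthEvent:
    mac: str          # client MAC, any case
    identity: str     # "host/PC1.corp.example" or a user UPN
    eap_method: int   # negotiated EAP method type
    success: bool     # RADIUS Access-Accept (True) or Access-Reject (False)
    when: datetime    # time of the event


@dataclass
class MachineAuthEnforcer:
    cache_ttl: timedelta = timedelta(hours=24)   # assumed cache lifetime
    _cache: Dict[str, datetime] = field(default_factory=dict)
    _roles: Dict[str, str] = field(default_factory=dict)

    def machine_authenticated(self, mac: str, now: datetime) -> bool:
        """True if this MAC completed machine auth within cache_ttl of now."""
        seen = self._cache.get(mac.lower())
        return seen is not None and (now - seen) < self.cache_ttl

    def handle(self, ev: AuthEvent) -> str:
        """Derive the role to apply after an auth event and remember it."""
        mac = ev.mac.lower()
        # Policy from the thread: every connection must be EAP-TLS.
        if not ev.success or ev.eap_method != EAP_TLS:
            self._roles[mac] = ROLE_DENIED
            return ROLE_DENIED
        if is_machine_identity(ev.identity):
            self._cache[mac] = ev.when
            role = ROLE_MACHINE_ONLY
        elif self.machine_authenticated(mac, ev.when):
            role = ROLE_AUTHENTICATED
        else:
            role = ROLE_QUARANTINE
        self._roles[mac] = role
        return role

    def role_of(self, mac: str) -> str:
        return self._roles.get(mac.lower(), ROLE_DENIED)


def run_scenario() -> List[str]:
    """Constructed sample events covering the cases the question raises."""
    enf = MachineAuthEnforcer()
    t0 = datetime(2018, 10, 1, 9, 0)
    events = [
        # Domain PC boots and does machine auth with its computer certificate.
        AuthEvent("AA:BB:CC:DD:EE:01", "host/PC1.corp.example", EAP_TLS, True, t0),
        # Same PC, user logs on with smart card five minutes later.
        AuthEvent("aa:bb:cc:dd:ee:01", "alice@corp.example", EAP_TLS, True, t0 + timedelta(minutes=5)),
        # Personal laptop with a smart card: no machine auth ever happened.
        AuthEvent("AA:BB:CC:DD:EE:02", "bob@corp.example", EAP_TLS, True, t0),
        # Client that negotiated PEAP instead of EAP-TLS: refused by policy.
        AuthEvent("AA:BB:CC:DD:EE:03", "host/PC3.corp.example", EAP_PEAP, True, t0),
        # PC1's user re-authenticates 25 hours later: the cache entry has expired.
        AuthEvent("AA:BB:CC:DD:EE:01", "alice@corp.example", EAP_TLS, True, t0 + timedelta(hours=25)),
    ]
    return [enf.handle(ev) for ev in events]


if __name__ == "__main__":
    for role in run_scenario():
        print(role)
```

    The cache keyed on MAC is the weak point of this pattern, which is why the question's requirement that the user leg also be certificate-based matters: a MAC alone can be copied, a private key on a smart card cannot.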



  • 2.  RE: Enforce machine auth with cert, plus user auth with smartcard

    Posted Oct 01, 2018 10:12 AM
    You will need to go through the same process as for user auth and configure a computer template to push the cert from ADCS, and also create a GPO to enable user and computer authentication on the wireless profile (before you do this you need to make sure all your devices already have a cert).



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 3.  RE: Enforce machine auth with cert, plus user auth with smartcard

    Posted Oct 01, 2018 10:29 AM

    Sounds easy enough. For now, I'm just using one machine for testing. It has a computer cert in the computer cert store. I configured a test VAP with essentially the same AAA settings; the only real difference is I've checked 'enforce machine auth'.

     

    However, when I try and connect, I get a message in Windows saying I need a certificate to login, and to contact my IT support.

     

    I set up the wireless connection with WPA2-Enterprise with certificate auth. I haven't specified machine-only, as I need it to be able to handle both.

     

    In our ACS, in the deny log for this machine authentication it lists one event: "Failed to negotiate EAP for inner method because EAP-MSCHAP is not allowed under PEAP configuration in Access Service."

     

    I shouldn't be trying PEAP at all though, right? If I've set up Windows to only use certificate authentication, I should just be using EAP-TLS, or if it is using PEAP, EAP-TLS should be the inner method, right? It looks like the client is trying username/password with MS-CHAP, which would make sense why it's failing.



  • 4.  RE: Enforce machine auth with cert, plus user auth with smartcard

    Posted Oct 01, 2018 11:49 AM
    I'm not very familiar with ACS so I'm not sure if it is required to enable enforce machine auth (this is typically used when authenticating against Windows NPS), but you need to make sure you have a machine cert and enable computer and user authentication.

    Try testing without enforcing machine auth and see if that helps, but you may need to configure that on the ACS side.



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 5.  RE: Enforce machine auth with cert, plus user auth with smartcard

    Posted Oct 09, 2018 09:21 AM

    Whoops. I responded to the wrong thread. I still need to do some testing on this one.