User EAP-TLS authentication for the first time

  • Thread starter Pavel Makovec (DHL IT Services)

Hi community,


we are trying to develop 802.1X authentication to the network (LAN and WLAN) using the native Windows supplicant. The recommendation from the internal security department is to use certificates for the authentication. The second requirement is to have a user identity when a user is on a corporate machine.


Machine and user certificates are auto-enrolled using GPO policy.

Then we've configured clients using the GPO policy to have the required settings (same on LAN and WLAN network), including certificate selection

- 802.1X auth credential: Machine or user credential

- EAP type: Smart Card or other certificate


Machine certificates are enrolled during the imaging process when a machine is online and joined to the AD.


The problem we currently have is, I would say, a chicken-or-egg problem.

When a user is logging on to the machine for the first time, there is no certificate for that user. From observation, there is around a 50% chance that the user cert auto-enrollment finishes during logon on LAN. But on WLAN it's failing all the time.


We are looking for some option to extend the machine authentication session to provide more time for the user cert auto-enrollment when the user is visiting the machine for the first time.

Is there any simple way to auto-configure the supplicant to use "Machine credential" mode only in the case where no user certificate is available, and then re-configure the supplicant to "Machine or User credentials" mode once there is a user certificate?


Thanks

Pavel
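As an added example (not part of Pavel's post and not Microsoft tooling), a PowerShell logon-time check for the situation described above: it tests whether the current user already holds a valid auto-enrolled client-authentication certificate and, if so, flips a netsh-exported 802.1X profile from machineOnly to machineOrUser; the profile name "Corp-WLAN" and the export folder are placeholders.

```powershell
# Added example, not from the original post. Assumes the user certificate
# carries the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2), which is
# what the "Smart Card or other certificate" EAP type looks for.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Test-UserEapCert {
    # True when the user's personal store holds an unexpired certificate
    # with a private key and the Client Authentication EKU.
    $now = Get-Date
    $certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
    }
    return [bool]$certs
}

function Set-ProfileAuthMode {
    param(
        [Parameter(Mandatory)][string]$ProfileXmlPath,
        [ValidateSet('machineOnly', 'machineOrUser', 'userOnly')][string]$Mode
    )
    # The OneX <authMode> element of a netsh-exported profile selects which
    # credential the supplicant offers; rewrite it in place.
    $xml = Get-Content -Raw -Path $ProfileXmlPath
    $updated = $xml -replace '<authMode>[^<]+</authMode>', "<authMode>$Mode</authMode>"
    Set-Content -Path $ProfileXmlPath -Value $updated -Encoding UTF8
}

# Usage at user logon (placeholder profile name and scratch folder).
$profileName = 'Corp-WLAN'
$exportDir   = Join-Path $env:TEMP 'onex'
New-Item -ItemType Directory -Force -Path $exportDir | Out-Null

if (Test-UserEapCert) {
    # User cert present: re-enable machine-or-user mode on the WLAN profile.
    netsh wlan export profile name="$profileName" folder="$exportDir" | Out-Null
    # netsh names the file "<interface>-<profile>.xml"; match on the suffix.
    $file = Get-ChildItem -Path $exportDir -Filter "*-$profileName.xml" |
            Select-Object -First 1 -ExpandProperty FullName
    Set-ProfileAuthMode -ProfileXmlPath $file -Mode 'machineOrUser'
    netsh wlan add profile filename="$file" user=all | Out-Null
} else {
    # No user cert yet: stay in machineOnly mode and trigger autoenrollment
    # so the certificate is there by the next logon.
    certutil -pulse | Out-Null
}
```

Adding an all-users profile needs an elevated context, and a profile delivered by GPO is reapplied at the next policy refresh, so in a GPO-managed environment this illustrates the mechanism rather than replacing the policy.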
