We intend to deploy machine?s certificate authentication for wifi users.
We want to check certificate validity of the machine, and also that the machine is included on the windows domain.
We intend to use EAP-TLS :
- One CA server.
- each machine (laptop) retrieves its own certificate from GPO or SMS
- the public certificate of the CA is pushed on the ACS as well as on each of the machine (laptop)
- ACS version is the appliance one
- one ACS remote agent installed on the A.D.
- when a user intends to log on the wifi network :
- the server (ACS appliance) sends its certificate to the client. This client checks the certificate thanks to the CA server certificate he already trusts, results : the client also trusts the ACS?s certificate signed by the CA server .
- the client sends its certificate to the server (ACS appliance). This ACS checks the certificate thanks to the CA server certificate he already trusts, results : the ACS also trusts the client?s certificate signed by the CA server but the ACS also checks that this certificate isn?t revocated (the ACS checks this thanks to the CA server CRL ? certificate revocation list).
Am I right about these previous points ?
And then my question is : is it possible to check that the machine is also included in the windows domain ?
That is, is it possible for the ACS to retrieve the needed field (perhaps CN ?? certificate type "host/....") and then perform an authentication request to the A.D. (active directory) thanks to the ACS remote agent ? We want to perform only machine authentication, not user authentication.
Thanks in advance for your attention.
You are right.
Once Remote Agent is configured properly. And clients are configured properly.
It will work the way you want it to.
One more option to consider,
Also check "Enable machine access restrictions"