EAP-TLS - Is this just for computer (device) auth, or AD logon?

kfarrington · ‎04-03-2008

Guys,

Can you use EAP-TLS to actually supply a username and password to a domain controller, or is it just for computer device authentication.

Ie,

Client and server has cert

1. Client boots up (pre winlogon.exe) and TLS exchange happens with Radius/ACS for the device.

2. Now computer is registered with domain, user now logs into MS domain?

So on step two, the device can speak directly to the AD domain controller without passing the username/password thru a Radius/ACS?

Is this correct?

Many thx,

Ken

Richard Atkin · ‎04-03-2008

Yes, you can authenticate machines and users using EAP-TLS.

Machines need to be configured for EAP-TLS and require a suitable certificate to be in the Machine Account Personal Certificate Store.

Users normally have their certificate embedded in a smartcard or usb device which has to be inserted in to the machine, and unlocked using a pin / password / fingerprint.

Both Machine and User authentication both go via RADIUS.

Hope this helps,

Richard

kfarrington · ‎04-04-2008

Hi Richard,

So, to finalise things for my understanding, A users workstation boots up, and even before windows logon (ie, username/password) the TLS does its certificate stuff.

Then if this passes, the computer can see the domain, correct?

Then the user types in his/her username/password and the windows xp logon screen, and this is sent to the AD domain controller (or does it have to be the Radius server) and again, this is using eap-tls? Or is it using kerberos? Sorry for my confusion.

Many thx indeed for your help. Hope things are good at BT (are you in Watford?)

Many thx

Ken

kfarrington · ‎04-04-2008

After reading, i now understand that there is a concept of computer and user certificates on the wireless device.

I assume that the computer cert is auth'd by eap-tls before winlogon and user cert is done at the logon stage?

Any thoughts or documentation on the exact process for eap-tls and windows interaction would be great :)

Many thx

Ken

Richard Atkin · ‎04-07-2008

For the first part, you're spot on, EAP-TLS works AD via RADIUS, the machine gets access to the network (and therefore, access to the domain). This all happens before winlogon, and therefore the machine is able to download policy updates, allow users to change expired passwords, etc...

The second part is configurable depending upon what you want to do. You can have the user login process just go straight to AD, and the machine stays logged in to the network using its own certificate. This generally isn't recommended because people *could potentially* login to the machine with a local account and still get access to your network, which is a security risk (ie, steal a laptop, then brute force the password until they're in). The second, more secure way is to pass the user login to AD via RADIUS in the same way as the machine login. This way if somebody does perform a local login, the machine will get kicked off the network, and if somebody tries to brute force the password, they'll hit the IDS / IPS rules on the WLC and get excluded for a period of time - hampering their efforts massively and generating lots of alert messages along the way.

I've attached a Microsoft document that talks about how to set all of this up from scratch - may help with your understanding.

Any questions, just ask.

Richard

kfarrington · ‎04-23-2008

I am really sorry to have to ask. Think I am 99% there.

Machine certificate, this happens before winlogon.exe correct?

User certificate (is this optional) this certficiate is exchanged (with Radius as AD domain controllers cannot support EAP-TLS) when you input username/password and then the laptop starts off another TLS exchange for the user cert?

If you dont have the user certificate setup, the user can just authenticate directly to AD? But could be a security risk?

Have I got this right mate?

Sorry for not understanding fully :)

Must be my Age

Many thx

Ken