Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
637
Views
5
Helpful
4
Replies

EAP-TLS User Certificate Question

raun.williams
Level 3
Level 3

‎10-30-2008 12:47 PM - edited ‎03-10-2019 04:09 PM

I've setup a test ACS server and have everything functioning correctly including the WLAN. However, is there anyway for EAP-TLS to use ONLY the machine certificate and not the user certificate? We are not currently setup with per-user certificates. I'm guessing not on this... My primary question then is with User Certificates, how do you handle the following scenerio:

I have many CoW's (computer on wheels) through out the hospital that nurses use for inputting patient information. They all have a simple generic username/password (BADDD!!!!) so with this user it won't be hard to have default_user certificate install on the machines. But what if Doctor X decideds to walk up to one of these CoW's and wants to logout and log back in with his user/password on a machine he's never used before. How do we handle making sure he's able to connect if doesn't already have a cert on this computer? I'm quite mistified by this.

Thanks

-Raun

Labels:
0 Helpful
4 Replies 4

george.ellis
Level 1
Level 1

‎11-04-2008 09:40 AM

If you are using the MS Supplicant, you need the following registry settings:

"HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMode", 2, "REG_DWORD"

"HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode", 3, "REG_DWORD"

This forces it to only use hardware certificates and sets the authentication to do the correct RFC polling.

As for the other issue, MS CA user certs do not "roam". Yet. There is discussion of roaming credentials being in Windows 7, but not entirely what that means. Roaming certificates can be easier with a product like Venafi. There "Encryption Management" tools are certificate management suites. The do have roaming management, or at least did when we talked to them.

Oh, and if you use two CAs (hardware and user), the separation keeps it straight too.

raun.williams
Level 3
Level 3
In response to george.ellis

‎11-04-2008 11:52 AM

Thank you! I've looked at the authmode/supplicantmode in the past but had not tried it in trying to get user authentication working as well. I appreciate your answer on the roaming profiles, clears quite a bit up. I do have a question though. I've noticed with my laptop with the reg hack and machine authentication only, i seem to authenticate alot? Looking at my ACS server logs it can span between a few minutes to 30 minutes. Doesn't seemed to tied to the EAP timeout period either. Any ideas on this? I ask because I noticed at one point I lost my IP and then it reauthenticated.

0 Helpful

george.ellis
Level 1
Level 1
In response to raun.williams

‎11-04-2008 12:01 PM

I would guess that you are crossing from access point to access point. We do wired, so do not see this ;)

0 Helpful

raun.williams
Level 3
Level 3
In response to george.ellis

‎11-04-2008 12:03 PM

Yeah, I ment to put in my message that I was stationary. So not sure what it is. Trying PEAP-TLS with machine authentication, see what that does.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents