EAP-TLS over wireless

Answered Question
Jun 11th, 2010

Quick question for you EAP experts out there.


I want to be able to deploy EAP-TLS. I understand that you need a machine and user certificate. Does this mean that I would have to place the certificate for each user account on that particular laptop if utilised by more than one member of staff?


Thanks in advance.


Chris

Correct Answer
jhedstr2 Wed, 06/16/2010 - 05:43

Hi Chris,



If many users share clients, it can be a problem that all users' certificates have to be on the shared hardware. I had this issue in a school, and we ended up using EAP-TLS with only a hardware certificate. You don't get full security in this case since you only verify the hardware, but on the other hand, the user has to log in to the domain, so users will be verified as well. Just not by the wireless system.


//Johan

Elliott Shawd Wed, 06/16/2010 - 10:16

I would set up a new RADIUS login specifically for that client and configure all accounts on the client to use the same credentials and cert to log on to the wireless network.
