EAP-TLS machine and user cert or both

Unanswered Question
Sep 24th, 2010

If I use machine and user certificates, does that mean the machine gets an IP address, authenticates, the user then logs on, which causes another DHCP renew and user authentication? Is it better to use machine and user, or just machine?

Kayle Miller Fri, 09/24/2010 - 07:38

It depends on your needs and applications. The advantage of also using machine authentication is that the machine connects, authenticates and is on the wireless network regardless of whether a user has logged in, which means you can remote access or monitor the machine at that point. I know a lot of facilities that do it that way because they manage the machines with things like SMS, etc. Without machine authentication the computer won't attach to the wireless until a user physically logs into the machine, at which point it passes authentication.

Personally I like the machine authentication; that way you can push updates and other things to the machines without having to either send a person to the machine to login or wait for a user to login so that you can access the machine, it just needs to be on.

In short, machine authentication replicates being hardwired to the network.

Hope this helps... please rate useful posts.

firestartest Fri, 09/24/2010 - 07:50
Thanks. It would seem the customer wants machine and user.

Does this mean that during each phase of authentication the wireless client obtains a new IP address?

Kayle Miller Fri, 09/24/2010 - 08:14

I may be incorrect here, but the only time it would re-IP is if the client is authenticating against ACS and it was to assign a different VLAN to the user than the machine originally authenticated to; otherwise I believe it uses the IP address and session that the machine had already created and just passes the authentication through.

If I am incorrect I am sure someone here will correct me.


firestartest Fri, 09/24/2010 - 08:16

That's the bit I don't quite understand. Does the user get authenticated by ACS after the machine, or does it just get passed to AD?

Examples I have seen so far either show machine or user authentication, not both.

Kayle Miller Fri, 09/24/2010 - 08:45

That is correct: the machine, when it boots, should authenticate to the network and you should see it in the passed authentication logs... Then when the user logs in you should see the user pass authentication as well, unless they aren't using 802.1X for the user.

If the machine fails the user won't/shouldn't be able to pass authentication.
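The machine-then-user sequence and the VLAN/re-IP question discussed in this thread, as an added example that is not part of the original posts and not any vendor's code: a small Python policy simulator that walks a constructed authentication log in order, applies a machine-first rule (in the spirit of ACS machine access restrictions), and reports whether each accepted authentication keeps the client's existing IP lease or forces a renew because the assigned VLAN changed. The `host/<fqdn>` identity prefix is the Windows supplicant convention; the log format, the MAC addresses, the VLAN numbers and the 8-hour aging window are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical aging window for a machine-authentication record. Products that
# implement machine access restrictions make this configurable; 8 hours here
# is only an illustrative value.
MAR_WINDOW_SECONDS = 8 * 3600

# Constructed authentication log: time in seconds, client MAC, EAP identity,
# outcome of certificate validation, and the VLAN the policy would assign.
SAMPLE_LOG = [
    # laptop1 boots, machine cert validates, then alice logs on in the same VLAN
    "1000 mac=00:11:22:33:44:55 identity=host/laptop1.example.com cert=valid vlan=10",
    "1300 mac=00:11:22:33:44:55 identity=alice@example.com cert=valid vlan=10",
    # laptop2: user policy moves bob to a different VLAN than the machine got
    "2000 mac=00:11:22:33:44:66 identity=host/laptop2.example.com cert=valid vlan=10",
    "2200 mac=00:11:22:33:44:66 identity=bob@example.com cert=valid vlan=20",
    # laptop3: machine cert rejected, so carol's valid user cert must not get through
    "3000 mac=00:11:22:33:44:77 identity=host/laptop3.example.com cert=invalid vlan=-",
    "3100 mac=00:11:22:33:44:77 identity=carol@example.com cert=valid vlan=10",
    # laptop1 again, long after its machine record has aged out
    "40000 mac=00:11:22:33:44:55 identity=alice@example.com cert=valid vlan=10",
]


@dataclass
class Endpoint:
    mac: str
    machine_authed_at: Optional[int] = None  # time of last good machine auth
    vlan: Optional[int] = None               # VLAN the client currently holds a lease in


def parse_line(line: str) -> dict:
    """Turn one 'time k=v k=v ...' log line into a dict with an int time."""
    ts, *pairs = line.split()
    rec = {"t": int(ts)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def is_machine_identity(identity: str) -> bool:
    """Windows supplicants present the computer account as host/<fqdn>."""
    return identity.startswith("host/")


def vlan_action(ep: Endpoint, vlan: Optional[int]) -> str:
    """Decide whether this authentication changes the client's IP situation."""
    if vlan is None:
        return "none"
    if ep.vlan is None:
        ep.vlan = vlan
        return "initial-dhcp"      # first VLAN: client obtains its first lease
    if vlan == ep.vlan:
        return "keep-ip"           # same VLAN: existing session and lease stay
    ep.vlan = vlan
    return "renew-ip"              # VLAN changed: client must re-address


def evaluate(lines: List[str], window: int = MAR_WINDOW_SECONDS) -> List[dict]:
    """Apply the cert result plus the machine-first rule to each line in order."""
    endpoints: Dict[str, Endpoint] = {}
    results = []
    for line in lines:
        rec = parse_line(line)
        ep = endpoints.setdefault(rec["mac"], Endpoint(rec["mac"]))
        cert_ok = rec["cert"] == "valid"
        vlan = None if rec["vlan"] == "-" else int(rec["vlan"])
        out = {"t": rec["t"], "identity": rec["identity"], "vlan_action": "none"}

        if is_machine_identity(rec["identity"]):
            if cert_ok:
                ep.machine_authed_at = rec["t"]
                out.update(decision="accept", reason="machine cert valid",
                           vlan_action=vlan_action(ep, vlan))
            else:
                ep.machine_authed_at = None
                out.update(decision="reject", reason="machine cert invalid")
        elif ep.machine_authed_at is None:
            out.update(decision="reject", reason="no valid machine auth")
        elif rec["t"] - ep.machine_authed_at > window:
            out.update(decision="reject", reason="machine auth expired")
        elif not cert_ok:
            out.update(decision="reject", reason="user cert invalid")
        else:
            out.update(decision="accept", reason="user cert valid",
                       vlan_action=vlan_action(ep, vlan))
        results.append(out)
    return results


if __name__ == "__main__":
    for r in evaluate(SAMPLE_LOG):
        print(f'{r["t"]:>6} {r["identity"]:<32} {r["decision"]:<7} '
              f'{r["reason"]:<24} {r["vlan_action"]}')
```

Running it shows the three cases the thread raises: alice on laptop1 is accepted with `keep-ip` because her VLAN matches the machine's, bob on laptop2 is accepted with `renew-ip` because policy moved him to a different VLAN, and carol on laptop3 is rejected even with a valid user certificate because the machine never passed. The last line shows the aging behaviour of the machine record; pass a larger `window` to `evaluate()` to see that same attempt accepted.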

firestartest Fri, 09/24/2010 - 12:36

I thought the user being denied if the machine hadn't logged on first was only if you use the machine access restrictions on ACS. Does the same apply if I was using a Microsoft RADIUS server such as IAS?
