
EAP-TLS authentication with ACS 5.2

davidlow8606
Level 1

Hi all,

I have a question on EAP-TLS with ACS 5.2.

If I would like to implement EAP-TLS with a Microsoft CA, how will the machine and user authentication take place?

I understand that certs are required on both the client and server end, but is this certificate tied to the machine or to an individual user?

If it is tied to the user, and I have a shared PC which is logged into by a few users, does that mean every user account will have its own certificate?

And will every individual user have to manually get the cert from the CA? Is there any other method, as my environment has more than 3000 PCs?

And also, if it is tied to the user, all users can get their cert from the CA with their AD login name and password; if they bring in their own device and try to get the cert from the CA, they will be able to successfully install the cert on their device, right?

Hope you guys can help on this. Thanks.

7 Replies

Jatin Katyal
Cisco Employee (Accepted Solution)

Hope this will answer most of your questions:

Client or user certificate

http://www.cisco.com/en/US/partner/tech/tk59/technologies_tech_note09186a00804b976b.shtml#t10

Machine certificate

http://www.cisco.com/en/US/partner/tech/tk59/technologies_tech_note09186a00804b976b.shtml#t15

In the case of EAP-TLS, we have to have machine and user certificates installed on the machines.

Regards,

Jatin

Do rate helpful posts.

~Jatin

Hi Jatin,

Thanks for the reply. But what about the user's own device? Will the user be able to get the user certificate on their own?

If using both a user cert and a machine cert, then the user will not be challenged for any credentials during the authentication process, right?

Regards,
David

If the user is not a part of the domain, they won't get a certificate, hence they won't be able to connect.

In EAP-TLS, there is no user/password prompt. It's pure certificate authentication, so yes, users will not get any prompt for a username and password.

Regards,

Jatin

~Jatin

Hi Jatin,

One last question: I am wondering whether you have come across doing machine authentication only?

Let's forget about EAP-TLS. If I am using PEAP with MS-CHAPv2, and I would only like to do machine authentication, then as long as the computer is part of the domain computers, it will be able to access the network, right?

What if this computer is part of the domain, but the user logs in to the local PC instead of the domain; will they still get full access to the network?

Thanks.

Regards,

David

Yes, you can configure:

machine authentication only

user authentication only

Machine and user authentication.

Machine or user authentication

So machine authentication only is quite a common scenario. Correct, as long as the machine is a part of a domain, you will be authenticated via machine authentication.

PEAP-based machine authentication uses PEAP (EAP-MS-CHAPv2) and the password for the computer, established automatically when it was added to the Microsoft Windows domain. The computer sends its name as the username, and the format is:

host/computer.domain

If the machine is a valid machine in the domain, then during the boot process, once the HAL is loaded, the system begins loading device drivers to support the various hardware devices configured on the client in question. After loading the device drivers, the network interface is initialized. At this point, the machine starts getting an IP address, and once that is done, the user may have access to most of the network.

Regards,

Jatin

~Jatin
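The four policy modes listed in the reply above, worked through as an added example (this is not code from the thread and not Cisco ACS code): a small Python model of a RADIUS server that classifies each EAP identity as a machine (host/computer.domain) or a user, keeps a machine-access-restriction style cache keyed on the client's Calling-Station-Id with an aging window (modelled on the feature of that name in ACS 5.x), and decides every request under each mode. The log layout, MAC addresses, timestamps, aging window and all helper names are constructed for the example.

```python
"""Machine vs. user authentication policy model (added example, not from the thread).

Assumptions, all constructed for this example:
  - identities arrive in the formats the reply describes: host/computer.domain
    for a machine, DOMAIN\\user or user@realm for a user;
  - a machine-access-restriction style cache keyed on Calling-Station-Id
    (the client MAC) with an aging window, modelled after the ACS 5.x feature;
  - the log lines below are made up and use an ad-hoc "key=value" layout.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

MODES = ("machine_only", "user_only", "machine_and_user", "machine_or_user")

# host/pc1.example.com  -> the computer account (PEAP machine authentication)
MACHINE_RE = re.compile(r"^host/(?P<fqdn>[A-Za-z0-9.-]+)$")
# EXAMPLE\alice or alice@example.com -> a user account
USER_RE = re.compile(r"^(?:[A-Za-z0-9.-]+\\)?[A-Za-z0-9._-]+(?:@[A-Za-z0-9.-]+)?$")


def classify_identity(user_name: str) -> str:
    """Return 'machine' or 'user' for a RADIUS User-Name / EAP identity."""
    if MACHINE_RE.match(user_name):
        return "machine"
    if USER_RE.match(user_name):
        return "user"
    raise ValueError("unrecognised identity: %r" % user_name)


@dataclass
class AuthEvent:
    ts: int                 # seconds on a constructed timeline
    calling_station: str    # client MAC (Calling-Station-Id)
    user_name: str          # EAP identity
    credential_ok: bool     # outcome of the MS-CHAPv2 or certificate check


class MachineAccessPolicy:
    """Decide accept/reject for one of the four machine/user modes."""

    def __init__(self, mode: str, aging_seconds: int = 8 * 3600) -> None:
        if mode not in MODES:
            raise ValueError("unknown mode: %r" % mode)
        self.mode = mode
        self.aging = aging_seconds
        # Calling-Station-Id -> timestamp of the last successful machine auth
        self._machine_seen: Dict[str, int] = {}

    def decide(self, ev: AuthEvent) -> str:
        if not ev.credential_ok:
            return "reject"                      # bad password or bad certificate
        kind = classify_identity(ev.user_name)
        if kind == "machine":
            if self.mode == "user_only":
                return "reject"                  # computer accounts not allowed
            self._machine_seen[ev.calling_station] = ev.ts
            return "accept"
        # a user identity from here on
        if self.mode == "machine_only":
            return "reject"
        if self.mode in ("user_only", "machine_or_user"):
            return "accept"
        # machine_and_user: the same endpoint must have passed machine auth
        # recently, which a domain user on a personal laptop never does
        seen: Optional[int] = self._machine_seen.get(ev.calling_station)
        if seen is not None and ev.ts - seen <= self.aging:
            return "accept"
        return "reject"


# Constructed sample log: pc1 boots and authenticates as a machine, then alice
# logs on to pc1; bob uses his own non-domain laptop with valid AD credentials;
# pc3 presents a wrong machine password.
SAMPLE_LOG = r"""
t=100 mac=00:11:22:33:44:55 user=host/pc1.example.com ok=1
t=160 mac=00:11:22:33:44:55 user=EXAMPLE\alice ok=1
t=200 mac=66:77:88:99:aa:bb user=EXAMPLE\bob ok=1
t=260 mac=cc:dd:ee:ff:00:11 user=host/pc3.example.com ok=0
"""
LINE_RE = re.compile(r"^t=(\d+) mac=(\S+) user=(\S+) ok=([01])$")


def parse_log(text: str) -> List[AuthEvent]:
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError("bad log line: %r" % line)
        ts, mac, user, ok = m.groups()
        events.append(AuthEvent(int(ts), mac, user, ok == "1"))
    return events


def run_log(mode: str, text: str = SAMPLE_LOG) -> List[str]:
    """Replay the log through a fresh policy and return one decision per line."""
    policy = MachineAccessPolicy(mode)
    return [policy.decide(ev) for ev in parse_log(text)]


if __name__ == "__main__":
    for mode in MODES:
        print("%-17s %s" % (mode, run_log(mode)))
```

The third log line is the "bring their own device" case from the question: under machine_and_user bob's valid AD password is not enough, because his laptop never passed machine authentication from that MAC, while machine_or_user lets him in. The model also shows the local-logon case: a user who signs in to pc1 with a local account generates no user authentication event, so the endpoint keeps whatever the machine authentication decided at boot.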

Hi Jatin,

Is there any chance that I can have access to this document, as the website says that I may not be entitled?

I am in the same dilemma about which EAP type to use and how machine authentication works with certificates.

Mario