Cisco Support Community

EAP-TLS machine and user cert or both

If I use machine and user certificates, does that mean the machine gets an IP address and authenticates, then the user logs on, which causes another DHCP renew and a user authentication? Is it better to use machine and user, or just machine?

6 REPLIES

Re: EAP-TLS machine and user cert or both

It depends on your needs and applications. The advantage of also using machine authentication is that the machine connects, authenticates and is on the wireless network regardless of whether a user has logged in, which means you can remote-access or monitor the machine at that point. I know a lot of facilities that do it that way because they manage the machines with things like SMS, etc. Without machine authentication the computer won't attach to the wireless until a user physically logs into the machine, at which point it passes authentication.

Personally I like machine authentication; that way you can push updates and other things to the machines without having to either send a person to the machine to log in or wait for a user to log in so that you can access the machine. It just needs to be on.

In short, machine authentication replicates being hardwired to the network.

Hope this helps... please rate useful posts.

Thanks,

Kayle


Re: EAP-TLS machine and user cert or both

Thanks. It would seem the customer wants machine and user.

Does this mean that during each phase of authentication the wireless client obtains a new IP address?

Re: EAP-TLS machine and user cert or both

I may be incorrect here, but the only time it would re-IP is if the client is authenticating against ACS and it were to assign a different VLAN to the user than the one the machine originally authenticated to; otherwise I believe it uses the IP address and session that the machine had already created and just passes the authentication through.

If I am incorrect I am sure someone here will correct me.

Thanks,

Kayle


Re: EAP-TLS machine and user cert or both

That's the bit I don't quite understand. Does the user get authenticated by ACS after the machine, or does it just get passed to AD?

Examples I have seen so far show either machine or user authentication, not both.

Re: EAP-TLS machine and user cert or both

That is correct. When the machine boots it should authenticate to the network, and you should see it in the passed authentication logs. Then when the user logs in you should see the user pass authentication as well, unless they aren't using 802.1X for the user.

If the machine fails the user won't/shouldn't be able to pass authentication.


Re: EAP-TLS machine and user cert or both

I thought the user being denied if the machine hadn't logged on first was something that happens if you use the machine access restrictions on ACS. Does the same apply if I were using a Microsoft RADIUS server such as IAS?
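The sequence Kayle describes (a machine authentication in the passed-authentication log, followed by a user authentication from the same client) and the machine-access-restriction behaviour raised in the last post can both be checked from the RADIUS server's authentication log. The script below is an added example, not code from the thread or from Cisco: it correlates machine and user authentications per Calling-Station-Id (client MAC) and reports which user authentications would fail a MAR-style rule, i.e. no successful machine authentication from that MAC, or one older than an aging window. The log format, field order, sample records and the 6-hour aging window are all constructed assumptions for the example, not any vendor's defaults.

```python
"""Correlate 802.1X machine and user authentications per client MAC.

Added example, not from the original thread or from Cisco. The log format,
the field order and the sample records are constructed for the example and
only loosely resemble an ACS Passed/Failed Authentications report. The aging
window models the machine-access-restriction idea of "user allowed only if
this machine authenticated recently"; 6 hours is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: timestamp, result, EAP identity, Calling-Station-Id (MAC)
SAMPLE_LOG = """\
2010-03-01 08:00:05,Passed,host/laptop01.corp.example,00-11-22-33-44-55
2010-03-01 08:01:10,Passed,CORP\\alice,00-11-22-33-44-55
2010-03-01 09:00:00,Failed,host/laptop02.corp.example,00-11-22-33-44-66
2010-03-01 09:01:00,Passed,CORP\\bob,00-11-22-33-44-66
2010-03-01 10:00:00,Passed,CORP\\carol,00-11-22-33-44-77
2010-03-01 20:00:00,Passed,CORP\\dave,00-11-22-33-44-55
"""


@dataclass
class AuthRecord:
    time: datetime
    passed: bool
    identity: str   # EAP identity: "host/<fqdn>" for a Windows machine, "DOMAIN\\user" for a user
    mac: str        # Calling-Station-Id, normalised to upper case with dashes


def is_machine_identity(identity: str) -> bool:
    """Windows machine accounts present themselves as host/<fqdn> (or NAME$ against AD)."""
    return identity.lower().startswith("host/") or identity.endswith("$")


def parse_log(text: str) -> list:
    """Parse the constructed CSV-style log into AuthRecord objects, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, identity, mac = (f.strip() for f in line.split(",", 3))
        records.append(AuthRecord(
            time=datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            passed=(result.lower() == "passed"),
            identity=identity,
            mac=mac.upper().replace(":", "-"),
        ))
    return sorted(records, key=lambda r: r.time)


def check_machine_access(records, max_age=timedelta(hours=6)) -> dict:
    """Decide, for each user authentication, what a MAR-style rule would do.

    Returns {user_identity: (mac, verdict, reason)}. A user gets 'allow' only if
    the same MAC had a successful machine authentication no more than max_age
    before the user authentication; otherwise 'deny' with the reason.
    """
    last_machine_ok = {}        # MAC -> time of most recent passed machine auth
    machine_failed = set()      # MACs whose machine auth failed
    verdicts = {}
    for r in records:
        if is_machine_identity(r.identity):
            if r.passed:
                last_machine_ok[r.mac] = r.time
            else:
                machine_failed.add(r.mac)
            continue
        # User authentication: look for a recent successful machine auth from this MAC
        when = last_machine_ok.get(r.mac)
        if when is None:
            reason = "machine auth failed" if r.mac in machine_failed else "no machine auth from this MAC"
            verdicts[r.identity] = (r.mac, "deny", reason)
        elif r.time - when > max_age:
            verdicts[r.identity] = (r.mac, "deny", f"machine auth {r.time - when} old, exceeds aging window")
        else:
            verdicts[r.identity] = (r.mac, "allow", "machine authenticated recently")
    return verdicts


if __name__ == "__main__":
    for user, (mac, verdict, reason) in check_machine_access(parse_log(SAMPLE_LOG)).items():
        print(f"{user:<14} {mac}  {verdict:<5} ({reason})")
```

Run against the constructed log, alice is allowed (her machine passed 65 seconds earlier), bob is denied because laptop02's machine authentication failed, carol is denied because no machine ever authenticated from her MAC, and dave is denied because the only machine authentication from his MAC is about 12 hours old. Keying on Calling-Station-Id rather than on the identity string is what lets the check work for EAP-TLS, where the machine and user certificates carry unrelated names.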
