Wireless authentication (windows)

In windows under the wireless profile >> security >> setting >> advanced you can chose

user auth
Computer auth
guest
user or computer auth

But for my security I want to get both the user and the computer to send there credentials. I want on my central authentication server to say

1. if user is OK put in to VLAN A
2. if machine is OK put in to VLAN A

if user and machine are OK put in to VLAN B

Trouble if a device is logged on and it comes in to wireless coverage it just sends the user credentials. I really need it to send both.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

NightShade1

I guess it will depend on the wireless Vendor you using...
With Aruba this is possible with the machine authentication feature.
If the user is authenticated but not the machine then you will get X role( we do not need differente vlans for different permissions)
In this role you wont get any access. If the machine AND the user is authenticated you will get Y role which give you access...
I dont know if that is what you are looking for?

You should name your wireless Vendor which i bealive is cisco for your certs? if Cisco does have something similar to Aruba Machine authentication you should be able to do it!
But it something you do on your Wireless controller not on the Windows side(or at least thats how i do it with Aruba)

NightShade1

Also you have to configure both network policy rules on the NPS, i mean one network policy role for the users and another policy rule for the machine authentication, it cannot be in the same rule! must be separated!

DevilWAH

see with wired I can do it as when the machine turns it authenticates and then when the user logs in they authenticate. Authentication server sees both and they policy checks both and gives access.

AS I understand windows, when a user logs on then user authentication is used. IF a user logs off or has not yet loged on then it re-authenticated with machine auth. It seems however windows is hard coded to use "user" or "Machine", so if the Wireless network is present for both then you can use a policy to check machine and user are authenticated, but I don't see how the wireless can "tell" the device which one to use.

DevilWAH

NightShade1 wrote: »

Also you have to configure both network policy rules on the NPS, i mean one network policy role for the users and another policy rule for the machine authentication, it cannot be in the same rule! must be separated!

On ISE you can have it the same rule, one of the options to chose when building the rule base is "was machine authenticated"

DevilWAH

Update on further reading you can do this with NPS servers as they can check the machine is authenticated with out it having to be sent via wireless. (not sure how accurate this is

)

The issue with the windows machine auth and ACS (and ISE is the same) that windows sends the machine auth trigger only when it boots. so, if the user is already logged in the machine auth can not be triggered.
Rather than rebooting the machine, I thing logging off and on will trigger the machine auth request as well.
Microsoft RADIUS (NPS or the older IAS) can detect the machine auth status while the user is up and running. This is because windows and the radius from same vendor, they fit with each other better.

Because using EAP-TLS user cert ISE is never sent any device info (apart from mac address) so has nothing to use to authenticate the machine. unless as before the user logs of and on.

NightShade1

DevilWAH wrote: »

see with wired I can do it as when the machine turns it authenticates and then when the user logs in they authenticate. Authentication server sees both and they policy checks both and gives access.

AS I understand windows, when a user logs on then user authentication is used. IF a user logs off or has not yet loged on then it re-authenticated with machine auth. It seems however windows is hard coded to use "user" or "Machine", so if the Wireless network is present for both then you can use a policy to check machine and user are authenticated, but I don't see how the wireless can "tell" the device which one to use.

Yes i bealive its hard coded as well... thats why you need to do it with the machine authentication feature on the Aruba Controller... Also the machine authentication just happen when logging on and logging off the computer as far i understand

DevilWAH wrote: »

On ISE you can have it the same rule, one of the options to chose when building the rule base is "was machine authenticated"

Well i though you had Windows RAdius(NPS) guess i was assuming that too early

DevilWAH

Ahh so same issue I am having, if the machine is not in wireless range during log in it will have issue.

DevilWAH

OK so how do you tell windows 7 what computer cert to use for a wireless connection for EAP-TLS, some of our laptops have multiply certs and I can't see any way of making it chose the right one?

NightShade1

I have deployed EAP TLS but we have use user certificates not machine certificates...
We just had to put the user certificate under personal folder on the certificate snap in on the computers...

Cheers
Carlos

DevilWAH

For user certs we just set up a GP to auto enroll uses, and I do the same for computer certs.

When you use user authentication if there is more than one cert then you get the pop up and you can chose the cert to use. But for machine based it does not give you the choice. it just chooses one by default and if that fails then it cant connect.

Sounds like Windows 8 or if you install 3rd part app you can manage it better, but not sure how to do it other wise.

Annoyingly due to bad practice people have created a new cert template for every different requirement. So you see computers and users with 4+ cert from the same CA, all with identical settings apart from the SAN. Because many don't contain the Principle name here they don't work for wireless WAP-TLS which I need as its required by the global wireless network we are signed up to.

I think I a going to strip them all out and replace with a single Computer cert and a single User cert where possible. Not just for this wireless authentication but just a housekeeping exercise.