<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: AD credential during the 802.1x wireless SSID connection in Wireless</title>
    <link>https://community.cisco.com/t5/wireless/ad-credential-during-de-802-1x-wireless-ssid-connection/m-p/5088755#M271005</link>
    <description>&lt;P&gt;If your users are prompted to trust a certificate, the rest of the security mechanisms are basically useless because this is the number one attack surface for 802.1X. Always make sure that the machine is already trusting your root cert through GPOs or MDM.&lt;/P&gt;
&lt;P&gt;For the rest of the question,&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/291804"&gt;@Mark Elsen&lt;/a&gt;&amp;nbsp;gave an important hint. Use client certificates. With them, only a user or device with a certificate can connect, and the user password is not used in the authentication process. Using certificates and setting up a CA is one of the most challenging parts of the wireless security setup. Better get someone to help you with that.&lt;/P&gt;</description>
    <pubDate>Fri, 03 May 2024 12:50:17 GMT</pubDate>
    <dc:creator>Karsten Iwen</dc:creator>
    <dc:date>2024-05-03T12:50:17Z</dc:date>
    <item>
      <title>AD credential during the 802.1x wireless SSID connection</title>
      <link>https://community.cisco.com/t5/wireless/ad-credential-during-de-802-1x-wireless-ssid-connection/m-p/5088586#M271003</link>
      <description>&lt;P&gt;Dear Community.&lt;/P&gt;&lt;P&gt;I configured an SSID for employees to use, then selected the security type of this SSID as 802.1x. I made the necessary configurations on WLC and ISE. Currently, an employee can authenticate and connect to the wireless network through the certificate installed on the computer during Uitrol. In this process, when the employee clicks on the SSID, he does not enter any username or password, he just says trust the certificate and connects to the network.&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;My question is this: If someone wants to connect to this SSID with an external device that is not in AD, a screen appears asking for username and password. Here, this network may become vulnerable to attacks such as brute-force attacks. Is there an effective way to prevent this? When an external device wants to connect to this SSID, is it possible to reject the direct connection request if it does not have a certificate?&lt;/P&gt;</description>
      <pubDate>Fri, 03 May 2024 10:41:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/wireless/ad-credential-during-de-802-1x-wireless-ssid-connection/m-p/5088586#M271003</guid>
      <dc:creator>yakp</dc:creator>
      <dc:date>2024-05-03T10:41:26Z</dc:date>
    </item>
    <item>
      <title>Re: AD credential during the 802.1x wireless SSID connection</title>
      <link>https://community.cisco.com/t5/wireless/ad-credential-during-de-802-1x-wireless-ssid-connection/m-p/5088727#M271004</link>
      <description>&lt;P&gt;&lt;U&gt;&lt;STRONG&gt;&lt;EM&gt;&amp;gt; ... is it possible to reject the direct connection request if it does not have a certificate?&lt;/EM&gt;&lt;/STRONG&gt;&lt;/U&gt;&lt;BR /&gt;- Essentially not, because connecting to an SSID is just like connecting a cable to an outlet. You could probably configure the ISE policy such that &lt;U&gt;both&lt;/U&gt; &lt;FONT color="#0000FF"&gt;&lt;EM&gt;machine certificate&lt;/EM&gt;&lt;/FONT&gt; and user authentication are required if the latter is tried.&lt;/P&gt;
&lt;P&gt;M.&lt;/P&gt;</description>
      <pubDate>Fri, 03 May 2024 12:32:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/wireless/ad-credential-during-de-802-1x-wireless-ssid-connection/m-p/5088727#M271004</guid>
      <dc:creator>Mark Elsen</dc:creator>
      <dc:date>2024-05-03T12:32:13Z</dc:date>
    </item>
    <item>
      <title>Re: AD credential during the 802.1x wireless SSID connection</title>
      <link>https://community.cisco.com/t5/wireless/ad-credential-during-de-802-1x-wireless-ssid-connection/m-p/5088755#M271005</link>
      <description>&lt;P&gt;If your users are prompted to trust a certificate, the rest of the security mechanisms are basically useless because this is the number one attack surface for 802.1X. Always make sure that the machine is already trusting your root cert through GPOs or MDM.&lt;/P&gt;
&lt;P&gt;For the rest of the question,&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/291804"&gt;@Mark Elsen&lt;/a&gt;&amp;nbsp;gave an important hint. Use client certificates. With them, only a user or device with a certificate can connect, and the user password is not used in the authentication process. Using certificates and setting up a CA is one of the most challenging parts of the wireless security setup. Better get someone to help you with that.&lt;/P&gt;</description>
      <pubDate>Fri, 03 May 2024 12:50:17 GMT</pubDate>
      <guid>https://community.cisco.com/t5/wireless/ad-credential-during-de-802-1x-wireless-ssid-connection/m-p/5088755#M271005</guid>
      <dc:creator>Karsten Iwen</dc:creator>
      <dc:date>2024-05-03T12:50:17Z</dc:date>
    </item>
    <item>
      <title>Re: AD credential during the 802.1x wireless SSID connection</title>
      <link>https://community.cisco.com/t5/wireless/ad-credential-during-de-802-1x-wireless-ssid-connection/m-p/5104850#M271553</link>
      <description>&lt;P&gt;Thanks for your comment, Marce. How can I configure both? I already have a machine certificate configured. For user authentication, what should I choose in the ISE policy?&lt;/P&gt;</description>
      <pubDate>Wed, 15 May 2024 09:50:23 GMT</pubDate>
      <guid>https://community.cisco.com/t5/wireless/ad-credential-during-de-802-1x-wireless-ssid-connection/m-p/5104850#M271553</guid>
      <dc:creator>yakp</dc:creator>
      <dc:date>2024-05-15T09:50:23Z</dc:date>
    </item>
  </channel>
</rss>

