Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1021
Views
0
Helpful
1
Replies

802.1x authentication certificate and username options

Go to solution
bryant496
Level 1
Level 1

‎03-20-2018 02:44 AM

Hello I am hoping that someone may be able to help me understand if an idea is possible with 802.1x authentication via a single SSID.

My aim: to 802.1x authenticate corporate machines/users via a certificate so they are not required to enter details when using a corporate issued device (laptop/smartphone etc…), but if the device is not a corporate they are use our current off site RADIUS server solution to authenticate via 802.1x username & password.

First of all is this possible? So if a certificate is available on the device, if will authenticate locally and a policy set to allow native LAN as per wired clients, and if there is no certificate, they will be forwarded onto our 3rd party hosted RADIUS server with user entered credentials and user the Meraki “VPN: tunnel data to a concentrator” back to our MX in our DMZ so guests can still have internet access, while being isolated from our corporate data.

We want to continue to use our 3rd party RADIUS server as this is shared service with other partner company’s etc…

Secondly how would be go about this?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
dmh
Level 5
Level 5

‎03-20-2018 05:26 AM

Yes, this is possible.

The client configuration (supplicant) determines the authentication type attempted (and accepted). The corporate machines will have a certificate and be configured (manually or via Group Policy) to use the certificate for authentication via EAP-TLS.

Non-corporate devices will need to auto-detect (which some clients do well like iOS) or be manually configured to use a username and password EAP type (such as PEAP).

The ISE authentication policy can check the EAP authentication type in the request and if it is EAP-TLS use certificate based authentication. If the authentication request is PEAP ISE can proxy the authentication off to the other RADIUS server.

I have implemented something just like this, however, I would still set this up to test your use cases and the client experience and ensure RADIUS interoperability to make sure it does exactly what you want.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
dmh
Level 5
Level 5

‎03-20-2018 05:26 AM

Yes, this is possible.

The client configuration (supplicant) determines the authentication type attempted (and accepted). The corporate machines will have a certificate and be configured (manually or via Group Policy) to use the certificate for authentication via EAP-TLS.

Non-corporate devices will need to auto-detect (which some clients do well like iOS) or be manually configured to use a username and password EAP type (such as PEAP).

The ISE authentication policy can check the EAP authentication type in the request and if it is EAP-TLS use certificate based authentication. If the authentication request is PEAP ISE can proxy the authentication off to the other RADIUS server.

I have implemented something just like this, however, I would still set this up to test your use cases and the client experience and ensure RADIUS interoperability to make sure it does exactly what you want.

0 Helpful
Customers Also Viewed These Support Documents