802.1x port based authentication

Hello, regarding 802.1x switchport based authentication using client GPO generated certificates.

When this is implemented, do most companies use:

- a 'computer' certificate for authentication.

- both the above computer certificate and also a 'user' certificate?

Thanks kindly.

6 REPLIES 6
Highlighted
Advisor

I can't comment on "most companies", but when I have done it I use both - because it makes for the most reliable simple setup.

Highlighted

Hello Philip, thanks for that.

How does using both a client and computer certificate make it more reliable?

How does the client certificate work when you have multiple users on that machine?

Thanks kindly for any information.

Highlighted

Because (by default) Windows uses a machine certificate before the user logs in to apply group policies and perform user authentication.

After that it re-authenticates with 802.1x using the user details.

To change the behaviour you need to change a lot of group policy settings.

Highlighted

Hello Phillip, currently we do not use any client side certificates.

It is only now that I am implementing port based 802.1x that we will be using certificate authentication.

This is just an upgrade from our previous switchport port-security method which just tested for MAC address matching the sticky entry.

Therefore, with my new 802.1x port based authentication would it be fine just to use 'computer' certificates rather than 'computer' and 'client' certificates?

Highlighted

Are you mostly using Windows machines? If so, I would use much simpler PEAP authentication. You can then authenticate computers and users based on their logged on credentials. Much easier.

You can use just computer certificates. Like I said (for the reasons already given), it usually makes it more difficult than using both computer and user certificates.

Highlighted

Hello, regarding 802.1x switchport based authentication using client GPO generated certificates.
When this is implemented, do most companies use:
- a 'computer' certificate for authentication.
- both the above computer certificate and also a 'user' certificate ?
Thanks kindly.

Hi,

Even when we did the implementation, we added both the configuration and certificates at server and client to get proper authentication and reliable communication for handshake.

-GI
