03-11-2017 03:04 PM - edited 03-08-2019 09:42 AM
Hello, regarding 802.1x switchport based authentication using client GPO generated certificates.
When this is implemented, do most companies use:
- a 'computer' certificate for authentication.
- both the above computer certificate and also a 'user' certificate?
Thanks kindly.
03-11-2017 03:21 PM
I can't comment on "most companies", but when I have done it I use both - because it makes for the most reliable simple setup.
03-12-2017 12:15 PM
Hello Philip, thanks for that.
How does using both a client and computer certificate make it more reliable?
How does the client certificate work when you have multiple users on that machine?
Thanks kindly for any information.
03-12-2017 01:31 PM
Because (by default) Windows uses a machine certificate before the user logs in to apply group policies and perform user authentication.
After that it re-authenticates with 802.1x using the user details.
To change the behaviour you need to change a lot of group policy settings.
03-12-2017 02:39 PM
Hello Phillip, currently we do not use any client side certificates.
It is only now that I am implementing port based 802.1x that we will be using certificate authentication.
This is just an upgrade from our previous switchport port-security method which just tested for MAC address matching the sticky entry.
Therefore, with my new 802.1x port based authentication would it be fine just to use 'computer' certificates rather than 'computer' and 'client' certificates?
03-12-2017 03:40 PM
Are you mostly using Windows machines? If so, I would use much simpler PEAP authentication. You can then authenticate computers and users based on their logged on credentials. Much easier.
You can use just computer certificates. Like I said (for the reasons already given), it usually makes it more difficult than using both computer and user certificates.
03-12-2017 04:32 AM
Hi,
Even when we did the implementation, we added both the configuration and certificates at server and client to get proper authentication and reliable communication for handshake.
-GI