I'm trying to set up RADIUS authentication with one certificate per user, all automatically.
I managed to set up RADIUS authentication, but unfortunately I didn't manage to set up certificate authentication.
In my case I think the WLC configuration is correct.
How can I make sure that the connection is only made when both the certificate and the AD account are correct?
Thank you for your help.
I appreciate it,
That depends solely on your RADIUS server. Configure the SSID for WPA2 with Enterprise authentication.
Here, for example, is a manual for NPS RADIUS:
In the tutorials I don't see the steps to perform.
I would like to allow AD authentication coupled with certificate authentication.
To certify the workstation as well as the account.
If the PC has a valid AD account but not the certificate, then no connection.
If the PC does not have an AD account but has the certificate installed, then no login.
If the PC has the AD account + certificate, then the connection is made.
The clean way to do it is to use Cisco ISE as the RADIUS server and AnyConnect NAM on the client; this is called EAP Chaining.
Note 1: AnyConnect NAM is not supported on macOS.
Note 2: implementing this kind of authentication does not support "fast" roaming such as the 802.11r (FT) feature.
For more info check "Understanding EAP-FAST and Chaining implementations on AnyConnect NAM and ISE": https://www.cisco.com/c/en/us/support/docs/wireless-mobility/eap-fast/200322-Understanding-EAP-FAST-and-Chaining-imp.html
The non-clean way to do it is to use Cisco ISE as the RADIUS server and configure it to use Machine Access Restrictions (MAR).
Machine Access Restriction Pros and Cons: https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html
The newer way to do it, without MAR or AnyConnect, is to use ISE 2.7 and later with a client that supports TEAP (Tunnel Extensible Authentication Protocol). So far this is supported on Windows 10 build 2004, but I don't see Apple supporting it yet. For more info check "EAP Chaining with TEAP": https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html
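To make the difference between the "clean" and the "non-clean" approach in the answer above concrete, here is an added example (not code from the thread, from Cisco ISE or from NPS) that models the two authorization decisions a RADIUS server makes. With EAP chaining (EAP-FAST or TEAP) the machine and user credentials travel in one tunnel and the server sees a single chaining result, so "both must succeed" is one comparison. With MAR the machine and user authentications are separate sessions that the server correlates by client MAC through a cache that ages out, which is where its well-known failure mode comes from. The four EapChainingResult strings are the values ISE documents; the Request class, the cache layout, the aging time and the sample MAC addresses are assumptions made for this example.

```python
"""Model of two ways a RADIUS server can require BOTH a machine credential
and an AD user credential before granting network access.

Constructed illustration, not ISE or NPS code. The chaining result strings
follow ISE's Network Access:EapChainingResult attribute; everything else
(Request layout, cache structure, timings) is an assumption for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Values ISE reports in Network Access:EapChainingResult after an
# EAP-FAST/TEAP exchange that carried both identities in one tunnel.
BOTH_OK = "User and machine both succeeded"
USER_ONLY = "User succeeded and machine failed"
MACHINE_ONLY = "User failed and machine succeeded"
NO_CHAINING = "No chaining"

FULL = "full"                 # user + machine verified: normal access
MACHINE_ONLY_ACCESS = "machine-only"  # machine verified only: restricted access
REJECT = "reject"


@dataclass
class Request:
    """Subset of a RADIUS Access-Request as seen by the policy engine (assumed)."""
    calling_station_id: str                    # client MAC address
    identity: str                              # "host/pc01.corp.example" or "corp\\alice"
    credential_ok: bool                        # result of the inner method (cert / password)
    eap_chaining_result: Optional[str] = None  # present only for EAP-FAST/TEAP chaining
    now: float = 0.0                           # seconds; injected so the model is deterministic


def eap_chaining_decision(req: Request) -> str:
    """Clean way: one session carries both identities, so the policy is a
    single check on the chaining result. The requirement from the thread
    (account without certificate -> no, certificate without account -> no)
    maps directly onto "both succeeded"."""
    if req.eap_chaining_result == BOTH_OK:
        return FULL
    return REJECT


@dataclass
class MarPolicy:
    """Non-clean way: Machine Access Restrictions.

    Machine authentication (identity host/...) is its own session. Its
    success is remembered per MAC for `aging_seconds`. A later user
    authentication from the same MAC is accepted only while that entry
    is still present, which is the source of the MAR caveats: the cache
    is per ISE node, and a user who stays on past the aging time without a
    fresh machine authentication (no reboot, no logoff) is rejected at the
    next reauthentication."""
    aging_seconds: float = 6 * 3600
    _cache: Dict[str, float] = field(default_factory=dict)

    def decision(self, req: Request) -> str:
        if not req.credential_ok:
            return REJECT
        if req.identity.lower().startswith("host/"):
            self._cache[req.calling_station_id] = req.now  # remember machine auth time
            return MACHINE_ONLY_ACCESS
        seen = self._cache.get(req.calling_station_id)
        if seen is None or req.now - seen > self.aging_seconds:
            return REJECT  # user auth with no recent machine auth from this MAC
        return FULL


if __name__ == "__main__":
    # Constructed sample flow: machine auth at boot, user logon shortly after,
    # then a reauthentication long after the MAR entry has aged out.
    mar = MarPolicy(aging_seconds=3600)
    print(mar.decision(Request("00:11:22:33:44:55", "host/pc01.corp.example", True, now=0)))
    print(mar.decision(Request("00:11:22:33:44:55", "corp\\alice", True, now=120)))
    print(mar.decision(Request("00:11:22:33:44:55", "corp\\alice", True, now=5000)))
    print(eap_chaining_decision(Request("00:11:22:33:44:55", "corp\\alice", True, BOTH_OK)))
```

Run as a script it prints machine-only, full, reject, full: the same user on the same laptop is rejected by MAR once the cached machine authentication has aged out, while the chained authentication carries its own proof of the machine on every exchange and never depends on a server-side cache.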
So you're telling me that it is not possible to implement RADIUS authentication plus certificate verification to allow SSID connection with an NPS server?