01-25-2021 04:36 AM - edited 07-05-2021 01:04 PM
Hello,
I'm trying to set up RADIUS authentication with one certificate per user, all automatically.
I managed to set up RADIUS authentication, but unfortunately I didn't manage to set up certificate authentication.
In my case I think the WLC configuration is correct.
How can I make sure that the connection is only made when both the certificate and the AD account are valid?
Thank you for your help.
I appreciate it,
01-25-2021 04:49 AM
That depends solely on your Radius server. Configure the SSID for WPA2 with Enterprise authentication.
Here for example a manual for NPS Radius:
Or Freeradius:
https://hackernoon.com/how-to-secure-your-wifi-network-with-freeradius-94e0812a83bf
01-25-2021 05:55 AM - edited 01-25-2021 05:56 AM
In the tutorials I don't see the steps to perform.
I would like to allow AD authentication coupled with certificate authentication.
To certify the workstation as well as the account:
If the PC has a valid AD account but not the certificate, then no connection.
If the PC does not have an AD account but has the certificate installed, then no login.
If the PC has the AD account + certificate, then the connection is made.
01-25-2021 06:51 AM
01-27-2021 12:44 AM
Hello,
For my part, I use Windows NPS for the RADIUS server.
01-27-2021 04:10 AM
01-25-2021 08:47 AM - edited 01-25-2021 04:58 PM
The clean way to do it is to use Cisco ISE as the RADIUS server and AnyConnect NAM on the client; this is called EAP Chaining.
Note 1: AnyConnect NAM is not supported on Mac OS.
Note 2: implementing this kind of authentication does not support "fast" roaming like the 802.11r (FT) feature.
For more info check "Understanding EAP-FAST and Chaining implementations on AnyConnect NAM and ISE" https://www.cisco.com/c/en/us/support/docs/wireless-mobility/eap-fast/200322-Understanding-EAP-FAST-and-Chaining-imp.html
The non-clean way to do it is to use Cisco ISE as the RADIUS server and configure it to use Machine Access Restrictions (MAR).
Machine Access Restriction Pros and Cons: https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116516-problemsolution-technology-00.html
The newer way to do it, without MAR or AnyConnect, is to use ISE 2.7 "and after" with a client that supports TEAP (Tunnel Extensible Authentication Protocol). This is so far supported on Windows 10 build 2004, but I don't see Apple supporting it yet. For more info check "EAP Chaining with TEAP": https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html
02-18-2021 07:30 AM
Hello,
So you're telling me that it is not possible to implement RADIUS authentication plus certificate verification to allow SSID connection with an NPS server?