EAP-TLS machine and user cert or both

firestartest
Level 1

If I use machine and user certificates, does that mean the machine gets an IP address, authenticates, the user then logs on, which causes another DHCP renew and user authentication?  Is it better to use machine and user or just machine?


Kayle Miller
Level 7

It depends on your needs and applications. The advantage of also using machine authentication is that the machine connects, authenticates and is on the wireless network irrespective of whether a user has logged in, which means you can remote access or monitor the machine at that point. I know a lot of facilities that do it that way because they manage the machines with things like SMS, etc.   Without machine authentication the computer won't attach to the wireless until a user physically logs into the machine, at which point it passes authentication.

Personally I like machine authentication; that way you can push updates and other things to the machines without having to either send a person to the machine to log in or wait for a user to log in so that you can access the machine. It just needs to be on.

In short, machine authentication replicates being hardwired to the network.

Hope this helps...  please rate useful posts.

Thanks,

Kayle

Thanks.  It would seem the customer wants machine and user.

Does this mean that during each phase of authentication the wireless client obtains a new IP address?

I may be incorrect here, but the only time it would re-IP is if the client is authenticating against ACS and it was to assign a different VLAN to the user than the machine originally authenticated to; otherwise I believe it uses the IP address and session that the machine had already created and just passes the authentication through.

If I am incorrect I am sure someone here will correct me.

Thanks,

Kayle

That's the bit I don't quite understand.  Does the user get authenticated by ACS after the machine, or does it just get passed to AD?

Examples I have seen so far either show machine or user authentication.  Not both.

That is correct. When the machine boots it should authenticate to the network and you should see it in the passed authentication logs... Then when the user logs in you should see the user pass authentication as well, unless they aren't using 802.1x for the user.

If the machine fails the user won't/shouldn't be able to pass authentication.
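The two behaviours described in the replies above, a user authentication that is only honoured when the same endpoint already passed machine authentication (the "machine access restriction" style rule), and a re-IP that only happens when the user session is assigned a different VLAN than the machine session, can be checked offline against RADIUS authentication logs. The following is an added example written for this thread, not code from the original posts or from any Cisco or Microsoft product. The CSV-style log format, the `host/` identity prefix for machine certificates, the 8-hour MAR window and the sample log lines are all constructed assumptions for the demo.

```python
"""Correlate machine and user 802.1X authentications per client MAC.

Added example (not from the forum thread). Replays constructed RADIUS-style
authentication records and applies two checks:
  1. a Machine Access Restriction (MAR)-style rule: a user authentication is
     only honoured if the same endpoint (same Calling-Station-Id) passed
     machine authentication within a configurable window;
  2. a VLAN comparison between the machine and user sessions, since a
     different VLAN assignment is what forces the client to re-IP.
Log format, field names and the 8-hour window are assumptions for this demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class AuthRecord:
    ts: datetime
    mac: str              # Calling-Station-Id of the wireless client
    identity: str         # "host/<fqdn>" for machine auth, DOMAIN\user for user auth
    accepted: bool        # Access-Accept vs Access-Reject
    vlan: Optional[int]   # VLAN returned by the RADIUS server, if any


# Constructed sample export (assumed format: ts,mac,identity,result,vlan).
SAMPLE_LOG = """\
2024-01-10T08:00:01Z,00:11:22:33:44:55,host/pc01.corp.example,Access-Accept,10
2024-01-10T08:00:45Z,00:11:22:33:44:55,CORP\\alice,Access-Accept,10
2024-01-10T08:05:00Z,66:77:88:99:aa:bb,CORP\\bob,Access-Accept,20
2024-01-10T08:10:00Z,cc:dd:ee:ff:00:11,host/pc03.corp.example,Access-Accept,10
2024-01-10T08:10:30Z,cc:dd:ee:ff:00:11,CORP\\carol,Access-Accept,30
2024-01-10T09:00:00Z,aa:bb:cc:dd:ee:ff,host/pc04.corp.example,Access-Reject,
2024-01-10T09:00:30Z,aa:bb:cc:dd:ee:ff,CORP\\dave,Access-Accept,10
"""


def parse_line(line: str) -> AuthRecord:
    """Parse one assumed CSV record into an AuthRecord."""
    ts, mac, identity, result, vlan = line.split(",")
    return AuthRecord(
        ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        mac=mac.lower(),
        identity=identity,
        accepted=(result == "Access-Accept"),
        vlan=int(vlan) if vlan else None,
    )


def is_machine_identity(identity: str) -> bool:
    # Windows machine certificates present a host/<fqdn> identity (assumed here).
    return identity.lower().startswith("host/")


def evaluate_log(log_text: str, mar_window: timedelta = timedelta(hours=8)) -> List[Dict]:
    """Apply the MAR-style rule and flag VLAN changes between machine and user sessions."""
    records = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda r: r.ts,
    )
    last_machine_ok: Dict[str, AuthRecord] = {}   # mac -> most recent passed machine auth
    outcomes: List[Dict] = []
    for rec in records:
        if is_machine_identity(rec.identity):
            if rec.accepted:
                last_machine_ok[rec.mac] = rec
            else:
                # A failed machine auth clears any earlier pass for that endpoint.
                last_machine_ok.pop(rec.mac, None)
            continue
        machine = last_machine_ok.get(rec.mac)
        if machine is None or rec.ts - machine.ts > mar_window:
            outcomes.append(dict(user=rec.identity, mac=rec.mac, decision="REJECT",
                                 reason="no passed machine authentication within MAR window",
                                 vlan_changed=False))
        elif not rec.accepted:
            outcomes.append(dict(user=rec.identity, mac=rec.mac, decision="REJECT",
                                 reason="user credentials rejected", vlan_changed=False))
        else:
            # Same VLAN as the machine session: the client keeps its lease.
            # Different VLAN: expect a DHCP renew / new IP on the user session.
            outcomes.append(dict(user=rec.identity, mac=rec.mac, decision="ACCEPT",
                                 reason="machine %s passed at %s"
                                        % (machine.identity, machine.ts.isoformat()),
                                 vlan_changed=(machine.vlan != rec.vlan)))
    return outcomes


if __name__ == "__main__":
    for o in evaluate_log(SAMPLE_LOG):
        print("%-12s %-18s %-7s re-IP=%-5s %s"
              % (o["user"], o["mac"], o["decision"], o["vlan_changed"], o["reason"]))
```

On the constructed input, alice and carol are accepted because their endpoints passed machine authentication seconds earlier, but only carol is flagged for a re-IP because her user session was assigned VLAN 30 where the machine session got VLAN 10; bob is rejected because his MAC never passed machine authentication, and dave is rejected because his machine's authentication failed just before he logged in.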

I thought the user being denied if the machine hadn't logged on first was if you use the machine access restrictions on ACS.  Does the same apply if I was using Microsoft RADIUS server such as IAS?
