10-05-2012 02:32 AM - edited 07-03-2021 10:46 PM
Hi all.
Currently we are using eap-tls with machine authentication.
We would like to improve the solution, because of the fear of users "stealing" the certificates and installing them on unauthorized devices.
We use WLC 5508, ver 7.2, ACS 5.2, and a connection to Windows AD. Mainly Windows 7 clients, and some Windows XP.
Is there a way of using EAP-TLS with machine certificates AND prompting the user for credentials (AD account) when associating to the SSID?
Regards
Eirik
Sent from Cisco Technical Support iPad App
10-05-2012 09:31 AM
You can by using MAR, but it's not recommended since there is a timeout value and users will have to reconnect. Also it only does machine auth initially, then everything after that is user. Search on the forum for MAR and you will find many topics on your subject.
If the private key is not exportable, they shouldn't be able to transfer the cert. So make sure the key in the CA template specifies a non-exportable private key.
Sent from Cisco Technical Support iPhone App
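The reply above says to make the template's private key non-exportable. The following PowerShell script is an added example, not code from the thread or from Cisco; it audits the local computer's personal certificate store on a Windows 7-era client and reports, for each certificate, the issuing template and whether the CSP marks the private key as exportable. It assumes it is run in an elevated PowerShell session on a domain-joined machine; CSP-backed (CAPI) keys are the ones this check covers, and for CNG keys it falls back to telling you to use certutil.

```powershell
# Added example (not from the thread): audit certificates in the local computer's
# personal store and report whether each private key is flagged exportable.
# Assumes an elevated session on a domain-joined Windows client with PowerShell 2.0+.

# Template name (v1 templates) and template information (v2+ templates) extension OIDs.
$TemplateOids = @("1.3.6.1.4.1.311.20.2", "1.3.6.1.4.1.311.21.7")

function Get-MachineCertExportability {
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_

        # Pull the template name/information extension so the report shows which
        # template issued the cert (the one whose "exportable" flag you must check on the CA).
        $template = ($cert.Extensions |
            Where-Object { $TemplateOids -contains $_.Oid.Value } |
            ForEach-Object { $_.Format($false) }) -join "; "

        $exportable = "n/a (no private key)"
        if ($cert.HasPrivateKey) {
            try {
                # For CAPI (CSP) keys .PrivateKey is an RSACryptoServiceProvider whose
                # CspKeyContainerInfo.Exportable reflects the flag set at enrollment.
                $key = $cert.PrivateKey
                if ($key -and $key.CspKeyContainerInfo) {
                    $exportable = $key.CspKeyContainerInfo.Exportable
                } else {
                    # CNG (KSP) keys are not surfaced through .PrivateKey on this .NET version;
                    # inspect them with: certutil -v -store My
                    $exportable = "unknown (CNG key; use certutil -v -store My)"
                }
            } catch {
                $exportable = "error: " + $_.Exception.Message
            }
        }

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            Template      = $template
            HasPrivateKey = $cert.HasPrivateKey
            Exportable    = $exportable
            NotAfter      = $cert.NotAfter
        }
    }
}

# Report every machine cert; anything with Exportable = True came from a template
# that still allows export and should be re-issued once the template is fixed.
Get-MachineCertExportability |
    Select-Object Subject, Template, HasPrivateKey, Exportable, NotAfter |
    Format-Table -AutoSize
```

Run it on a sample of clients after changing the template: certificates enrolled before the change keep the exportable flag they were issued with, so they have to be re-enrolled, not just left to expire. As the later replies in the thread point out, this flag is enforced by the CSP on the client, so it raises the bar against casual export but is not a substitute for device profiling, MDM or a second factor.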
10-05-2012 11:36 PM
Thank you for the tip. I will look into that.
The problem is that even if the private key is marked non-exportable, there are tools out there to export it anyway...
Eirik
Sent from Cisco Technical Support iPad App
10-06-2012 05:07 AM
So you're saying that an employee is going to try to spend time trying to find a utility that can export a private key. It would be easier just to use the guest network, which I would do. So if a user wants to get the cert to put on his other laptop, what stops them from plugging into the network? All that said, what is the process to export the cert... You need access to the certificate store via the MMC certificate console. So why not just block access to that through GPO? Using MAR isn't the answer because it only looks for the first login and then it's user authentication. So any user can provide their credentials on any machine that has login to the domain. If you wanted some two-factor, use an RSA token or get ISE and the latest AnyConnect and do EAP Chaining.
Sent from Cisco Technical Support iPhone App
10-06-2012 05:20 AM
We currently have people that do this to connect their iPads and so on to the corporate network. And they do not need to have access to MMC. There are tools out there...
But that's not my main concern. If there are tools that can do it, there are trojans and malware that do the same... That's my concern.
So maybe the solution is two-factor, but it would be nice if it could use both the certificate AND ask for credentials (or even use the already logged-on AD user).
Eirik
Sent from Cisco Technical Support iPad App
10-06-2012 05:34 AM
Really what you need then is ISE. This way you can profile devices and allow what devices are allowed or not allowed. Or also use an MDM solution or corporate phones and tablets. But you will probably need both. MAR really doesn't help you in this situation because you can always get around that also.
Sent from Cisco Technical Support iPhone App