Question about 802.1x EAPTLS and Active Directory Computer Object auth

EBrant
Level 1

Hello All,

Can someone kindly assist me with the following question?

This relates to the question I asked here, but I just need a bit more information please (as I do not have a LAB to test this out).

Putting 802.1x, EAP-TLS and certificates to one side for a moment:

If you have an Active Directory (AD) computer (joined to an AD domain), the computer authenticates to the domain using its password (a 128-character random password, changed automatically every 30 days by default). The password hash is stored securely in the computer's registry and also in the AD database, so they can be compared to complete the logon.

Now, if I introduce an 802.1x switch with the relevant AAA server and certificates (a 'server authentication' certificate for the AAA server and a 'client authentication' certificate for the supplicant/computer), I understand from my previous question (as in the link above) that the AAA server and supplicant can authenticate each other using the certificates, which would then move from EAPOL to open up the ports for normal traffic?

If that is the case, then I assume the computer would go on to the next stage automatically to authenticate to the Active Directory Domain Controller using its 128-character password (as it would if there were no 802.1x in the mix)?

In other words, I assume there would be a two-stage process: use the certificates to complete the EAP-TLS authentication to open the ports, then perform normal computer logon. However, I also know you can use certificates to authenticate to AD (using the UPN name in the SAN extension of the certificate). Therefore, does it depend on how the AAA server is set up as to which options would be used to ultimately authenticate the supplicant to the AD Domain Controller?

Any advice is most welcome.

1 Reply

Arshad Safrulla
VIP Alumni

Assuming that you are referring to Windows-only clients, there are two levels of authentication: machine and user. So when the machine has just booted, its network stack will come online and send the machine username and password if EAP-PEAP; in TLS it will send the machine certificate. (The UN and PW for the machine are created during the domain joining process; for certs you need to deploy them.)

A good article to read to understand the complete process; most of the article is good, but it should be noted that Windows now supports EAP-TEAP, which is both user and machine auth.

https://www.wiresandwi.fi/blog/user-and-machine-authentication