802.1x authentication certificate and username options

ChrisB
Here to help

Hello, I am hoping that someone may be able to help me understand if an idea is possible with 802.1x authentication via a single SSID.

My aim: to 802.1x authenticate corporate machines/users via a certificate so they are not required to enter details when using a corporate-issued device (laptop/smartphone etc…), but if the device is not corporate-issued, they use our current off-site RADIUS server solution to authenticate via 802.1x username & password.

First of all, is this possible? So if a certificate is available on the device, it will authenticate locally with a policy set to allow the native LAN as per wired clients, and if there is no certificate, they will be forwarded on to our 3rd-party hosted RADIUS server with user-entered credentials and use the Meraki “VPN: tunnel data to a concentrator” back to our MX in our DMZ, so guests can still have internet access while being isolated from our corporate data.

We want to continue to use our 3rd-party RADIUS server as this is a shared service with other partner companies etc…

Secondly, how would we go about this?

Adam
Kind of a big deal

Certificates are a workable solution, but are the devices domain joined? If so, 802.1x is easier to implement by enforcing against domain user groups or computer groups. NPS would be configured on a Windows server and then there is a little GPO stuff to configure and you'd be off and running.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO

Not all devices we wish to deploy are domain members. Windows laptops are, but mobile devices, i.e. smartphones and tablets, are not domain members so it would not work.

Our smartphones etc... are managed via an MDM solution, and we would plan to deploy certs and new SSID details as part of policy, prior to decommissioning our legacy SSIDs which they are using. We also want to reduce the login requirements for staff who have a work-issued laptop/Windows tablet.

PhilipDAth
Kind of a big deal

First, to use 802.1x you must use RADIUS. If you are using certificates then RADIUS must authenticate those certificates.

Personally I would authenticate using PEAP/MSCHAPv2. Machines that are members of the domain can authenticate using their already logged-in credentials. Non-domain members will have to manually enter their AD username/password. Mobile devices will prompt for the AD username/password automatically.

znchb
Comes here often

Hi Philip,

I configured 802.1x wired authentication with Windows 10 PEAP/MSCHAPv2 using AD username/password against a RADIUS server; the computers are not domain joined.

But the computers keep looping through authentication attempts with the RADIUS server:

1) Information shown on the Win10 Ethernet connection:

   "attempting to authentication" ---> "Local network"

2) Wired-AutoConfig logs shown on Win10:

   "Wired 802.1X Authentication succeeded" ----> "Wired 802.1X Authentication was restarted. Restart Reason: Peer Initiated" -----> "Wired 802.1X Authentication was restarted. Restart Reason: Onex Auth Timeout"

Could you please give me some hints as to the possible reasons for this? Much appreciated.

Regards,

nzou

PhilipDAth
Kind of a big deal

Whatever certificate was used to sign the RADIUS server's certificate will need to be loaded onto the computers as a trusted root certificate.

You could also try checking out the security event log on the client and the NPS server.
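One way to verify both of Philip's hints directly on the Windows 10 supplicant, as an added PowerShell example that is not code from this thread, from Meraki or from Microsoft: it builds the chain for the RADIUS server's certificate, checks that the root of that chain sits in the machine's Trusted Root store, confirms the certificate carries the Server Authentication EKU that PEAP clients require, and lists the recent Wired-AutoConfig events with their restart reasons. The `$RadiusCertPath` value is a placeholder; export the RADIUS server's certificate (public part only) to a `.cer` file first and run the script from an elevated prompt.

```powershell
# Added example, not code from the thread or from Meraki/Microsoft.
# Run in an elevated PowerShell on the Windows 10 supplicant.
# $RadiusCertPath is a placeholder: export the RADIUS server's certificate
# (public part only) to a .cer file and point this at it.
param(
    [string]$RadiusCertPath = "C:\temp\radius-server.cer"   # placeholder path
)

$x509 = "System.Security.Cryptography.X509Certificates"
$serverCert = New-Object "$x509.X509Certificate2" -ArgumentList $RadiusCertPath

# 1. Chain check: does the server cert chain to a root this machine trusts?
#    Revocation is skipped so the test also works on an isolated VLAN.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = "NoCheck"
$chainOk = $chain.Build($serverCert)

"Server cert subject   : $($serverCert.Subject)"
"Issuer                : $($serverCert.Issuer)"
"Valid until           : $($serverCert.NotAfter)"
"Chain builds          : $chainOk"
if (-not $chainOk) {
    foreach ($s in $chain.ChainStatus) {
        "  chain status: $($s.Status) - $($s.StatusInformation.Trim())"
    }
}

# 2. Is the top of that chain in the *machine* Trusted Root store?
#    Machine authentication validates against LocalMachine\Root, so check that
#    store rather than only the current user's.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inMachineRoot = Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"
"Top of chain          : $($top.Subject)"
"In LocalMachine\Root  : $inMachineRoot"

# 3. PEAP clients expect the RADIUS server certificate to carry the
#    Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
$ekuExt = $serverCert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = [bool]($ekuExt -and
    (($ekuExt.EnhancedKeyUsages | ForEach-Object Value) -contains "1.3.6.1.5.5.7.3.1"))
"Server Auth EKU       : $hasServerAuth"

# 4. Recent Wired-AutoConfig events: succeeded / failed / restarted, with the
#    "Restart Reason" pulled out of the message text.
Get-WinEvent -LogName "Microsoft-Windows-Wired-AutoConfig/Operational" -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "Authentication (succeeded|failed|was restarted)" } |
    Select-Object TimeCreated, Id,
        @{ n = "Summary"; e = { ($_.Message -split "`r?`n")[0] } },
        @{ n = "Reason";  e = { if ($_.Message -match "Restart Reason:\s*(.+)") { $Matches[1].Trim() } } } |
    Format-Table -AutoSize
```

If the chain builds but `In LocalMachine\Root` is `False`, the root was imported into the wrong store; if the EKU line is `False`, the server certificate was issued from a template without Server Authentication and the supplicant will reject it even though the chain is trusted.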

znchb
Comes here often

Hi Philip,

Thanks for the hint.

Are there any other possible reasons for this?

I still struggle with the reason for the looping of success then re-authenticate.

I used the following method (similar; my server is WS2019) to manually add a certificate to a laptop, but the problem is still the same: logon success, then restart again, "Reason: Onex Auth Timeout".

Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Enterprise CA (isaserv...

What I added:

  1. Server side, use IIS to request a certificate for Web Server from CA_Root.
  2. Server side, from https://domain.local assign an Administrator Certificate for the RADIUS server.
  3. On the laptop: install the Administrator Certificate, in the mmc console, under "Certificates\Personal".
  4. On the laptop: import CA_Root into "Certificates\Trusted Root Certification Authorities" (mmc console).

Regards,

nzou

jrhop
Getting noticed

Hi @znchb There are a few forum posts about multicast triggering on the switch, have you looked into this? https://community.spiceworks.com/topic/287342-wired-802-1x-continouos-authentication-restart-in-win-...

znchb
Comes here often

Appreciated, problem solved.

jrhop
Getting noticed

We currently use a mixture of EAP-PEAP/MSCHAPv2 and EAP-TLS using SCEP certificates. We use EAP-PEAP/MSCHAPv2 for Windows laptops which are domain joined and use the 'Domain Computers' group to get them connected via a GPO config. We use EAP-TLS for our iOS devices which are managed by Intune; the SCEP certificates are issued by a service called SCEPMan running in Azure, and the Intune policies tell devices to request the certificates from SCEPMan. The SCEPMan root certificate is then added to devices and to our NPS servers. So in NPS we have two configs: one for EAP-PEAP/MSCHAPv2 and one for EAP-TLS.
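To check whether a client actually holds a certificate that the EAP-TLS policy in NPS will accept, here is an added PowerShell example; it is not jrhop's configuration and not code from SCEPMan, Intune or Microsoft. It assumes a Windows client whose certificate was enrolled into `LocalMachine\My` (iOS devices would be checked from the MDM instead) and takes the subject of the issuing root, such as the SCEP root pushed to devices and NPS, as a placeholder parameter. For each unexpired certificate with a private key it reports whether the Client Authentication EKU is present, whether the chain builds, and whether the chain ends at the expected root.

```powershell
# Added example, not code from the thread or from SCEPMan/Intune/Microsoft.
# Run on the Windows client. $ExpectedRootSubject is a placeholder for the
# subject of the root CA you distributed to devices and to the NPS servers.
param(
    [string]$ExpectedRootSubject = "CN=Placeholder-Root-CA"   # placeholder
)

$clientAuthOid = "1.3.6.1.5.5.7.3.2"   # Client Authentication EKU
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$now = Get-Date

# Only certificates with a private key and inside their validity window can be
# presented by the supplicant at all.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
}

$results = foreach ($cert in $candidates) {
    # No EKU extension means "any purpose"; if present it must list Client Authentication.
    $ekuExt = $cert.Extensions | Where-Object { $_ -is $ekuType }
    $clientAuth = (-not $ekuExt) -or
        (($ekuExt.EnhancedKeyUsages | ForEach-Object Value) -contains $clientAuthOid)

    # Build the chain offline (no revocation) and look at which root it ends on.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "NoCheck"
    $chainOk = $chain.Build($cert)
    $root = $null
    if ($chainOk -and $chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    }
    $rootMatches = [bool]($root -and ($root.Subject -eq $ExpectedRootSubject))

    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        ClientAuthEKU  = $clientAuth
        ChainBuilds    = $chainOk
        RootIsExpected = $rootMatches
        EapTlsReady    = ($clientAuth -and $chainOk -and $rootMatches)
    }
}

if (-not $results) {
    "No unexpired certificates with a private key found in LocalMachine\My."
}
$results | Sort-Object EapTlsReady -Descending | Format-Table -AutoSize
```

A row with `ChainBuilds` true but `RootIsExpected` false usually means the device enrolled from a different CA than the one trusted on the NPS servers; `ClientAuthEKU` false means the template or SCEP profile omitted the Client Authentication purpose, which NPS will refuse regardless of the chain.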
