We are working on a wired and wireless 802.1x implementation and for various reasons are stuck using EAP-TLS.
What I know is that EAP-TLS requires certificates on the client and on the IC to support the mutual authentication.
What I don't know is whether the following is possible:
Can we use certificates on the client that have been issued to the workstation (not the specific user), so that the IC verifies this workstation is a corporate workstation and the client verifies that the IC is in fact the IC? Then, as a result of this certificate exchange, a secure channel is established, and the user logs into the computer, which sends the user credentials over this secure channel to the IC. The IC then authenticates against the corporate directory using LDAP and assigns a new VLAN to the switchport, and the login process completes on the workstation.
I have read a lot of documentation (from a number of vendors), but nothing seems to be very clear about whether this is or is not possible. Some docs seem to indicate that if you use machine-based certs for the EAP-TLS auth, the IC is going to authenticate the workstation and assign a VLAN to the switchport based on the MACHINE authenticating and not based on the user that is logging into the machine. Other documents explain it as I thought was the case... where the whole mutual authentication EAP-TLS thing with certificates was only a means of creating a secure channel over which the user credentials (as entered into the Windows login) could be sent.
If the only way to use EAP-TLS and have the workstation assigned to a VLAN based on the specific user authenticating is to have a certificate on the workstation issued to the specific user that is logging in (as opposed to being issued to the workstation), then how do you handle multi-user workstations? Or how do you allow support/administrators to log in?
You can use the TTLS (JUAC) protocol instead of TLS.
TTLS is a password-based protocol and additionally can define various Host Checker policies.
Host Checker can check antivirus, firewall, processes, files, and also the Machine Certificate.
If you enable this policy, both password and Machine Certificate will be checked in 802.1x authentication.
I guess this option can meet your requirement.
See the section 'Specifying Customized Requirements Using Custom Rules' in the Administration Guide.
Thanks for the suggestion, but TTLS is not an option. We are a Novell shop (yes, there's one of us left), and in Windows 7 we cannot use the Odyssey client with the Novell client, as the Windows 7 credential provider can only work with one add-on, as I understand it.
At any rate, host checking is not a goal of this project; only 802.1x and user-based VLAN assignment.
I think you are mixing up 802.1x authentication and Windows logon (Novell logon).
If your requirement is 802.1x and user-based VLAN assignment, the IC can do it by using TLS and PEAP.
As for TLS, the IC can assign a VLAN by a user client certificate.
As for PEAP, the IC can assign a VLAN by user name.
I think you also want to make the Novell logon successful.
This means you want to make an 802.1x authentication before the Novell logon.
For this issue, Windows 7's supplicant has two features: machine auth and single sign-on.
If you want to use TLS, use machine auth. Machine auth can complete 802.1x authentication before the Novell logon.
If Novell supports Windows 7's single sign-on, you can use PEAP.
This solution performs both the Novell logon and 802.1x at the same time.
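To make the distinction in this reply concrete, here is an added Python model of the VLAN decision (example code, not from the thread, the IC product, or Novell). It assumes constructed directory data, that a machine certificate presents a dNSName SAN while a user certificate presents a UPN SAN, and that the result is returned as the standard RADIUS tunnel attributes (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802). The point it shows: a machine-certificate EAP-TLS session carries no user identity, so a user-based VLAN can only come from a user certificate (TLS) or from the inner user name (PEAP).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-ins for the LDAP lookup and the VLAN policy on the IC.
DIRECTORY_GROUPS = {"alice": "engineering", "bob": "finance"}
GROUP_VLAN = {"engineering": "110", "finance": "120"}
MACHINE_VLAN = "10"   # corporate-workstation VLAN used before any user has logged on


@dataclass
class EapResult:
    """What the authenticator learns from a completed EAP exchange (constructed)."""
    method: str                                    # "EAP-TLS" or "PEAP"
    san_dns: List[str] = field(default_factory=list)   # dNSName SANs: machine cert
    san_upn: List[str] = field(default_factory=list)   # UPN SANs: user cert
    inner_identity: Optional[str] = None           # PEAP inner (MSCHAPv2) user name


def authenticated_identity(r: EapResult):
    """Return ('user', name), ('machine', name) or None if nothing usable was proven."""
    if r.method == "EAP-TLS":
        if r.san_upn:                              # user certificate: identity is the UPN
            return ("user", r.san_upn[0].split("@")[0])
        if r.san_dns:                              # machine certificate: identity is the host
            return ("machine", r.san_dns[0])
        return None
    if r.method == "PEAP" and r.inner_identity:    # password auth inside the TLS tunnel
        return ("user", r.inner_identity)
    return None


def radius_vlan_attrs(vlan: str) -> Dict[str, object]:
    """RADIUS attributes (RFC 3580 style) that tell the switch which VLAN to set."""
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-Id": vlan}


def assign_vlan(r: EapResult) -> Optional[Dict[str, object]]:
    """None means Access-Reject; otherwise the VLAN attributes for Access-Accept."""
    ident = authenticated_identity(r)
    if ident is None:
        return None
    kind, name = ident
    if kind == "machine":                          # no user known yet: machine VLAN only
        return radius_vlan_attrs(MACHINE_VLAN)
    group = DIRECTORY_GROUPS.get(name)             # user-based VLAN via directory group
    return radius_vlan_attrs(GROUP_VLAN[group]) if group else None
```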