NAP - restrict access to clients with a certificate

  • Question

  • Hi

    As I mentioned above I need some help with this.

    In my test network are:

    • 2 Clients (Windows 7 x64)
    • 1 Switch (HP ProCurve 2510)
    • 1 Server (Windows 2012 x64 Standard)

    My server is a domain controller and has its own certificate authority and the NPS installed.

    The switch is configured to have 2 VLANs. One is for the authenticated clients and one for the failed or unauthenticated clients.

    I tested the configuration with a simple user authentication where the user has to type his credentials into the message box which appears when you connect the client to the network.
    This works if the user is in the user group which is set in the network policy of the NPS. The server certificate which I imported manually into the client also works if I try to authenticate the server before connecting to it.

    I'm trying to make it happen that the client automatically tries to get an IP from the server. The server should only check the certificate on the client side (and not ask for credentials). If the certificate is correct, the client gets its IP, and if not, it is moved into the unauthorized VLAN.

    I tried some stuff but I can't find any method where the server requires a certificate before giving the client an IP.

    I hope that anyone can help me.



    Friday, March 14, 2014 3:00 PM


All replies

  • Hi,

    Do you have 802.1X enabled on the switch port?

    You can use EAP-TLS or PEAP with EAP-TLS to authenticate the user with a certificate. The difference between the two is that in the first case (EAP-TLS) you choose "Smart card or other certificate" immediately, but for PEAP with EAP-TLS you choose PEAP first, then in PEAP properties you choose "Smart card or other certificate." The configuration on the server side is similar.

    The certificate must be stored in the user's certificate store, not the computer's certificate store.

    EAP-TLS:

    PEAP with EAP-TLS:

    Some switches have an auth-fail setting where you can place clients that fail authentication in a VLAN. Some only have a guest VLAN for clients that do not present any credentials (are not configured for 802.1X) and all switches should have a default VLAN setting.

    You can also configure network policies to move client computers to different VLANs based on the policy that is matched, and those policies can have user group conditions so the computers will be moved to VLANs because the user belongs to a certain group.

    -Greg

    Saturday, March 15, 2014 6:37 AM
  • Hi Greg

    Thanks for the quick answer.

    • The switch ports are configured (VLAN 1 for authenticated clients and VLAN 2 for unauthenticated or incompatible clients) and it works with user authentication.
    • I use PEAP with EAP-TLS.
    • The configuration is similar on both the server and the client.
    • On the client side I have 2 certificates because they are deployed with the image.
      The first one is stored in "Local Computer > Trusted Root Certification Authorities", which marks the server as trusted, and the second one is stored in the user's certificate store.

    It seems that I made a mistake somewhere.

    • Do I have to grant more than "client and server authentication" rights to the certificate stored in the user's certificate store?
    • Is it possible to configure the server to ask first for a certificate, but if the client can't respond with one, then ask for user credentials?

    Andy


    Wednesday, March 19, 2014 8:30 AM
  • Hi

    The description of my problem is below.
    I still have two questions and I hope that you can help me with them:

    1) Is it possible to configure the RADIUS server so that it first of all searches for a certificate, and if that certificate isn't available it then asks for user credentials, and how could I achieve it (automatically, so that I don't have to reconfigure the client)?

    2) Can I use one RADIUS server to manage the LAN and the WLAN at the same time?


    Thanks to you I could solve the problem.
    As you mentioned above, there are 2 ways to authenticate with a certificate.
    After I checked the configuration I started to doubt the certificates which were on my clients.

    On the server side everything was configured right, but I had made a mistake on the client side.
    The certificates I placed in the certificate store were imported into the right container, but what I forgot was that those certificates have to be issued by the server.
    Before I (manually) imported them into the client certificate container I exported them from the server, where the key got lost.

    Now I had 2 options:

    • Allow the key to be exported along with the certificate
    • Configure an automatic rollout to the clients.

    In my opinion the second way is safer because no one could get into the network without permission, even if he had imported the certificate from another client.

    If a client has to connect to the network, first he has to log in with his credentials. After that the server will issue a confirmed certificate to the client. From then on he can connect without using his credentials.
    ---------------
    Sorry, my English is not really good.

    Andy



    Friday, March 21, 2014 1:30 PM
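The root cause Andy found (a user certificate imported without its private key, and not issued by the domain CA) can be checked on a client before touching NPS. The following PowerShell script is an added example, not code from the thread or from Microsoft: it walks the current user's personal store and reports, per certificate, whether it is usable for EAP-TLS / PEAP-EAP-TLS. `$CaName` is an assumed placeholder for the issuing CA's common name.

```powershell
# Added example (not from the thread): report which certificates in the
# current user's personal store are usable as an EAP-TLS client certificate.
# $CaName is a placeholder for the issuing domain CA; replace it with your own.
param(
    [string] $CaName = 'CN=EXAMPLE-CA'   # placeholder, not a value from the thread
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # OID of the Client Authentication EKU

# For user authentication the certificate has to live in the *user* store
# (Greg's point), so look at CurrentUser\My rather than LocalMachine\My.
$certs = Get-ChildItem -Path Cert:\CurrentUser\My

foreach ($cert in $certs) {
    $problems = @()

    # 1) The private key must be present. A certificate exported without its
    #    key (the mistake in the thread) imports fine but HasPrivateKey is false.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

    # 2) The certificate must carry the Client Authentication EKU.
    $ekus = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }
    if ($ekus -notcontains $clientAuthOid) { $problems += 'missing Client Authentication EKU' }

    # 3) It must be issued by the CA that NPS trusts, not copied from elsewhere.
    if ($cert.Issuer -notlike "*$CaName*") { $problems += "issuer is not $CaName" }

    # 4) It must chain to a trusted root and be inside its validity period.
    #    Revocation is skipped here so the check works offline; NPS checks it itself.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $problems += "chain: $status"
    }

    $state = if ($problems.Count -eq 0) { 'OK for EAP-TLS' } else { $problems -join '; ' }
    '{0,-40} {1}' -f $cert.Subject, $state
}
```

Run it in the user's own session (not an elevated one started as another account), since `Cert:\CurrentUser` is the store of whoever runs the script.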
  • Hi Andy,

    No, you can't use two different authentication methods with one failing over to the second one. You can have two authentication methods for two different clients, but a single client must use one method at a time.

    You can use a single RADIUS server for multiple networks (LAN and WLAN). You just need to configure different policy conditions so that they match the access requests.

    -Greg

    • Proposed as answer by ITKAG Support Wednesday, March 26, 2014 10:27 AM
    • Marked as answer by Susie Long Thursday, March 27, 2014 8:04 AM
    Monday, March 24, 2014 7:11 PM