This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

Is Machine authentication AND user authentication possible together in 802.1X EAP-TLS?

Question
0

Sign in to vote

I am trying to setup a 802.1x authentication environment where only authenticated users can access the network using only authenticated devices.

- I have tested both user authentication (using user certificate) and machine authentication (using machine certificates) works individually

I see the MS documents talking about authmode as "machineORuser","machineonly","useronly" and "guest" which kind of explains my earlier test results. I would still like to get a confirmation on whether Machine and User authentication can ever work together ( i mean in AND condition instead of OR)?

Here are the links i referred:

http://support.microsoft.com/kb/929847

http://msdn.microsoft.com/en-us/library/ms706279.aspx

I hope i am not the only one trying to implement both authentication together. :-)

Thanks in advance!

Cheers,

Kinshuk

Saturday, December 24, 2011 9:29 PM

Answers

0

Sign in to vote
Hi Kinshuk,

You are not the only one that is interested in this, but it isn't possible using standard 802.1X authentication methods. It is called bonded authentication. To achieve the computer/device match some vendors use a MAC address table, which is not technically part of the 802.1X process.

In documentation, when authentication settings are referred to as "computer and user," this means "computer THEN user." The computer is authenticated when nobody is logged on, then when a user is logged on the user authentication occurs. The second authentication (user) is not tied to the first one (computer), so it is not bonded. The second authentication can occur regardless of the results of the first authetication.

If you configure computer authentication only and lock down access to these devices to only domain users, this accomplishes about the same thing.

I hope this helps,

-Greg
- Edited by Greg LindsayMicrosoft employee Monday, December 26, 2011 1:13 AM
- Proposed as answer by Tiger LiMicrosoft employee Monday, December 26, 2011 7:18 AM
- Marked as answer by Tiger LiMicrosoft employee Friday, December 30, 2011 8:59 AM
Monday, December 26, 2011 1:12 AM