Is Machine authentication AND user authentication possible together in 802.1X EAP-TLS?

  • Question

  • I am trying to set up an 802.1X authentication environment where only authenticated users can access the network using only authenticated devices.

    - I have tested that both user authentication (using a user certificate) and machine authentication (using a machine certificate) work individually.

    I see the MS documents talking about authMode as "machineOrUser", "machineOnly", "userOnly" and "guest", which kind of explains my earlier test results. I would still like to get a confirmation on whether Machine and User authentication can ever work together (I mean in an AND condition instead of OR)?

    Here are the links I referred to:

    http://support.microsoft.com/kb/929847

    http://msdn.microsoft.com/en-us/library/ms706279.aspx

    I hope I am not the only one trying to implement both authentications together.  :-)


    Thanks in advance!

    Cheers,

    Kinshuk

    Saturday, December 24, 2011 9:29 PM

Answers

  • Hi Kinshuk,

    You are not the only one that is interested in this, but it isn't possible using standard 802.1X authentication methods. It is called bonded authentication. To achieve the computer/device match some vendors use a MAC address table, which is not technically part of the 802.1X process.

    In documentation, when authentication settings are referred to as "computer and user," this means "computer THEN user." The computer is authenticated when nobody is logged on, then when a user is logged on the user authentication occurs. The second authentication (user) is not tied to the first one (computer), so it is not bonded. The second authentication can occur regardless of the results of the first authentication.

    If you configure computer authentication only and lock down access to these devices to only domain users, this accomplishes about the same thing.

    I hope this helps,

    -Greg


    Monday, December 26, 2011 1:12 AM
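As an added illustration (not part of the original thread, and not Greg's or Microsoft's own text), the authMode value the question refers to lives in the OneX section of a Windows wired LAN profile. The fragment below shows the machineOnly setting that the suggested approach (computer authentication only, with access then restricted to domain users) would use; the element names are taken from the LAN profile and OneX schemas as I recall them and should be checked against the MSDN link above, and the EAP-TLS method configuration inside EAPConfig is deliberately omitted.

```xml
<?xml version="1.0"?>
<!-- Constructed example of a wired 802.1X profile; EAP-TLS method settings omitted -->
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>true</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <!-- machineOrUser means "machine THEN user" (two independent, unbonded
             authentications); machineOnly authenticates the device certificate
             only, which is the setting the answer above recommends -->
        <authMode>machineOnly</authMode>
        <EAPConfig>
          <!-- EAP-TLS (EAP method type 13) host configuration goes here -->
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</LANProfile>
```

A profile like this is applied per interface with `netsh lan add profile filename="profile.xml" interface="Ethernet"` and inspected with `netsh lan show profiles`. The user-level restriction Greg describes (only domain users may log on to the authenticated device) is not expressed in this profile at all; it is enforced separately on the device through the usual logon-rights and group-membership controls.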