Tuesday, 17 January 2017

WiFi validation using machine certificates

If you are going to use machine certificates from AD to validate machines on your WiFi, it is important that the UPN of the machine is part of the list of SANs (Subject Alternative Names).

The UPN (it looks like machine$@domain.com) is the identity of the user or computer, and it is what is used to look up the device in AD.

In our installation, the UPN was not added to machine certificates by default, thus we could get EAP-PEAP and EAP-TLS for users working, but computer accounts would not validate.

This is one of the smaller things you need to remember. We were pointed in the right direction by an article about a Mac not being able to validate, as it did not have the UPN in its certificate. Since it was not part of AD autoenrollment it had been issued with a different template than the other certs, and OS X does not insert a Microsoft UPN in the SAN.
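To make the check concrete, here is an added example (not code from the original post): a stdlib-only Python snippet that builds the DER of a SubjectAltName extension the way AD autoenrollment would (an otherName carrying the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3 plus a dNSName), then parses it back and decides whether the certificate carries a computer-account UPN of the form machine$@domain. The names pc01, mac01 and example.com are constructed sample values.

```python
import re
from typing import List, Optional

# Microsoft "User Principal Name" otherName type-id, DER-encoded OID
MS_UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value (short or long form length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def build_san(upn: Optional[str], dns: str) -> bytes:
    """Constructed SAN value: optional otherName(UPN), then dNSName [2]."""
    names = b""
    if upn is not None:
        # otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }
        inner = _tlv(0x06, MS_UPN_OID) + _tlv(0xA0, _tlv(0x0C, upn.encode()))
        names += _tlv(0xA0, inner)          # GeneralName otherName is [0]
    names += _tlv(0x82, dns.encode())       # dNSName [2] IA5String
    return _tlv(0x30, names)                # SubjectAltName ::= SEQUENCE OF GeneralName


def _iter_tlv(data: bytes):
    """Yield (tag, body) for each top-level TLV in a DER byte string."""
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                       # long-form length
            n = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + ln]
        i += ln


def san_upns(san_der: bytes) -> List[str]:
    """Return every Microsoft UPN found in a SAN extension value."""
    if san_der[0] != 0x30:
        raise ValueError("SAN must be a SEQUENCE")
    upns = []
    for tag, gn in _iter_tlv(next(_iter_tlv(san_der))[1]):
        if tag != 0xA0:                     # only otherName can hold a UPN
            continue
        (oid_tag, oid), (_, val) = list(_iter_tlv(gn))[:2]
        if oid_tag == 0x06 and oid == MS_UPN_OID:
            _, utf8 = next(_iter_tlv(val))  # unwrap the [0] EXPLICIT tag
            upns.append(utf8.decode())
    return upns


def is_machine_cert_usable(san_der: bytes, domain: str) -> bool:
    """True if the SAN carries a computer-account UPN (name$@domain)."""
    pat = re.compile(r"^[^@$]+\$@" + re.escape(domain) + r"$", re.IGNORECASE)
    return any(pat.match(u) for u in san_upns(san_der))
```

A user certificate (alice@example.com) or a Mac certificate with only a dNSName both fail the check, which is exactly the symptom described above.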

Why do we choose to use machine certificates to validate our WiFi? Easy: it still requires one of our devices to get on the net. On the wired LAN we trust the device plugged into the wall. And we have network segmentation and filtering in place, so a WiFi-connected machine will not have access to anything but needed services (Citrix and jump servers, Internet proxy, AD infrastructure, file and print servers, IP telephony and the Intranet).

Special users with special network access requirements (the minority, <10%) can use a VPN that will assign network access rights based on the user's group membership. Here we have user validation and true 2-factor authentication.