EAP-TLS Machine Authentication

  • 2
  • Question
  • Updated 5 years ago
  • Answered
We are migrating from Aruba to Aerohive and I'm looking for guidance on setting up EAP-TLS machine authentication. I have the user certificate authentication setup on my corporate SSID but I need to have a separate User Profile for firewall policy when machine authenticated.

Fraser Hess

  • 60 Posts
  • 7 Reply Likes

Posted 5 years ago

  • 2

Abby S, Employee

  • 94 Posts
  • 47 Reply Likes
hi Fraser,

Are you asking if you can assign different user profiles based on whether the user authenticates using EAP-PEAP vs EAP-TLS? Or assign different firewall policies based on the certificate used? Just need a couple more details to provide info :-)

Fraser Hess

  • 60 Posts
  • 7 Reply Likes
No, I need to authenticate and then assign a firewall policy when a Windows machine attempts to connect using its machine certificate on boot. This is before a user logs in, so the user certificates are not yet available.

Andrew Garcia, Official Rep

  • 368 Posts
  • 120 Reply Likes
I assume you are using NPS for RADIUS on your network.

Set up your NPS policy that authenticates the machine accounts to deliver a unique user attribute. NOTE: If you set up a single NPS policy to authenticate both users and machines (pointing to both user and machine groups within AD), you will need to create a distinct policy for machine accounts (and remove the machine group from the old policy).

You can use numerous different attributes within NPS to deliver the attribute number to Aerohive (Filter-ID, etc), but I will show you our native approach. Set the following:
Tunnel-type = GRE
Tunnel-Medium-type = IP (v4)
Tunnel-Pvt-Group-ID = (your attribute number)
When a computer logs into an Aerohive device using machine credentials thereby matching this NPS Network Policy, the attribute number will be delivered to the AP.

Create a new user profile within your Aerohive network policy that has the same attribute number. When you are selecting the user attributes available for an SSID, you assign a default user profile, but you can also set Authentication user profiles. Configure the machine user profile as an Authentication profile.
You'll find that this approach gives you a lot of flexibility to assign different firewall and QoS policies within Aerohive to machines vs users, but also to different user groups as well. If you have user groups already set up in AD, we can easily leverage them for your wireless policy.

Fraser Hess

  • 60 Posts
  • 7 Reply Likes
Sorry, Andrew. I should have said we are using FreeRADIUS.

Fraser Hess

  • 60 Posts
  • 7 Reply Likes
In regard to the groups suggestion, should mapping the Domain Computers group to a User Profile provide what I'm looking for?

Andrew Garcia, Official Rep

  • 368 Posts
  • 120 Reply Likes
Sorry, bad assumption on my part.

Within your freeRADIUS configuration, the group that you have defined for your machine accounts would need to deliver those three attribute values:
Tunnel-Private-Group-ID=(your number)
Tunnel-Type=GRE
Tunnel-Medium-Type=IP
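The following is an added example of how the three attributes Andrew lists can be returned from FreeRADIUS for machine-authenticated EAP-TLS sessions; it is not from this thread, from Aerohive, or from the FreeRADIUS project. It assumes FreeRADIUS 3.x unlang syntax, that the TLS-Client-Cert-* attributes filled in from the presented client certificate are available in the outer server's post-auth section (confirm this against your version), that the AD domain suffix is corp.example.com, and that the user profile attribute number chosen in HiveManager is 20. The key design point is that the decision is keyed on the certificate the supplicant actually proved possession of, not on the User-Name, which is chosen by the client and is only a hint (Windows sends it as host/fqdn for machine auth).

```unlang
# Added example: raddb/sites-enabled/default, inside the post-auth section.
# Assumptions: FreeRADIUS 3.x; domain suffix corp.example.com; Aerohive
# machine user profile attribute number 20. Adjust both to your environment.
post-auth {
    # Only successful EAP-TLS requests carry TLS-Client-Cert-* attributes.
    # Machine certificates issued from the AD CS Computer template have the
    # host FQDN as Subject CN, so a CN ending in the domain suffix identifies
    # a domain-joined machine. User certificates (CN = display name, UPN SAN)
    # fall through and keep the SSID's default user profile.
    if (&TLS-Client-Cert-Common-Name && (&TLS-Client-Cert-Common-Name =~ /\.corp\.example\.com$/i)) {
        update reply {
            &Tunnel-Type := GRE                # value 10
            &Tunnel-Medium-Type := IP          # value 1 (IPv4)
            &Tunnel-Private-Group-Id := "20"   # Aerohive user profile attribute number
        }
        # Optional sanity check for your logs: a machine cert presented with a
        # User-Name that is not of the form host/<fqdn> is worth investigating.
        if (&User-Name !~ /^host\//) {
            update request {
                &Module-Failure-Message := "machine cert CN %{TLS-Client-Cert-Common-Name} but User-Name %{User-Name}"
            }
        }
    }

    # ... keep the rest of your existing post-auth section (exec, remove_reply_message_if_eap, etc.)
}
```

After restarting FreeRADIUS, run it once in debug mode (radiusd -X) and boot a domain-joined test machine: the Access-Accept in the debug output should show the three Tunnel-* attributes only for the machine-certificate session, and the AP should place that client into the Authentication user profile with attribute 20 rather than the SSID default.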