
Fri, May 7, 2021 4:27 PM

CloudPath SaaS EAP-TLS computer authentication

Hello,

I have implemented an Unleashed solution with ICXs, R320s, and CloudPath SaaS.

We are a cloud native org, and using AAD as IDP for our applications.

We are using AAD with CloudPath utilizing SAML for integration and user authentication for onboarding to WiFi.

The process is simple: the user accesses the Cloudpath onboarding URL, gets redirected to AAD, authenticates, and downloads the app for the Certificate and WiFi configuration.

All our users are using Windows 10 devices.

I have noticed that when Windows boots up, it is not connecting to WiFi; after the user logs in, the WiFi connects.

I have investigated this, and found that the authentication is a user authentication, and this explains the behavior.

I would like to change the EAP-TLS to computer authentication, so that WiFi could connect before the user logs in.

Could you advise, please?

Thanks,

Vadim.

Employee


8 m ago

Hello Vadim,

You can modify how the certificate is installed on the device by opening up:

  1. Configurations
  2. Device Configurations
  3. Select the Device Configuration that you want to edit by clicking the disclosure triangle to the left of it
  4. Click on the OS Settings Tab
  5. The first entry is for "Windows Settings"
  6. Click the Pencil beside "Configuration from the Network(s) and Trust tabs" in the Windows Settings table
  7. In the Advanced menu, you can modify WLAN and Certificates for User/Machine.

Regards,

Christopher

Employee


8 m ago

Vadim,

You can change this in your device configuration. In Cloudpath admin UI, go to Configuration-->OS settings-->Windows-->Click Pencil by Configuration from the Network(s)-->Change WLAN Profile Type and Certificate Store to "Machine" and "Machine"-->Change Authentication Mode to "Machine Only"

If Authentication Mode isn't set to "Machine Only" then either it won't work pre-login or post-login with no user cert.


If you change to the settings I highlighted above, then it should work both pre and post login using the machine certificate.


Thanks,

Pierce


2 m ago

Hi Pierce and Christopher,

Thank you for the reply and help!

If I'm changing to an already deployed configuration, will it affect the users that were already deployed with the User authentication? Or it won't affect the already deployed, and only affect future deployed only with "Machine Only"?

Thanks again,

Vadim.


1 m ago

Hey,

Any advice?

Thanks,

Vadim.

Employee


Hello Vadim,

It should not affect any existing certificates by making that change, since this is how the certificate is stored on that local machine, so it will only affect new deployments.

Regards,

Christopher


Thanks! I will try this.


1 m ago

Hi,

Changed to Machine, but the certificate is still installed under the user store.

If I export the certs from the user store and import them into the computer store, it does auth pre-login.

Any advice?

Thanks,

Vadim.

Employee


@vadim_matusovsky If you change all 3 settings to "Machine/Machine/Machine Only" and publish a snapshot, the cert should then be installed in the Machine store, and if we connect to the WLAN using "Machine Only" as the auth type, this will work both pre and post login. We shouldn't need to do any export if we make the necessary config changes, publish a snapshot, then re-enroll the device. See attached screenshots.
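
To confirm on a re-enrolled Windows 10 client which store the certificate landed in and which 802.1X authentication mode the WLAN profile uses, a check like the following can be run. It is an added example, not part of any post in this thread or of Cloudpath's tooling; `EXAMPLE-SSID` is a placeholder, and treating Cloudpath's "Machine Only" as the Windows `machine` authMode value is an assumption.

```powershell
# Added example (not from the thread). $Ssid is a placeholder SSID.
param([string]$Ssid = 'EXAMPLE-SSID')

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-ClientAuthCert([string]$StorePath) {
    # Candidate EAP-TLS certificates: private key present and Client Authentication EKU
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey -and
                       ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid) } |
        Select-Object @{ n = 'Store'; e = { $StorePath } }, Subject, Issuer, NotAfter
}

# 1. Which store holds the client certificate?
$machineCerts = @(Get-ClientAuthCert 'Cert:\LocalMachine\My')
$userCerts    = @(Get-ClientAuthCert 'Cert:\CurrentUser\My')
$machineCerts + $userCerts | Format-Table -AutoSize | Out-Host

# 2. Which authentication mode does the WLAN profile request?
$dir = Join-Path $env:TEMP "wlan-$([guid]::NewGuid())"
New-Item -ItemType Directory -Path $dir | Out-Null
netsh wlan export profile name="$Ssid" folder="$dir" | Out-Null
$file = Get-ChildItem -Path $dir -Filter *.xml | Select-Object -First 1

$authMode = $null
if ($file) {
    [xml]$profileXml = Get-Content -Path $file.FullName
    $authMode = $profileXml.WLANProfile.MSM.security.OneX.authMode
    # In an 802.1X profile an absent authMode element means the default, machineOrUser
    if (-not $authMode) { $authMode = 'machineOrUser' }
} else {
    Write-Warning "No WLAN profile named '$Ssid' was exported from this device"
}
Remove-Item -Path $dir -Recurse -Force

# 3. Compare against the "Machine/Machine/Machine Only" target described in the thread
[pscustomobject]@{
    Ssid                = $Ssid
    AuthMode            = $authMode
    MachineStoreCerts   = $machineCerts.Count
    UserStoreCerts      = $userCerts.Count
    MatchesMachineSetup = ($authMode -eq 'machine' -and $machineCerts.Count -gt 0)
}
```

A result with `UserStoreCerts` above zero and `MachineStoreCerts` at zero after re-enrollment indicates the device is still running the earlier user-store configuration.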


8 d ago

@christopher_mohammed Hey, any advice on the above?

Thanks,

V.

Employee


@vadim_matusovsky Let us know if you still have any questions.


Thanks,

Pierce
