
I'm reading about 802.1X and WPA2-Enterprise and how to set it up. I've read briefly about the different EAPs and understand that EAP-TLS is the better method of authentication due to the use of client and server certificates.

However, I'm incredibly confused about how a new device is meant to acquire a client certificate without being on the network it needs to get the certificate from.

I've set up a RADIUS server on Windows Server; however, I understand that non-domain-joined devices cannot use it? But of course you can't join a new domain to the network if you can't actually connect to the network!

Really confused, though I could of course be misunderstanding something.

1 Answer

You understand correctly: if your only way to connect to the network requires a certificate, you can't connect if you don't have one. Your devices will be able to connect to your wireless network only after a proper client certificate is installed.

The exact solution varies depending on the device and OS:

  • If you also have a wired network, you can connect computers to it and use it to obtain a certificate; if you are using Windows, this can be automated by joining them to your domain and having them auto-enroll for a client certificate using Group Policy.
  • You can set up a different wireless network with another authentication method (not involving client certificates), to be used only for certificate enrollment and/or domain join.
  • On computers, you can also install a certificate without any network (e.g. by copying it using a USB stick).
  • For phones/tablets, you can use one of the many available Mobile Device Management (MDM) solutions to auto-provision certificates; if you don't have any, see the second point.
– Massimo
  • Thanks for the info. I get the impression that EAP-TLS isn't very scalable, or at least can't be automated above a certain level? The second point seems like the most practical in this situation, but I feel as though it still requires some form of manual identity verification. Otherwise it just shifts the problem: "If you want network access, join this network then get yourself a cert and join the other one"? – Synthetic Ascension Jun 19 '20 at 17:14
  • The second wireless network can simply require a password and be limited in what you can do (e.g. only access a domain controller and/or the certification authority); firewalls exist exactly for this purpose. Or you can use a wired network (for computers), so that you can be sure about where whoever is accessing it is physically located. – Massimo Jun 20 '20 at 15:41
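As an added example (not part of the answer above or of any Microsoft tooling), the following PowerShell script performs the check a practitioner wants before moving a Windows client from the onboarding network onto the certificate-only SSID: does the machine already hold a client certificate that the RADIUS server will accept for EAP-TLS? It looks in the machine store for a certificate with a private key, a Client Authentication EKU, an acceptable expiry, and an issuer matching your CA, then builds the chain the way the server will. The store path and the issuer name `EXAMPLE-ISSUING-CA` are assumptions; replace the issuer with your own CA's name.

```powershell
# Added example, not from the original answer. Assumes the EAP-TLS client
# certificate lives in the machine store (where auto-enrolled certificates go)
# and that the issuing CA's subject contains the placeholder name below.

$ExpectedIssuerPattern = 'CN=EXAMPLE-ISSUING-CA'   # placeholder: replace with your CA's name
$ClientAuthOid         = '1.3.6.1.5.5.7.3.2'       # id-kp-clientAuth EKU

function Test-EapTlsClientCertificate {
    param(
        [string]$StorePath     = 'Cert:\LocalMachine\My',
        [string]$IssuerPattern = $ExpectedIssuerPattern
    )

    # Candidates: private key present, not expired, right issuer, client-auth EKU.
    # EnhancedKeyUsageList is the script property the certificate provider adds.
    $candidates = Get-ChildItem -Path $StorePath | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.Issuer -like "*$IssuerPattern*" -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
    }

    foreach ($cert in $candidates) {
        # Build the chain as the RADIUS server will: it must end at a trusted root
        # and pass revocation checking, or the EAP-TLS handshake fails.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $usable = $chain.Build($cert)

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Usable     = $usable
            Reason     = if ($usable) { '' } else {
                ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
            }
        }
    }
}

$result = Test-EapTlsClientCertificate
if (-not $result) {
    Write-Warning 'No usable EAP-TLS client certificate found; enroll over the wired or onboarding network first.'
} else {
    $result | Format-Table -AutoSize
}
```

Run it in an elevated session so the machine store's private-key flags are readable. A certificate that shows `Usable = False` with a revocation or untrusted-root reason is exactly the case the answer warns about: the device looks enrolled but will still be refused by the certificate-only network, so fix the chain (or re-enroll) while the device can still reach the CA over the onboarding path.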