I'm pushing out dot1x to our sites and I'm running into an issue with sharing certificates. I have a GPO that auto generates device and user certificates, and the dot1x policy I have set up on my RADIUS server requires both the device and user certs for authentication. The switch config, radius policy and certs work fine. The issue I"m running into is that a set of my users share workstations. They can be on up to 5 different machines. My options so far are to either preload all possible workstations with the potential certificates which is insecure and a bear to manage. I can also generate a new certificate for each login, but that will make a large amount of certificates for each user and makes revoking them difficult (not to mention, security). Is there any GPO, script or config I can use to get workstation to contact our CA and pull down a already generated cert?
No comments:
Post a Comment