Wednesday, August 22, 2018

EAP-TLS 802.1x Computer Authentication

Hi All,

I’ve just set up EAP-TLS using a 4000 series Cisco WAC, Windows NPS server and a certificate authority.

I’ve created a GPO to deploy the SSID and the computer certificate. It all works well and users can only connect if they have a certificate issued by the CA.

Everything I’ve read says that EAP-TLS is the most secure method and best way to do this and that PEAP is less secure.

However, as my boss pointed out, only the machine is authenticated. Anyone who logs in on the domain has access to this network. Also, what if someone just hacks the local administrator using something like the pogo Linux boot disk? They will have full access to the network. Surely this is a massive hole in the security and a flaw with this method?!

I can’t seem to find any documentation supporting an NPS/EAP-TLS policy that allows computer and user authentication. It all seems to be aimed at the computer being secured by a CA issued very.
