Hello Herman, I agree with René; good and straightforward video. On a small note for everyone who, just like me, tries to reproduce what Herman is building: when you configure the Certificate Authority you need to have Certificate Templates which have Autoenroll enabled. Otherwise you don't get the certificate pushed. I myself copied the 'Workstation Authentication' and 'User' Templates. Then in the Security tab I enabled auto-enrolment for Domain Computers and Domain Users respectively.
@hermanrobers 7 years ago
Rens, thanks for adding that. I do see that I do indeed have an Arubalab User template in my CA. I set up the CA far before I recorded the video, so I had to depend on my memory for what I had to change in the past. I'm not sure if the Computer template had to be replicated, and I'm pretty sure that in older versions of Windows Server, like 2003 Server, you HAD to copy the templates in order to make things work. It seems that in Server 2016, which I used for this workshop, the templates are a better fit and need less modification. If I find time, I might redo the AD server installation and CA installation; that is just a lot of work ;-) I think with your suggestion most people should be able to reproduce the automatic certificate enrollment.
@nebojsamarkovic629 7 years ago
Hi Herman, keep up the good work as these videos are of great help (not easy to find how-to guides on CPPM :-))! If you need suggestions on what to cover in future, I would suggest Onboard.
@AirheadsBroadcasting 7 years ago
Hi, Herman's away this week but we'll make sure he gets your suggestion. Thanks for watching!
@AirheadsBroadcasting 7 years ago
Got it, and there will be Onboard (planned, and also OnGuard and Guest) in some of the later Workshop videos.
@keninjain466 3 years ago
Hello Herman, is there any video for Mac OS X machine authentication, the same as above as you did for the Windows machine? Our company is trying it for Mac OS machines.
@kontburakula 5 years ago
Great job Herman!
@davidibrahim7809 4 years ago
Another nice video Herman. A question please. Do I need to have both user and machine certificates on a client machine to be able to use "User or Computer authentication" under the client's 802.1X settings? Is it possible to have only a machine certificate and still use EAP-PEAP and EAP-TLS without using EAP-MSCHAPv2?
@hermanrobers 4 years ago
For the 'User or Computer authentication' setting you will need both a user and a computer certificate with EAP-TLS. If you prefer just computer authentication, you should configure your client for Computer authentication only. You cannot mix TLS and MSCHAPv2, for example TLS for computer certificates and MSCHAPv2 for user authentication in PEAP. If you do user & computer, the authentication method has to be the same.
@renejorissen 7 years ago
Hi Herman, good and straightforward video. Maybe you can extend the setup with EAP-TLS with OCSP support.
@ricardoraul 7 years ago
Hi, once again great work. Do you mind covering the Windows settings for EAP-TLS a little more, specifically "Validate the server's identity" and "Connect to these servers"? The reason I am asking is because I have always tried to make my connection fail by changing the name of the server I am connecting to, but it doesn't matter, it always connects, so I am not sure what that option is for.
@AirheadsBroadcasting 7 years ago
@Rene Jorissen: Thanks, good topic. Let me find a good moment to put that in a video (for ADCS); maybe combined with Onboarding.
@ricardoraul 7 years ago
ABC Networking, with Onboarding it will be perfect, as it fills in those options for you automatically when it downloads the profile.
@AirheadsBroadcasting 7 years ago
@Ricardo Villarreal: Good suggestion for a video, let me find a moment to create content around that. In summary, with 'Validate server identity' there are 2 parameters: 'Connect to these servers' and 'Trusted Root CAs'. 'Connect to these servers' ensures that the name of the RADIUS certificate (in the workshop it is radius.arubalab.loc) matches what you configured there. So if you put radius.arubalab.loc in there, your client should ONLY connect if the presented certificate matches radius.arubalab.loc. In the Trusted Root CAs, you can select that the RADIUS certificate can only be issued by the selected CAs. In our lab, we select our Lab CA. If the client sees the RADIUS cert with the proper name, but from a non-selected CA, it will still refuse to authenticate. So for a secure deployment:
- Tick: Validate Server Certificate
- Tick: Connect to these servers, and fill in the name (CN/SAN) for your RADIUS certificate(s)
- Tick: the CA that issued your RADIUS certificate
I like the topic and will schedule a video on this.
@ricardoraul 7 years ago
Yes, that totally makes sense and that is what the theory says all over the internet :) but I have tried to test this in Windows 8.1 and regardless of the name I put in for the servers it still connects, which is weird to me. And thanks for taking the time to reply to our comments.
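Added lab script (mine, not from the video or from Herman's comment above) that reproduces the three-item checklist with openssl in place of the Windows supplicant and runs the failing-by-name test Ricardo describes: a lab CA, a second untrusted CA, and three RADIUS certificates (correct, wrong name, wrong issuer). The CA names, radius.arubalab.loc and the other hostnames are constructed to follow the workshop; it assumes openssl 1.1.1 or later is on the path.

```shell
#!/bin/sh
# Constructed lab: models 'Validate server certificate' + 'Connect to these servers'
# + a ticked Trusted Root CA as an openssl chain-and-hostname check.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

newca() { # newca <prefix> <subject CN> : self-signed root, stand-in for the AD CS root
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}
issue() { # issue <prefix> <ca-prefix> <dns-name> : RADIUS cert with that SAN, signed by the CA
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 2 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# client_accepts <trusted-ca.pem> <'Connect to these servers' list, ';'-separated> <server-cert.pem>
# Succeeds only if the cert chains to the selected CA AND its name is one of the listed names.
client_accepts() {
  names=$2
  while :; do
    name=${names%%;*}
    if openssl verify -CAfile "$1" -verify_hostname "$name" "$3" 2>/dev/null | grep -q ': OK$'; then
      return 0
    fi
    [ "$names" = "$name" ] && return 1   # last name in the list has been tried
    names=${names#*;}
  done
}

newca labca   "Arubalab Lab CA"            # the CA ticked under Trusted Root CAs
newca otherca "Some Other CA"              # a CA the client does NOT trust for RADIUS
issue radius  labca   radius.arubalab.loc  # the workshop RADIUS certificate
issue renamed labca   other.arubalab.loc   # right CA, wrong name
issue rogue   otherca radius.arubalab.loc  # right name, untrusted issuer

for c in radius renamed rogue; do
  if client_accepts "$WORK/labca.pem" "radius.arubalab.loc;radius2.arubalab.loc" "$WORK/$c.pem"; then
    echo "$c.pem: accepted"
  else
    echo "$c.pem: rejected"
  fi
done
```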
@skysinful 3 years ago
Nice video, so if the cert is created by AD, I can then just import the AD root CA into the ClearPass cert trust list?
@hermanrobers 3 years ago
Yup, that's basically it.
@spectregeistvirtual 5 years ago
Excellent video for EAP-TLS.
@narekmovssyan4349 4 years ago
Hi Herman, can you please help? What if we want to authenticate both with the username and with whether the computer is added to the domain? Like username and computer authentication.
@hermanrobers 4 years ago
That is a client setting. You can configure your Windows client to do 'User / Computer authentication'; what it will do then is first use the computer account when connecting, and after that change to user authentication. The ClearPass built-in [Machine Authenticated] role will be applied for computers that have gone through a computer authentication. In the Enforcement stage you can use that (cached) role to put domain-authenticated computers in different roles.
@narekmovssyan4349 4 years ago
@hermanrobers Thank you Herman for your reply. So we cannot avoid configuring anything on the client side? I mean doing everything in ClearPass itself and nothing on the client side.
@mubarakbasha4081 5 years ago
Keep up the good work.
@n0ttsweet_ 4 years ago
Great... but what if we don't HAVE a bunch of premade certs? What then? Literally the most important part and it doesn't say a word on it.
@null_zero 4 years ago
Herman's using a Windows Server Certificate Authority; he does show that at the beginning, and that's assumed, otherwise the video would need to be somewhat longer. I cover CA setup in the last 5 mins of this video: kzbin.info/www/bejne/f6m7e36Nptd0la8