User auth versus machine auth
Hi all, I would like people's opinions on a question. I am looking to implement certificate authentication for my machines (in particular WiFi). Wondering if there are benefits between User or Machine authentication.
The way I see it, a reasonably savvy user could export a machine cert from the machine it was issued to (e.g. my laptop) and then load it onto another device that is not approved (e.g. my personal netbook). Wouldn't this then negate the whole point of authenticating the machine before allowing it access to the WiFi?
What if I used a user cert? An upside would be that if a user left the company and happened to have a user cert loaded onto a non-approved device, it would be rejected because our user termination process would have revoked that cert.
What I'm really looking for is the best way to enforce certificate authentication while stopping someone from using the cert on a non-company device, and the best way to revoke the access when necessary (i.e. is a user or machine cert better when revoking a user when terminated). If it helps, when a user is terminated their machine is reimaged, so the machine cert on the machine (laptop) would be wiped, but technically it's still valid because it hasn't been revoked as well.
August 10th, 2011 4:01am
The certificate export issue is the same for machine certificates as well, if the users are local admins (or if they can elevate to local admin by reset of the local admin password or other methods).
Besides the discussion about risks of certificate export, the main benefit of user authentication is dynamic VLAN and access management based on users' security group membership in AD and policies in IAS/NPS. A side effect of restricting to user authentication is that it will effectively cut the machine off from the network if no user is logged in.
The built-in 802.1X supplicant in Windows together with IAS/NPS does not perform combined machine+user authentication as other third-party solutions can offer. A type of combined authentication can be configured using NAP, as the NAP agent always sends information about the machine identity in the NAP exchange.
If the users are local admins or can elevate to local admins, the NAP scenario can be recommended because of the effect of not being able to "easily" reuse the user certificate on other devices. Please remember that NAP is not a security boundary and the machine info is possible to spoof in the NAP exchange, but it requires more client software and is not as simple as exporting a certificate.
Regarding the termination process, IAS/NPS performs a certificate mapping to a valid AD account for both machine and user authentication, and disabling the machine and/or user account will effectively terminate the access regardless of the certificate status. It is still recommended to revoke the certificate to protect other assets not performing certificate mapping the same way IAS/NPS does.
/Hasain
August 10th, 2011 6:53am
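The termination process Hasain describes, disabling the AD accounts that NPS maps the certificates to and then revoking the certificates themselves, written out as a PowerShell runbook. This is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory module is available, that the issuing CA publishes certificates to the accounts' userCertificate attribute, that the account running it holds Certificate Manager rights on the CA, and the CA config string, user name and computer name are placeholders.

```powershell
# Added example: terminate 802.1X access for a departing user and their laptop.
# Step 1 has immediate effect because IAS/NPS maps an EAP-TLS certificate to an
# AD account; step 2 protects relying parties that do not perform that mapping.
# Assumptions (not from the thread): ActiveDirectory module, certs published to
# userCertificate, and a CA config string of the form "host\CA name".
param(
    [Parameter(Mandatory)] [string] $UserName,      # placeholder sAMAccountName, e.g. jdoe
    [Parameter(Mandatory)] [string] $ComputerName,  # placeholder computer name, e.g. LAPTOP01
    [string] $CAConfig = "ca01.example.com\Example Issuing CA"  # placeholder CA config
)
Import-Module ActiveDirectory

# 1. Disable both accounts. A disabled account fails NPS certificate mapping
#    even though the certificate itself is still unexpired and unrevoked.
$user     = Get-ADUser     -Identity $UserName     -Properties userCertificate
$computer = Get-ADComputer -Identity $ComputerName -Properties userCertificate
Disable-ADAccount -Identity $user
Disable-ADAccount -Identity $computer

# 2. Revoke every certificate published on either account so that systems
#    trusting the certificate alone also stop accepting it.
#    certutil reason code 5 = CessationOfOperation.
foreach ($blob in @($user.userCertificate) + @($computer.userCertificate)) {
    if (-not $blob) { continue }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$blob)
    Write-Host "Revoking $($cert.Subject) serial $($cert.SerialNumber)"
    & certutil -config $CAConfig -revoke $cert.SerialNumber 5
}

# 3. Publish a fresh CRL so the revocation reaches relying parties before the
#    current CRL expires.
& certutil -config $CAConfig -CRL
```

Disabling the accounts comes first because it takes effect on the next NPS authentication attempt, while revocation only helps once clients and servers fetch the new CRL. Reimaging the laptop, as the original poster does, removes the local copy of the machine certificate but leaves any exported copy valid until this revocation step runs.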