802.1X with Endpoint Certificates
In environments with full certificate infrastructures, an organization may decide to leverage certificates on endpoints instead of passing through user credentials. While certificates are considered one of the more secure options, it’s important to remember that at that point we are authenticating the device, not the user.
When using wireless 802.1X with certificates, you’ll usually select EAP-TLS or a similar vendor-specific EAP type.
Best used for: High-security environments with all managed endpoints, a PKI certificate structure and key management.
Pros: Extremely secure authentication method, provided the certificate structure is trusted. Fairly easy to implement if a PKI solution is already in place.
Cons: This method authenticates devices with installed certificates, not users. Organizations with high-security requirements and extensive audit and accounting needs will want to layer authentication methods (two-factor or more) to validate both the machine and the user. This is a major undertaking if a certificate system is not already in place.
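What an EAP-TLS profile looks like on an endpoint, as an added example that is not part of the original post: a wpa_supplicant network block, assuming a Linux client. The SSID, hostnames and file paths are constructed placeholders. The only identity presented is the machine's, and no user credential appears anywhere in the profile.

```conf
# /etc/wpa_supplicant/wpa_supplicant.conf (path and all values below are placeholders)
network={
    # Constructed SSID for the 802.1X-protected WLAN
    ssid="CorpWiFi"
    # WPA2/WPA3-Enterprise: keys are derived from the 802.1X/EAP exchange
    proto=RSN
    key_mgmt=WPA-EAP
    # Certificate-based EAP method; no password-based inner method is configured
    eap=TLS

    # Outer identity sent to the RADIUS server. This names the device,
    # which is why accounting records show a machine, not a person.
    identity="host/laptop01.example.com"

    # Device certificate and private key issued by the organization's PKI
    client_cert="/etc/ssl/certs/laptop01.example.com.pem"
    private_key="/etc/ssl/private/laptop01.example.com.key"
    # Only needed if the key file is encrypted; placeholder value
    private_key_passwd="REPLACE_ME"

    # Trust anchor used to validate the RADIUS server's certificate.
    # Without it the client would accept any server that answers.
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    # Also require the server certificate to match the expected RADIUS name
    domain_suffix_match="radius.example.com"
}
```

Anyone with access to the endpoint and its private key connects as that device, so protecting the key file (or keeping it in hardware) is part of the deployment.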
