topic Dot1x Windows 11 in Network Access Control

Dot1x Windows 11

hs08 — Fri, 13 Mar 2026 08:13:47 GMT

What dot1x method can be used for seamless login?
Currently i'm on PoC with Cisco partner to implement dot1x and when testing the user is prompted to signin and must enter credential when plugged to the wired.

We want if the user login using company device which already joined to the Azure Active Directory then when the LAN plugged to the switch then the user can directly access to the network without prompting to login.

Re: Dot1x Windows 11

Flavio Miranda — Fri, 13 Mar 2026 09:07:13 GMT

@hs08

Are you using certificate? With certificate, no login should be provided.

Re: Dot1x Windows 11

ahollifield — Fri, 13 Mar 2026 17:25:32 GMT

You should only use EAP-TLS or TEAP (with certificates) only in 2026.

Re: Dot1x Windows 11

Ahmed Bayoumi — Sun, 15 Mar 2026 09:44:15 GMT

For a seamless login experience with 802.1X on wired networks, EAP-TLS is typically the recommended method. It allows the endpoint to authenticate using a certificate instead of prompting the user to manually enter credentials.

With password-based methods such as PEAP-MSCHAPv2, the endpoint usually prompts the user to provide credentials during authentication. This is why users are asked to sign in when they plug their device into the wired network.

In contrast, EAP-TLS uses certificate-based authentication. The endpoint presents a valid certificate during the TLS handshake, allowing the authentication process to occur automatically without user interaction. If the device already has a trusted certificate installed, the authentication can happen transparently in the background.

How This Enables Seamless Login

When the company device is domain-joined (for example joined to Azure AD) and has a valid certificate installed:

The endpoint connects to the switch port configured for 802.1X.
The switch forwards the authentication request to the NAC server.
The endpoint presents its certificate using EAP-TLS.
The authentication server validates the certificate and grants network access.

Since the authentication is based on the certificate rather than user credentials, the user does not need to manually enter a username or password.

Certificate Deployment Options

For EAP-TLS to work seamlessly, certificates must be deployed to endpoints. This can be done in several ways:

• Manual certificate installation
• Automatic enrollment using SCEP
• Endpoint onboarding using a BYOD portal
• Integration with device management solutions that distribute certificates automatically

Once the certificate is installed and trusted, the authentication process becomes transparent to the user.

Summary

Using EAP-TLS with properly deployed endpoint certificates allows devices to authenticate automatically when connected to the wired network. This eliminates the need for users to manually enter credentials and provides a seamless login experience while also improving security through certificate-based authentication.

Re: Dot1x Windows 11

hs08 — Wed, 18 Mar 2026 01:19:50 GMT

Yes EAP-TLS is the answer. Now how if the user have Entra ID but the device not joined to the Azure AD? Can we use PEAP-MSCHAP so the user will be prompt for username password and not use certificate?

Re: Dot1x Windows 11

ahollifield — Wed, 18 Mar 2026 02:07:28 GMT

No. You can use EAP-TTLS with ROPC. But that’s not secure either.

Why isn’t the computer properly managed and receiving a certificate? What scenario?

Re: Dot1x Windows 11

hs08 — Wed, 18 Mar 2026 02:40:39 GMT

Beacause beside we have company devices joined to the Azure then we have Vendor where they use their laptop and we only give them the Entra ID and the device not joined to the Azure.

Re: Dot1x Windows 11

ahollifield — Wed, 18 Mar 2026 02:51:28 GMT

Why are you allowing untrusted/unknown/unmanaged endpoints to join your internal protected network? Shouldn’t the vendors be using a guest network?