https://community.cisco.com/t5/wireless/machine-certificate-will-not-be-recognized/m-p/1540393#M219152 <HTML><HEAD></HEAD><BODY><P>Hi Michael,</P><P></P><P>This is how it works when you select the certificate method under the WZC:</P><UL><LI>Computer authentication works <STRONG>only </STRONG>before logon </LI><LI>By default, after logon, only <STRONG>user</STRONG> authentication works. This means that each user on the system needs a certificate (!) including administrator <UL><LI>This can be overridden by AuthMode=2, but this is system-wide,&nbsp; implying that for a different wireless network user authentication won't&nbsp; work either. So AuthMode is not an option (except the computer is <STRONG>only</STRONG> used in one 802.1X network) </LI></UL></LI><LI>This implies too that as soon as there is a computer certificate and no user certificate the network just does not work! </LI><LI>This way it is not possible to use e.g. EAP-TLS with&nbsp; certificates for computers and PEAP-MSCHAPv2 with username/password for&nbsp; users </LI></UL><P></P><P>So if you wish to use certificate based authentication for the machine, you need to use also for user authentication (using WZC).</P><P></P><P>If you have both user and machine certificate, then after installing the certs, reboot the machine and verify if it works.</P><P></P><P>HTH,<BR />Tiago</P><P></P><DIV class="jive-rendered-content"><DIV class="jive-rendered-content"><P>--</P><P>If&nbsp; this helps you and/or answers your question please mark the question as&nbsp; "answered" and/or rate it, so other users can easily find it.</P></DIV></DIV></BODY></HTML> Fri, 10 Dec 2010 21:35:33 GMT Tiago Antunes 2010-12-10T21:35:33Z https://community.cisco.com/t5/wireless/machine-certificate-will-not-be-recognized/m-p/1540392#M219151 <P>Hi All, i have a Setup as Follows</P><P></P><P>- 5508/1142</P><P>- heterogenous Client with WZC, XP, SP3, SSO</P><P>- ACS 5.2, MS AD</P><P></P><P>Target is Songle Sign On wih Machine Cerificates against AD. For testing purpose we tested with EAP-PEAP/MS Chapv2 and Machine Auth, works fine. Now we installed a Machine cert in the Machine cert Store (no User Cert) and reconfigured the WZC for using certs and Machin Auth. What we see is an Error Message in the System Tray that there is no certificate available. We checked it again, the MMC shows us a Machine cert in the Store.</P><P></P><P>Where am i wrong, any help welcome.</P><P></P><P>BR, Michael</P> Sun, 04 Jul 2021 02:31:52 GMT https://community.cisco.com/t5/wireless/machine-certificate-will-not-be-recognized/m-p/1540392#M219151 MICHAEL SCHROEDER 2021-07-04T02:31:52Z https://community.cisco.com/t5/wireless/machine-certificate-will-not-be-recognized/m-p/1540393#M219152 <HTML><HEAD></HEAD><BODY><P>Hi Michael,</P><P></P><P>This is how it works when you select the certificate method under the WZC:</P><UL><LI>Computer authentication works <STRONG>only </STRONG>before logon </LI><LI>By default, after logon, only <STRONG>user</STRONG> authentication works. This means that each user on the system needs a certificate (!) including administrator <UL><LI>This can be overridden by AuthMode=2, but this is system-wide,&nbsp; implying that for a different wireless network user authentication won't&nbsp; work either. So AuthMode is not an option (except the computer is <STRONG>only</STRONG> used in one 802.1X network) </LI></UL></LI><LI>This implies too that as soon as there is a computer certificate and no user certificate the network just does not work! </LI><LI>This way it is not possible to use e.g. EAP-TLS with&nbsp; certificates for computers and PEAP-MSCHAPv2 with username/password for&nbsp; users </LI></UL><P></P><P>So if you wish to use certificate based authentication for the machine, you need to use also for user authentication (using WZC).</P><P></P><P>If you have both user and machine certificate, then after installing the certs, reboot the machine and verify if it works.</P><P></P><P>HTH,<BR />Tiago</P><P></P><DIV class="jive-rendered-content"><DIV class="jive-rendered-content"><P>--</P><P>If&nbsp; this helps you and/or answers your question please mark the question as&nbsp; "answered" and/or rate it, so other users can easily find it.</P></DIV></DIV></BODY></HTML> Fri, 10 Dec 2010 21:35:33 GMT https://community.cisco.com/t5/wireless/machine-certificate-will-not-be-recognized/m-p/1540393#M219152 Tiago Antunes 2010-12-10T21:35:33Z https://community.cisco.com/t5/wireless/machine-certificate-will-not-be-recognized/m-p/1540394#M219153 <HTML><HEAD></HEAD><BODY><P>Great job on the explation T .. 5 stars</P><P></P><P>I put a few missing links together for me ...</P></BODY></HTML> Sun, 12 Dec 2010 04:17:11 GMT https://community.cisco.com/t5/wireless/machine-certificate-will-not-be-recognized/m-p/1540394#M219153 George Stefanick 2010-12-12T04:17:11Z https://community.cisco.com/t5/wireless/machine-certificate-will-not-be-recognized/m-p/1540395#M219154 <HTML><HEAD></HEAD><BODY><P>Hi Tiago,</P><P></P><P>this is exactly what i wanted to know, thanks a lot. I will discuss the Autoenrollment of User Certificates with my Customer.</P><P></P><P>Thanks again and 5 Stars on that!</P><P></P><P>Regards, Michael</P></BODY></HTML> Sun, 12 Dec 2010 17:28:08 GMT https://community.cisco.com/t5/wireless/machine-certificate-will-not-be-recognized/m-p/1540395#M219154 MICHAEL SCHROEDER 2010-12-12T17:28:08Z https://community.cisco.com/t5/wireless/machine-certificate-will-not-be-recognized/m-p/1540396#M219155 <HTML><HEAD></HEAD><BODY><P>Hey Guys,</P><P></P><P>one additional Question; what exactly is checked if i dont use Certificates (Customer Decision) but only the Computer against AD, simply the Hostname or his SID? Can i influence that?</P><P></P><P>Thx and Regards, Michael</P></BODY></HTML> Mon, 24 Jan 2011 13:07:22 GMT https://community.cisco.com/t5/wireless/machine-certificate-will-not-be-recognized/m-p/1540396#M219155 MICHAEL SCHROEDER 2011-01-24T13:07:22Z