802.1x using PEAP and Client Certs NOT MSCHAP support?

mike.iacovacci
Level 1

Has anyone had any luck deploying 802.1x wired auth w/ ACS or IAS and Microsoft AD using the PEAP machine certificate on the client option? I want to avoid using a second password for login. Client PCs are WinXP.

3 Replies

jafrazie
Cisco Employee

Do you want to only authenticate the machine?

Yes, I would like to only authenticate the machine, then let the normal Windows AD login handle the user. I would like to use the Windows Certificate infrastructure to grant and manage client certs.

jafrazie
Cisco Employee

OK, so to do machine-auth ONLY, you need to set the following registry settings:

Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode -- REG_DWORD

"3" Compliant with IEEE 802.1X Specification.

Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode -- REG_DWORD

"2" Machine authentication only – Whenever a user logs in, it has no effect on the connection. 802.1X authentication is performed using machine credentials only.

The prerequisites are you must be running Active Directory, the machine must already be a member of your Active Directory Domain, and you can only use EAP-TLS or PEAP w/ EAP-MSCHAPv2.

To leverage auto-enrollment for any certs in a Windows environment, this doc should help:

<http://www.microsoft.com/downloads/details.aspx?FamilyID=05951071-6b20-4cef-9939-47c397ffd3dd&DisplayLang=en/>
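The two registry values from the reply above, applied and read back as a script. This is an added example, not code from the thread or from Microsoft; the key path, value names and data are the ones quoted in the reply, everything else (running elevated on the XP client, the function names, and rebooting the client so the EAPOL service picks up the change) is an assumption.

```powershell
# Added example (not from the original thread): configure machine-only 802.1X
# on a Windows XP supplicant by setting the two EAPOL values named in the reply.
# Assumes it is run with administrative rights on the client (e.g. from a
# startup script). Written for PowerShell 2.0 syntax so it runs on XP.

# Key path as given in the reply, rooted at HKEY_LOCAL_MACHINE
$EapolKey = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'

function Set-MachineOnly8021x {
    # A fresh client may not have the Global subkey yet; create it if missing.
    if (-not (Test-Path -Path $EapolKey)) {
        New-Item -Path $EapolKey -Force | Out-Null
    }
    # SupplicantMode 3: "Compliant with IEEE 802.1X Specification" (per the reply)
    Set-ItemProperty -Path $EapolKey -Name 'SupplicantMode' -Value 3 -Type DWord
    # AuthMode 2: machine authentication only; user logon does not affect the port
    Set-ItemProperty -Path $EapolKey -Name 'AuthMode' -Value 2 -Type DWord
}

function Test-MachineOnly8021x {
    # Read the values back and report whether both match the machine-only settings.
    $props = Get-ItemProperty -Path $EapolKey -ErrorAction Stop
    $isMachineOnly = ($props.SupplicantMode -eq 3) -and ($props.AuthMode -eq 2)
    New-Object -TypeName PSObject -Property @{
        SupplicantMode = $props.SupplicantMode
        AuthMode       = $props.AuthMode
        MachineOnly    = $isMachineOnly
    }
}

Set-MachineOnly8021x
Test-MachineOnly8021x | Format-List

# Assumption: the EAPOL settings are read when the service starts, so reboot the
# client (or restart its wireless/wired configuration service) before testing.
```

If the check reports MachineOnly as False after a reboot, something else (a GPO preference or another script) is rewriting the key; compare the values with `reg query HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global` from a command prompt to rule out a PowerShell-side problem.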