Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
859
Views
0
Helpful
3
Replies

802.1x using PEAP and Client Certs NOT MSCHAP support?

mike.iacovacci
Level 1
Level 1

‎02-11-2005 06:43 AM - edited ‎03-10-2019 02:00 PM

Has anyone had any luck deploying 802.1x wired auth w/ ACS or IAS and Microsoft AD using the PEAP machine certificate on the clilent option. I want to avoid using a second password for login. Client PC's are WinXP.

Labels:
0 Helpful
3 Replies 3

jafrazie
Cisco Employee
Cisco Employee

‎02-11-2005 08:17 AM

Do you want to only authenticate the machine?

0 Helpful

mike.iacovacci
Level 1
Level 1
In response to jafrazie

‎02-11-2005 10:26 AM

yes, I would like to only authenticate the machine, then let the normal Windows AD login handle the user. I would like to use the Windows Certificate infrastructure to grant,and manage client certs.

0 Helpful

jafrazie
Cisco Employee
Cisco Employee

‎02-11-2005 10:42 AM

OK, so to do machine-auth ONLY, you need to set the following registry settings:

Software\Microsoft\EAPOL\Parameters\General\

Global\SupplicantMode -- REG_DWORD

"3" Compliant with IEEE 802.1X Specification.

Software\Microsoft\EAPOL\Parameters\General\

Global\AuthMode -- REG_DWORD

"2" Machine authentication only – Whenever a user logs in, it has no effect on the connection. 802.1X authentication is performed using machine credentials only.

The pre-requistes are you must be running Active Directory, the machine must already be a member of your Active Directory Domain, and you can only use EAP-TLS or PEAP w/ EAP-MSCHAPv2.

To leverage auto-enrollment for any certs in a Windows environment, this doc should help:

<http://www.microsoft.com/downloads/details.aspx?FamilyID=05951071-6b20-4cef-9939-47c397ffd3dd&DisplayLang=en/>

0 Helpful
Customers Also Viewed These Support Documents