EAP-TEAP with EAP-TLS for user+machine, Windows 11 first login

jthurston
Level 1

Hello, does anyone have any advice on how to resolve this issue? The problem is that the first time a user signs into a workstation, they do not yet have their certificate from our CA, which does provide a user cert automatically, but not before the Windows 11 authentication supplicant runs and fails user auth.

We currently use EAP-TEAP with MSCHAPv2 + EAP-TLS, which works very well, but Microsoft is now enabling Credential Guard by default and as the recommended setting, which makes MSCHAPv2 a nonstarter.

I found a way to restart the Windows authentication supplicant using netsh, but this evidently causes other issues with SCCM.
Using netsh automatically at Windows login within a .bat file works very well if there is a user physically at the workstation.
When ITOPS uses SCCM to remote into a workstation however the system returns to the lock screen immediately after netsh runs.

If anyone knows a better way to do this I would be very interested. 
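One way to script the login-time re-authentication described above so that it only fires once the user certificate actually exists, as an added example that is not from the original thread or from Cisco. It assumes the script runs in the user's context at logon, that the CA's user template carries the Client Authentication EKU, that the wired interface is managed by Wired AutoConfig (dot3svc), and that `CN=EXAMPLE-CA` is a placeholder for your issuer DN; it does not address the SCCM remote-session lock-screen behaviour mentioned above.

```powershell
# Added example (not the original poster's script): wait for the auto-enrolled
# user certificate to appear in CurrentUser\My, then trigger a wired 802.1X
# reconnect so the EAP-TEAP user leg (EAP-TLS) can succeed on first login.
param(
    [string]$IssuerMatch = 'CN=EXAMPLE-CA',   # placeholder: substring of your CA's issuer DN
    [int]$TimeoutSeconds = 300,
    [int]$PollSeconds = 5
)

$clientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-UserAuthCert {
    # Newest unexpired cert from the expected CA that has a private key and the client-auth EKU.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            $_.Issuer -like "*$IssuerMatch*" -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthEku })
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
$cert = Get-UserAuthCert
while (-not $cert -and (Get-Date) -lt $deadline) {
    # Nudge certificate autoenrollment instead of waiting for its next scheduled run.
    certutil -pulse | Out-Null
    Start-Sleep -Seconds $PollSeconds
    $cert = Get-UserAuthCert
}

if (-not $cert) {
    Write-Warning "No client-auth user certificate after $TimeoutSeconds s; not reconnecting."
    exit 1
}

Write-Host "Found user certificate $($cert.Thumbprint); triggering 802.1X re-authentication."
# Restart the wired 802.1X conversation on the interfaces managed by dot3svc.
netsh lan reconnect
```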

2 Replies

Arne Bier
VIP

Why is user-based network authentication important to you? I.e., can/will/should more than one user be able to log into the workstation with their own cred, and then be treated differently on the network (e.g. a different VLAN or ACL)?

In most cases, machine authentication works just great, when there is no need to further differentiate the network access on a per-user level. Users can log into the PC and the PC remains authorized based on the machine certificate (EAP-TLS).

Have you run into scenarios where EAP chaining is required to solve a problem you're experiencing? I don't know if the PC waking up from sleep mode is still an issue with only machine auth enabled. Or the scenario of switching from wired to wireless and vice versa: the PC can get confused, and then EAP chaining gets us out of trouble. Maybe I am just lucky, but I don't hear much about these problems.

Greg Gibbs
Cisco Employee

The best option is likely using the 'User failed and computer succeeded' EAP Chaining result to permit access based on the initial Computer certificate authentication.

https://community.cisco.com/t5/network-access-control/eap-teap-first-time-user-login-chicken-amp-egg-scenario/td-p/4475351