EAP-TLS - user already logged in - expected behavior

iores · ‎11-17-2024

Hi,

what is the expected behaviour when user connects laptop to a wired network, and has already logged into Windows?

As I understood, EAP-TLS user authentication is performed during log-in screen.

Rob Ingram · ‎11-17-2024

@iores if the user is already logged into windows and connects to the network, authentication will start and will be authenticated (assuming authentication credentials valid).

ammahend · ‎11-17-2024

Expected behavior is that user will have to be authenticated using certificate on the device, If the port is configured for 802.1X then by default nothing is allowed except EAP exchange until the user/device is authenticated.

you can verify this why running a debug on the switch like debug radius authentication

-hope this helps-

PradeepSingh · ‎11-18-2024

In this scenario as well authentication will happen. Even user is already logged in, authentication will start. As soon as network link is up on network port switch will send EAP start message to client supplicant. Subsequently client will send credentials and authentication will happen.

Arne Bier · ‎11-18-2024

How is the Windows Supplicant configured? Computer, User or User/Computer authentication?

Computer auth: happens when machine boots, prior to login. And also when a logged-in user logs out of their account.

User auth: happens when a user logs into the Locked screen.

iores · ‎11-18-2024

Where does the supplicant get user credentials from? Are they cached somewhere in Windows?

Greg Gibbs · ‎11-18-2024

There are no credentials with EAP-TLS. When Windows is in the User state, the supplicant will present the User certificate for authentication.