Solved: Re: EAP-TLS certificates for Windows client

carl_townshend · ‎06-04-2020

Hi All

When doing EAP-TLS authentication using Windows clients, what certificate does the client machine require?

Is a CA root cert enough? or does each machine require its own individual cert? if so how is this assigned etc?

Many thanks

Carl

Rasika Nayanajith · ‎06-05-2020

It does not get any by default. Either you need to have internal CA server that can issue certificate for domain PCs or you have to get them issued using public CA server.

Have a look this document

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213543-configure-eap-tls-flow-with-ise.html

HTH

Rasika

*** Pls rate all useful responses ***

View solution in original post

Rafael E · ‎06-04-2020

it needs both

CA root

CA device (windows machine) certificate signed by CA root

Saludos,
Rafael - TAC

carl_townshend · ‎06-05-2020

Hi

How are the Windows machine certificates created?

Does each domain device get one by default, or do they need to be created somewhere?

cheers

Rasika Nayanajith · ‎06-05-2020

It does not get any by default. Either you need to have internal CA server that can issue certificate for domain PCs or you have to get them issued using public CA server.

Have a look this document

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213543-configure-eap-tls-flow-with-ise.html

HTH

Rasika

*** Pls rate all useful responses ***

Jurgens L · ‎06-07-2020

Also a handy guide to have, check page 58 using Group Policy to sign certificates automatically with end clients.
https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2014/CVD-CampusDot1XDesignGuide-AUG14.pdf