cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4753
Views
0
Helpful
3
Replies

EAP-TLS Machine Authentication/Certificate

Hi,

I'm having problems getting EAP-TLS to work when a client machine needs to connect to a WLAN.  I can make each user get a user cert from my CA and if I use an admin account I can get windows to put these certs into the machine store, but when it comes to a login attempt my RADIUS failure messages look like host/axelfoley001 instead of host/MACHINE001xp, which is how the login looks on RADIUS when using EAP/PEAP.

Clients are WinXPSP3, and I'm using CiscoACS 4.1, MS Certificate Services CA.

When a user gets its own cert it can log into the WLAN fine after already logging onto the machine, but i can't seem to figure out how to pass the machine name with the cert on machine login (pre-auth).

Do I need to alter some setting in the cert to pass a different user/machine name or do i need to get a different kind of cert from the CA?

Any help will be greatfully received.

Thanks,

1 ACCEPTED SOLUTION

Accepted Solutions
weterry
Enthusiast

It sounds like your supplicant isn't configured to use machine credentials. In WZC there is a checkbox for "user machine credentials if available".... Perhaps that isn't enabled?

Or perhaps you don't have a machine cert on the computer.  You mentioned a "user cert", but I think if you want machine credentials, don't you need a certificate for the machine itself? I could be wrong on this though.

View solution in original post

3 REPLIES 3
Robert.N.Barrett_2
Enthusiast

Are you trying to do machine only authentication?  If you are using Wireless Zero Config, then have you configured the client for machine only auth?

http://support.microsoft.com/kb/929847

weterry
Enthusiast

It sounds like your supplicant isn't configured to use machine credentials. In WZC there is a checkbox for "user machine credentials if available".... Perhaps that isn't enabled?

Or perhaps you don't have a machine cert on the computer.  You mentioned a "user cert", but I think if you want machine credentials, don't you need a certificate for the machine itself? I could be wrong on this though.

View solution in original post

it was an issue with the machine certificate.  I've not actually had it working yet, but I'm sure a proper machine cert from the CA is what it needs.

thanks for the responses.

Content for Community-Ad