Machine Certificate will not be recognized

Hi All, I have a setup as follows:

- 5508/1142

- heterogeneous clients with WZC, XP SP3, SSO

- ACS 5.2, MS AD

Target is Single Sign-On with Machine Certificates against AD. For testing purposes we tested with EAP-PEAP/MS-CHAPv2 and Machine Auth; that works fine. Now we installed a Machine cert in the Machine cert store (no User Cert) and reconfigured the WZC to use certs and Machine Auth. What we see is an error message in the system tray that there is no certificate available. We checked it again; the MMC shows us a Machine cert in the store.

Where am I wrong? Any help welcome.

BR, Michael

Accepted Solution

Tiago Antunes
Cisco Employee

Hi Michael,

This is how it works when you select the certificate method under the WZC:

  • Computer authentication works only before logon
  • By default, after logon, only user authentication works. This means that each user on the system needs a certificate (!), including administrator
    • This can be overridden by AuthMode=2, but this is system-wide, implying that for a different wireless network user authentication won't work either. So AuthMode is not an option (unless the computer is only used in one 802.1X network)
  • This also implies that as soon as there is a computer certificate and no user certificate, the network just does not work!
  • This way it is not possible to use e.g. EAP-TLS with certificates for computers and PEAP-MSCHAPv2 with username/password for users

So if you wish to use certificate-based authentication for the machine, you need to use it for user authentication as well (using WZC).

If you have both user and machine certificates, then after installing the certs, reboot the machine and verify that it works.

HTH,
Tiago

--

If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.
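The checks a practitioner would want to run on the XP client before blaming the cert store, as an added example that is not code from the original thread or from Cisco: it lists the machine certificates a supplicant could pick for EAP-TLS computer authentication (private key present, inside its validity period, Client Authentication EKU, name matching the host), reads the system-wide EAPOL AuthMode value Tiago refers to, and counts the current user's own certificates, which is what WZC actually looks for after logon. Assumptions: PowerShell 2.0 on XP SP3 (the Cert: drive exists) and the AuthMode value located at HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global; the function and variable names are the example's own.

```powershell
# Added example (not from the original thread). Assumes PowerShell 2.0 on XP SP3
# and the EAPOL AuthMode value at HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, required for EAP-TLS client certs
$hostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$now = Get-Date

# Enumerate LocalMachine\My and report the properties a supplicant cares about.
function Get-MachineAuthCertificates {
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # Extended Key Usage extension (OID 2.5.29.37), if present
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekus = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        # DNS name from the SAN (falls back to the subject CN)
        $dnsName = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

        New-Object PSObject -Property @{
            Thumbprint      = $cert.Thumbprint
            Subject         = $cert.Subject
            DnsName         = $dnsName
            HasPrivateKey   = $cert.HasPrivateKey
            NotExpired      = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
            ClientAuthEku   = ($ekus -contains $clientAuthOid)
            NameMatchesHost = ($dnsName -ieq $hostFqdn)
        }
    }
}

$certs  = @(Get-MachineAuthCertificates)
$usable = @($certs | Where-Object { $_.HasPrivateKey -and $_.NotExpired -and $_.ClientAuthEku })
$certs | Format-Table Thumbprint, DnsName, HasPrivateKey, NotExpired, ClientAuthEku, NameMatchesHost -AutoSize
if ($usable.Count -eq 0) {
    Write-Warning 'No certificate in LocalMachine\My has a private key, is currently valid and carries the Client Authentication EKU.'
}

# AuthMode (assumed location): 2 = computer authentication only, system-wide, the
# override mentioned in the thread; absent or any other value = user authentication
# takes over after logon, so a machine-only cert will not be offered once a user is on.
$regPath  = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'
$authMode = (Get-ItemProperty -Path $regPath -Name AuthMode -ErrorAction SilentlyContinue).AuthMode
if ($authMode -eq $null) {
    'AuthMode not set (default: user authentication after logon)'
} elseif ($authMode -eq 2) {
    'AuthMode=2: computer authentication only, for every 802.1X network on this host'
} else {
    "AuthMode=$authMode: user authentication after logon"
}

# What WZC looks for after logon: a certificate with a private key in the user's store.
$userCerts = @(Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey })
"User certificates with a private key for ${env:USERNAME}: $($userCerts.Count)"
```

Run it elevated in the logged-on user's session: a non-empty machine table with a warning-free result plus a user certificate count of zero and AuthMode unset reproduces exactly the "no certificate available" situation the thread describes, since the only usable certificate is in a store WZC does not consult after logon.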

4 Replies


Great job on the explanation T .. 5 stars

I put a few missing links together for me ...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Hi Tiago,

this is exactly what I wanted to know, thanks a lot. I will discuss the autoenrollment of user certificates with my customer.

Thanks again and 5 Stars on that!

Regards, Michael

Hey Guys,

one additional question: what exactly is checked if I don't use certificates (customer decision) but only the computer against AD, simply the hostname or its SID? Can I influence that?

Thx and Regards, Michael
