Share via

User EAP-TLS authentication for the first time

Anonymous
2019-09-06T12:59:48+00:00

Hi community,

we are trying to develop 802.1X authentication to the network (LAN and WLAN) using the native Windows supplicant. The recommendation for the internal security department is to use certificates from the authentication. Second requirement is to have a user identity when an user is on a corporate machine.

Machine and user certificates are auto-enrolled using GPO policy.

Then we've configured clients using the GPO policy to have the required settings (same on LAN and WLAN network), including certificate selection

  • 802.1X auth credential: Machine or user credential
  • EAP type: Smart Card or other certificate

Machine certificates are enrolled during the imaging process when a machine is online and joined to the AD.

The problem which we currently have is I would say chicken or the egg problem.

When a user is logging on the machine for the first time, there is no certificate for such user. From the observation, there is around 50% change that the user cert auto-enrollment is finished during logon on LAN. But on WLAN is't failing all the time.

We are looking for some option to extend the machine authentication session to provide more time for the user cert auto-enrollment when the user is visiting the machine for the first time.

Is there any simple way how to auto-configure the supplicant to use "Machine credential" mode only in the case where is no user certificate available. And then re-configure the supplicant to the "Machine or User credentials" mode when there is a user certificate?

Thanks

Pavel

Windows for home | Windows 10 | Settings

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

0 comments

Answer accepted by question author

Anonymous
2019-09-11T12:18:35+00:00

Hi,

Thank you for writing to Microsoft Community Forums.

We appreciate your effort on this. We understand that when a user logs in for the first time, there is no certificate for such user. We suggest you to refer the articles How to: Create Temporary Certificates for Use During Development and 802.1X Authenticated Wireless Deployment Guide and check if that helps.

For more information, you may refer Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS.

However, we do have a dedicated team who handles issues related to EAP-TLS authentication, let me point you in the right direction. I would suggest you to post your query in TechNet forums, where we have support professionals to address your query.

Regards,

Nikhar Khare

Microsoft Community - Moderator

Was this answer helpful?

0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest