EAP-TLS under Unified Wireless Network with ACS 4.0 and Windows 2003

Jun 17th, 2008

Hi Guys,

I have just read the above doco from Cisco and it is very good indeed.


I do have a couple of questions though.

Question 1. the section Create the Necessary Configuration for WPA2/WPA

They setup the WLAN for WPA/WPA2 which is what we want to do.


in the section CLIENT Configuration for EAP-TLS using Windows Zero Touch

they use the network authentication as OPEN and data encryption as WEP?

Is there a reason for this?

Question 2. (think I may have asked this before) They don't actually mention when the certificates are exchanged between the ACS server and the client (is there one or two certificates, one for computer and one for user?). It says "EAP-TLS authentication requires computer and user certificates on the wireless client" so does a certificate exchange between the client workstation and ACS server happen twice?

If twice, is the first one pre-winlogon and the second one during winlogon?

Many thx guys,


Jagdeep Gambhir Tue, 06/17/2008 - 08:14

1). It is just an example; you can use any network authentication as per your need.

2). Machine certificates are used in EAP-TLS to positively identify the computer when using machine authentication. These certificates can ONLY be gained by configuring your Microsoft Enterprise CA for certificate auto-enrollment and joining the computer to the domain. The certificate will automatically be created using the computer's Active Directory credentials and installed in the local computer store. Computers that are already members of the domain before you configure auto-enrollment will receive a certificate the next time that Windows is restarted. The Machine Certificate will be installed in the Certificates (Local Computer) > Personal > Certificates folder of the Certificates (Local Computer) MMC snap-in. These certificates cannot be installed on any other machine since the private key cannot be exported. A certificate that bears the name of the computer but was not created as described above is not a true machine certificate with Machine in the Certificate Template field and will not be used for machine authentication but rather will be seen by the OS as a normal user certificate.



Do rate helpful posts

kfarrington Tue, 06/17/2008 - 09:22

Hi JG,

Many thanks.

So, can you tell me exactly the following

We want to have the following

WLAN Client ----------> AP --------> WLC --------> Radius Active Directory DC

We want to use EAP-TLS

So can I clarify a couple of points.

1. The computer and user certificates (is this just one certificate or is it two)

2. When the computer boots up pre windows logon, it compares the computer certificate with the radius server (any interaction here between Radius and AD Servers)

3. When the user puts in their username/password, does this use a certificate with the radius server? (again, any interaction here between Radius and AD Servers)

4. Is the exchange just between the client and the radius server or does the radius server check the username/password or certificate against the AD DC

5. Is there any documentation relating to the whole eap-tls/radius/AD DC flow.

I am so sorry, but I have not been able to understand this for a while now.

Many thx, and I really need to understand this flow.

Cheers to all :)


Jagdeep Gambhir Tue, 06/17/2008 - 13:01

Computer cert and user cert are two different certs.

Here is the TLS process,

The EAP-TLS transaction begins when the client sends a standard 802.11 authentication request to the access point and gets back an EAP Request/Identity message specifying the EAP-TLS protocol.

1. The station replies with an EAP Response/Identity message containing its own ID.

2. The access point repackages this into a RADIUS Access Request and forwards it to a RADIUS server. From this point forward, the access point acts as a go-between and can be ignored.

3. The RADIUS server returns an EAP Request specifying EAP-TLS as the authentication mechanism.

4. The station returns an EAP Response containing a TLS Client-Hello message. This message contains the encryption algorithms supported by the client (called a cipher suite).

5. The RADIUS server replies with an EAP Request containing a TLS Server-Hello message with a session ID and those elements of the client's cipher suite the server supports. This message also contains the server's public key certificate and a request for the client to send its own public key certificate.

6. The station returns an EAP Response containing the following TLS messages: The client's public key certificate, the client's verification of the server's public key certificate (digitally signed by the client), and an agreement to use one of the server's cipher suite selections.



Do rate helpful posts
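The framing behind steps 1, 2 and 4 above, as an added example that is not part of the original post or of any Cisco or Microsoft code: the station's EAP Response/Identity, the EAP-TLS wrapper around a TLS message, and the RADIUS Access-Request the access point builds around them (EAP-Message attributes plus the Message-Authenticator HMAC-MD5 that RFC 3579 requires on any request carrying EAP). The TLS handshake itself is not modelled; the shared secret, identities and the 600-byte stand-in for a TLS message are constructed values, and the host/FQDN identity form is the one Windows uses for machine authentication.

```python
import hashlib
import hmac
import os
import struct

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TLS = 13
EAP_TLS_FLAG_LENGTH = 0x80  # L bit: a 4-byte TLS message length follows the flags byte

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
MAX_ATTR_VALUE = 253  # attribute length is one byte and includes its 2-byte header


def eap_packet(code, identifier, eap_type, data):
    """Code(1) Identifier(1) Length(2) Type(1) Type-Data, network byte order."""
    return struct.pack("!BBHB", code, identifier, 5 + len(data), eap_type) + data


def eap_response_identity(identifier, identity):
    """Step 1: the station's EAP Response/Identity (constructed identity string)."""
    return eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_IDENTITY, identity.encode())


def eap_tls_response(identifier, tls_message):
    """Steps 4 and 6: one unfragmented TLS message inside an EAP-TLS Response
    (flags byte with L set, the TLS message length, then the TLS records)."""
    data = bytes([EAP_TLS_FLAG_LENGTH]) + struct.pack("!I", len(tls_message)) + tls_message
    return eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_TLS, data)


def parse_eap(packet):
    """Decode an EAP packet; reject a Length field that disagrees with the bytes received."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 5:
        raise ValueError("bad EAP length")
    return {"code": code, "id": identifier, "type": packet[4], "data": packet[5:]}


def radius_attr(attr_type, value):
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def radius_access_request(secret, identifier, username, eap, authenticator=None):
    """Step 2: the access point repackages the EAP packet as a RADIUS Access-Request.
    EAP-Message is split into attributes of at most 253 bytes. Message-Authenticator is
    HMAC-MD5 keyed with the shared secret over the whole packet with that attribute's
    value set to 16 zero bytes (RFC 3579 section 3.2)."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator: 16 random bytes
    attrs = radius_attr(ATTR_USER_NAME, username.encode())
    for offset in range(0, len(eap), MAX_ATTR_VALUE):
        attrs += radius_attr(ATTR_EAP_MESSAGE, eap[offset:offset + MAX_ATTR_VALUE])
    attrs += radius_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder, filled below
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac  # the placeholder is the last 16 bytes of attrs


def radius_attributes(packet):
    """Return [(type, value), ...] for the attributes after the 20-byte RADIUS header."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        out.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return out


def verify_message_authenticator(secret, packet):
    """RADIUS server side: recompute the HMAC with the attribute zeroed and compare in
    constant time. A request carrying EAP-Message without a valid Message-Authenticator
    must be rejected (RFC 3579), so a missing attribute returns False as well."""
    pos = 20
    for attr_type, value in radius_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += 2 + len(value)
    return False


def eap_from_radius(packet):
    """Reassemble the EAP packet by concatenating the EAP-Message attributes in order."""
    return b"".join(v for t, v in radius_attributes(packet) if t == ATTR_EAP_MESSAGE)
```

A TLS Certificate message from the client easily exceeds 253 bytes, which is why `radius_access_request` splits it across several EAP-Message attributes and the server side reassembles them in order; the Message-Authenticator is what stops anyone on the AP-to-RADIUS path from swapping the identity or the EAP payload in transit, since the Request Authenticator alone does not protect Access-Request attributes.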

kfarrington Tue, 06/17/2008 - 23:24

JG, Once again, Many thx. That is great.

Does this process happen once or twice. Once for the computer cert and then a whole new TLS exchange for the user cert?

I found this and I hope it helps others to understand. It's just that until I get my infra up and running, I can packet capture the complete windows experience :)

I am assuming that the eap-tls does happen twice, and again, still not 100% sure if the radius server has interaction with AD?

The way I am looking at it now is as follows:-

1. eap-tls "computer" certificate exchange pre-windows logon. Computer has access to network. This exchange is between computer and Radius server only.

2. User authenticates to AD with his username/password using kerberos. This is interaction between computer and AD DC only (no Radius interaction here)

3. Once user has authenticated to AD domain, then a new eap-tls "user" certificate exchange session occurs between computer and Radius server only?

Pls see below.

Really, I have spent ages looking on the web for a complete flow.


Computer Authentication and User Authentication

To successfully authenticate with a wireless AP, you must have a computer certificate, a user certificate, or both installed. Computers running Windows XP can use EAP-TLS to authenticate the computer or the user logged on to the computer.

To authenticate the computer, the computer running Windows XP submits a computer certificate stored in the local computer certificate store during EAP-TLS negotiations. The local computer certificate store is always available, regardless of whether a user has logged on to the computer or who is logged on to the computer. More importantly, the local computer certificate store is available during the computer's startup process.

To authenticate the user logged on to the computer, the computer running Windows XP submits an installed user certificate stored in the user's certificate store during EAP-TLS negotiations. The user's certificate store is only available after the user has successfully logged on to the computer using the proper credentials. Each individual user that logs on to the computer has a separate user certificate store. The user certificate is not available during the boot process.

Without an installed computer certificate, a Windows XP wireless client computer that starts up within range of a wireless AP associates with it but authentication fails. A user can log on to a computer that does not have wireless network connectivity using cached credentials. Once successfully logged on, the user's certificate store becomes available and the subsequent authentication with the wireless AP succeeds using the installed user certificate.

Without an installed user certificate, all wireless access is based on the computer certificate. However, to provide the highest level of security, it is recommended to deploy both computer certificates and user certificates.

The computer and user authentication behavior for a Windows XP wireless client is the following:

If there is an installed computer certificate, computer authentication is performed.

If the computer authentication is successful, user authentication after a successful user logon is not performed for reauthentication with the same wireless AP.

If the user logon was successful and you switch to a new wireless AP, user authentication is performed.

If there is no installed computer certificate or the user logon is successful before computer authentication, user authentication is performed.

Jagdeep Gambhir Fri, 06/27/2008 - 06:01

How do all the certificates work?

Step 1) ACS sends its server certificate to the client. Since the client has the CA certificate from the same CA that issued the server certificate, it trusts the certificate sent by ACS.

Step 2) After sending the server certificate, the server requests the client certificate.

Step 3) Based on the request from the server, the client sends its client certificate.

Step 4) The server receives the client certificate. It trusts it if it has the CA certificate from the same CA in the CTL. After it trusts it, it checks the username in three ways:

username entered by the user

corresponding username in the client certificate.

Existence of that username in the ACS database.

Step 5) If the username exists, the user gets authenticated.

(Note: the certificate is first sent by the server.)
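The three-way check in Step 4 and the existence test in Step 5, as an added example that is not ACS code and not part of the original post. The certificate is a constructed stand-in holding only the fields the comparison needs (issuer, Subject CN, UPN from the SAN); no DER parsing or signature verification happens here, the CTL is a set of issuer names, the user database is a set of principal names, and the host/FQDN identity form is the one Windows uses for machine authentication.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


@dataclass(frozen=True)
class ClientCert:
    """Fields the check needs from the client's X.509 certificate (constructed stand-in)."""
    issuer: str                # name of the issuing CA
    subject_cn: str            # Subject Common Name
    upn: Optional[str] = None  # User Principal Name from the Subject Alternative Name, if present


class Verdict(Enum):
    ACCEPT = "Access-Accept"
    UNTRUSTED_ISSUER = "Access-Reject: issuing CA not in CTL"
    NAME_MISMATCH = "Access-Reject: EAP identity does not match the certificate"
    UNKNOWN_USER = "Access-Reject: no such user in the database"


def principal_from_identity(identity):
    """Normalise the EAP Response/Identity value. Windows sends machine identities as
    host/<computer FQDN>; a user sends a UPN (user@domain). Returns (name, is_machine)."""
    ident = identity.strip().lower()
    if ident.startswith("host/"):
        return ident[len("host/"):], True
    return ident, False


def names_in_cert(cert):
    """Names the certificate vouches for, lower-cased for comparison."""
    names = {cert.subject_cn.lower()}
    if cert.upn:
        names.add(cert.upn.lower())
    return names


def check_client_cert(identity, cert, ctl, user_db):
    """Server-side decision after the client certificate arrives."""
    # Step 4: trust the certificate only if its issuing CA is in the server's CTL.
    if cert.issuer not in ctl:
        return Verdict.UNTRUSTED_ISSUER
    name, _is_machine = principal_from_identity(identity)
    # The username the client claimed in EAP must be a name the certificate carries;
    # otherwise a valid certificate for one principal could be used to log in as another.
    if name not in names_in_cert(cert):
        return Verdict.NAME_MISMATCH
    # Step 5: that principal must exist in the database.
    if name not in user_db:
        return Verdict.UNKNOWN_USER
    return Verdict.ACCEPT
```

The order matters: the issuer check comes first so that a certificate from an untrusted CA is rejected before any of its contents are believed, and the name comparison comes before the database lookup so that the only name ever looked up is one the certificate actually vouches for.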



kfarrington Wed, 08/06/2008 - 11:02

OK Guys, I am really sorry to go on here, but I must confess, this has beaten me!!!!!


We are going to run eap-tls with two certificates. A device cert and a user cert and need to authenticate against active directory.

Laptop ---- ap------wlc ------acs ------ad pdc

Laptop boots up and does an eap-tls exchange for the computer certs

At this point does the laptop exchange any information with AD for the computer name certificate, or does it just talk to the ACS?

now, computer cert passes

windows logon screen appears.

At this stage, no user cert exchange has taken place correct?

user logon screen is on the screen

user logs in and enters username/password

now another eap-tls exchange happens ?? correct?

and now the user cert is verified. If the user cert is incorrect, logon fails? Does this username/password or certificate get verified to the AD domain?

I am so lost it's unreal.

Many thx if anyone can further help.


Also, please look at the ppt I have done for the eap-tls exchange stuff, which I am pretty cool with (I think), but not the interaction with AD or third party databases for user authentication.

Also, pls see an MS tech note that is quite helpful, but still lost.

Many thx and kind regards,


