I implemented a wired 802.1x authenticated network. I only use machine (computer) certificates to authenticate the workstations. Automatic Certificate Enrollment is installed in the Windows 2003 domain. I was wondering what will happen after one year. Right then the certificate is not valid anymore. Auth-Fail VLAN or Guest-VLAN is an Internet-Only VLAN on the firewall.
When users power on their computer the next morning, access will be rejected. Is it possible to do an automatic certificate renewal a few days before the validity of the certificate expires?
Your certificate template will have a "renewal period" (for example, 6 weeks). Then, 6 weeks (or whatever the renewal period is) before the certificate is supposed to expire, the workstation will automatically attempt to renew its certificate. As long as the workstation is connected to the domain and has access to the CA at some point during that period, it can update its certificate and hence will not fail authentication.
Hope that helps.
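A workstation-side check for the renewal window described in the answer above, as an added example that is not part of the original thread. It assumes a 6-week (42-day) renewal period, taken from the answer's example figure, and that the 802.1x machine certificate carries the Client Authentication EKU; adjust both to match your template.

```powershell
# Added example: flags machine certificates that are inside the template's
# renewal window or already expired, so stragglers can be found before they
# land in the Auth-Fail VLAN.
$RenewalPeriodDays = 42                    # assumption: 6-week renewal period
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-RenewalStatus {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$RenewalPeriodDays,
        [datetime]$Now = (Get-Date)
    )
    # Renewal window opens RenewalPeriodDays before NotAfter.
    $windowStart = $Certificate.NotAfter.AddDays(-$RenewalPeriodDays)
    if     ($Now -ge $Certificate.NotAfter) { $status = 'Expired' }
    elseif ($Now -ge $windowStart)          { $status = 'InRenewalWindow' }
    else                                    { $status = 'Valid' }

    [pscustomobject]@{
        Subject      = $Certificate.Subject
        Thumbprint   = $Certificate.Thumbprint
        NotAfter     = $Certificate.NotAfter
        WindowStart  = $windowStart
        DaysToExpiry = [math]::Floor(($Certificate.NotAfter - $Now).TotalDays)
        Status       = $status
    }
}

# Machine certificates usable for 802.1x client authentication.
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$clientCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions | Where-Object { $_ -is $ekuType }
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
}

$report = @($clientCerts | ForEach-Object {
    Get-RenewalStatus -Certificate $_ -RenewalPeriodDays $RenewalPeriodDays
})
$report | Sort-Object NotAfter | Format-Table -AutoSize

# After a successful renewal the old certificate may still be in the store,
# so the machine is only at risk when no certificate is outside the window.
if (-not ($report.Status -contains 'Valid')) {
    Write-Warning 'No client-auth certificate outside the renewal window; confirm the CA is reachable, then run: certutil -pulse'
}
```

Run it elevated on the workstation. A machine that stays in `InRenewalWindow` across several domain-connected days is not reaching the CA and will fail authentication once `NotAfter` passes.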