EAP-TLS User Certificate Question

Unanswered Question
Oct 30th, 2008
User Badges:

I've setup a test ACS server and have everything functioning correctly including the WLAN. However, is there anyway for EAP-TLS to use ONLY the machine certificate and not the user certificate? We are not currently setup with per-user certificates. I'm guessing not on this... My primary question then is with User Certificates, how do you handle the following scenerio:

I have many CoW's (computer on wheels) through out the hospital that nurses use for inputting patient information. They all have a simple generic username/password (BADDD!!!!) so with this user it won't be hard to have default_user certificate install on the machines. But what if Doctor X decideds to walk up to one of these CoW's and wants to logout and log back in with his user/password on a machine he's never used before. How do we handle making sure he's able to connect if doesn't already have a cert on this computer? I'm quite mistified by this.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)

If you are using the MS Supplicant, you need the following registry settings:

"HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMode", 2, "REG_DWORD"

"HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode", 3, "REG_DWORD"

This forces it to only use hardware certificates and sets the authentication to do the correct RFC polling.

As for the other issue, MS CA user certs do not "roam". Yet. There is discussion of roaming credentials being in Windows 7, but not entirely what that means. Roaming certificates can be easier with a product like Venafi. There "Encryption Management" tools are certificate management suites. The do have roaming management, or at least did when we talked to them.

Oh, and if you use two CAs (hardware and user), the separation keeps it straight too.

raun.williams Tue, 11/04/2008 - 11:52
User Badges:

Thank you! I've looked at the authmode/supplicantmode in the past but had not tried it in trying to get user authentication working as well. I appreciate your answer on the roaming profiles, clears quite a bit up. I do have a question though. I've noticed with my laptop with the reg hack and machine authentication only, i seem to authenticate alot? Looking at my ACS server logs it can span between a few minutes to 30 minutes. Doesn't seemed to tied to the EAP timeout period either. Any ideas on this? I ask because I noticed at one point I lost my IP and then it reauthenticated.

raun.williams Tue, 11/04/2008 - 12:03
User Badges:

Yeah, I ment to put in my message that I was stationary. So not sure what it is. Trying PEAP-TLS with machine authentication, see what that does.


This Discussion