EAP-TLS machine authentication

Unanswered Question
Dec 30th, 2008

Hi, I want to know if I enable machine authentication using EAP-TLS, do I have to log off or restart the PC, which is the case for PEAP-MSCHAPv2 machine authentication?

Also do I still need integration with AD?

jafrazie Mon, 01/05/2009 - 06:55

If you enable EAP-TLS, you do not have to logoff to start using it. Depending on the service-pack, you might need to restart the service though. As for integration with AD, this is a must.

k.abillama Mon, 01/05/2009 - 07:04

I set it up in the lab and I had to log off the PC to trigger the machine authentication. Is there a way to trigger the machine authentication without having to log off the PC during the initial dot1x setup? (I don't have the problem during subsequent machine authentications because ACS is caching them; I have MAR enabled.)

I have a picky customer who has around 1000 users and doesn't want to log off all machines during the initial setup! Is there a way? What is the best practice?

k.abillama Mon, 01/05/2009 - 07:17

Ok, thanks a lot for your help. I already went through this document before; it helps if we need to perform only machine authentication, but still we need to log off machines to trigger the machine authentication.

Just one more question: if we restart the netlogon service without logging off the PC, can this help?

jafrazie Mon, 01/05/2009 - 07:20

Not sure if that can help. But if you change registry settings, etc. then you'll need to restart the WZCSVC anyway (or reboot the machine). Either way, I don't see a way around this without actually logging out. You can deploy it via GPO though, right?
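As an added illustration of the two points in this reply (the machine needs a usable machine certificate for EAP-TLS, and the supplicant service has to be restarted after configuration changes if you do not log off or reboot), here is a small PowerShell helper. It is not from the original thread or from Cisco; it assumes PowerShell is available on the client and is run elevated, that the service name is WZCSVC on Windows XP (WlanSvc for wireless or dot3svc for wired on later Windows releases), and that the Client Authentication EKU OID 1.3.6.1.5.5.7.3.2 is what the RADIUS server expects on the machine certificate.

```powershell
# Added example (not from the original thread): check the prerequisites for
# EAP-TLS machine authentication on a client and restart the supplicant
# service so it re-reads GPO- or registry-delivered 802.1X settings.
# Assumptions: run elevated; $ServiceName is WZCSVC on Windows XP, WlanSvc or
# dot3svc on later releases; 1.3.6.1.5.5.7.3.2 is the Client Authentication EKU.

param(
    [string]$ServiceName = 'WZCSVC'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'

# Returns $true when the certificate carries the Client Authentication EKU.
function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $clientAuthOid) { return $true }
            }
        }
    }
    return $false
}

# 1. Machine certificate: must be in the LocalMachine\My store (not the user's
#    store), currently valid, have a private key and carry the client-auth EKU.
$now = Get-Date
$machineCerts = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    (Test-ClientAuthEku $_)
})

if ($machineCerts.Count -eq 0) {
    Write-Warning 'No valid machine certificate with the Client Authentication EKU in LocalMachine\My; EAP-TLS machine authentication cannot succeed.'
} else {
    foreach ($cert in $machineCerts) {
        Write-Host ('Machine cert: {0} (expires {1})' -f $cert.Subject, $cert.NotAfter)
    }
}

# 2. Restart the supplicant service instead of rebooting or logging off, so the
#    new 802.1X configuration is picked up. Watch the ACS/RADIUS logs afterwards
#    for the machine's authentication attempt.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "Service $ServiceName not found on this host; check the service name for this Windows version."
} else {
    Restart-Service -Name $ServiceName -Force
    Write-Host "$ServiceName restarted."
}
```

Running this on a few pilot machines before the GPO rollout shows whether the certificate side is in order; the thread's conclusion that the initial machine authentication itself still needs a logoff or reboot is unchanged by it.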

k.abillama Mon, 01/05/2009 - 07:26

Yup I can deploy it via GPO, but still a logoff will be required :)

I think the customer is over demanding in this particular case, she should accept an initial logoff, right?

jafrazie Mon, 01/05/2009 - 07:29

At the end of the day, you're telling the machine how to authenticate: machine-auth only, machine-auth plus user-auth, user-auth only, etc. If any of the configurations involve machine-auth, and you're logged in as a user when you make the configuration change, then if the customer has an issue with this, they'd have an issue with how MSFT handles this type of situation in general.
