EAP-TLS machine authentication

k.abillama
Level 1

Hi, I want to know if I enable machine authentication using EAP-TLS, do I have to log off or restart the PC, which is the case for PEAP-MSCHAPv2 machine authentication?

Also do I still need integration with AD?

8 Replies

jafrazie
Cisco Employee

If you enable EAP-TLS, you do not have to logoff to start using it. Depending on the service-pack, you might need to restart the service though. As for integration with AD, this is a must.

Hello,

I set it up in the lab and I had to log off the PC to trigger the machine authentication. Is there a way to trigger the machine authentication without having to log off the PC during the initial dot1x setup? (I don't have the problem during subsequent machine authentications because ACS is caching them; I have MAR enabled.)

I have a picky customer who has around 1000 users and doesn't want to log off all machines during the initial setup! Is there a way? What is the best practice?

For it to "trigger" yes, you have to logoff, since by default it only executes when there's no user logged into the machine.

Else, disable user-authentication entirely. Look here:

http://www.microsoft.com/technet/network/wifi/wififaq.mspx

And look for info on the "AuthMode" registry value.

Ok, thanks a lot for your help. I already went through this document before; it helps if we need to perform only machine authentication, but we still need to log off machines to trigger the machine authentication.

Just one more question, if we restart the netlogon service without logging off the pc can this help?

Not sure if that can help. But if you change registry settings, etc. then you'll need to restart the WZCSVC anyway (or reboot the machine). Either way, I don't see a way around this without actually logging out. You can deploy it via GPO though, right?

Yup I can deploy it via GPO, but still a logoff will be required :)

I think the customer is over demanding in this particular case, she should accept an initial logoff, right?

At the end of the day, you're telling the machine how to authenticate. machine-auth only, machine-auth plus user-auth, user-auth only, etc. If any of the configurations involve machine-auth, and you're logged in as a user when you make the configuration change, then if the customer has issue with this, they'd have issue with how MSFT handles this type of situation in general.

Yup, you're right!

Thanks a lot for your help
