12-30-2008 07:56 AM - edited 03-10-2019 04:15 PM
Hi, I want to know: if I enable machine authentication using EAP-TLS, do I have to log off or restart the PC, which is the case for PEAP-MSCHAPv2 machine authentication?
Also, do I still need integration with AD?
01-05-2009 06:55 AM
If you enable EAP-TLS, you do not have to log off to start using it. Depending on the service pack, you might need to restart the service, though. As for integration with AD, this is a must.
01-05-2009 07:04 AM
Hello,
I set it up in the lab and I had to log off the PC to trigger the machine authentication. Is there a way to trigger the machine authentication without having to log off the PC during the initial dot1x setup? (I don't have the problem during subsequent machine authentications because ACS is caching them; I have MAR enabled.)
I have a picky customer who has around 1000 users and doesn't want to log off all machines during the initial setup! Is there a way? What is the best practice?
01-05-2009 07:10 AM
For it to "trigger", yes, you have to log off, since by default it only executes when there's no user logged into the machine.
Otherwise, disable user authentication entirely. Look here:
http://www.microsoft.com/technet/network/wifi/wififaq.mspx
And look for info on the "AuthMode" registry value.
01-05-2009 07:17 AM
OK, thanks a lot for your help. I already went through this document before; it helps if we need to perform only machine authentication, but we still need to log off machines to trigger the machine authentication.
Just one more question: if we restart the Netlogon service without logging off the PC, can this help?
01-05-2009 07:20 AM
Not sure if that can help. But if you change registry settings, etc., then you'll need to restart WZCSVC anyway (or reboot the machine). Either way, I don't see a way around this without actually logging out. You can deploy it via GPO though, right?
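The two steps discussed above (setting the EAPOL "AuthMode" registry value from the linked Microsoft Wi-Fi FAQ, then restarting WZCSVC so the supplicant re-reads it) as one script. This is an added example, not code from the thread or from Microsoft. It assumes a Windows XP host with PowerShell installed and an elevated session; the registry path and the value 2 (computer authentication only) are taken from the FAQ, the service name WZCSVC is the XP Wireless Zero Configuration service, and the function names are the example's own. Whether a logoff is still needed afterwards is as discussed in the thread; the script only changes the mode and bounces the service.

```powershell
# Added example (not from the thread): switch the XP 802.1X supplicant to
# computer-only authentication via the EAPOL AuthMode registry value, then
# restart Wireless Zero Configuration (WZCSVC) so the change takes effect.
# Assumptions: Windows XP, elevated PowerShell, registry path and value 2
# per the Microsoft Wi-Fi FAQ linked above. Vista and later use other
# service names (WlanSvc / dot3svc), so Restart-Supplicant throws there.

$KeyPath      = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'
$ValueName    = 'AuthMode'
$ComputerOnly = 2          # 2 = computer authentication only, no user auth
$ServiceName  = 'WZCSVC'   # Windows XP Wireless Zero Configuration

function Get-EapolAuthMode {
    # Returns the current AuthMode, or $null when the value is absent
    # (absent means Windows uses its default of 0: machine then user auth).
    if (-not (Test-Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-EapolAuthMode {
    param([Parameter(Mandatory = $true)][int]$Mode)
    # Create the key if a fresh machine does not have it yet, then write a DWORD.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Mode `
        -PropertyType DWord -Force | Out-Null
}

function Restart-Supplicant {
    # The supplicant only reads AuthMode at start, so restart it (or reboot).
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($null -eq $svc) { throw "Service $ServiceName not found (not a Windows XP host?)" }
    Restart-Service -Name $ServiceName -Force
    (Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}

$before = Get-EapolAuthMode
$shown  = if ($null -eq $before) { '(not set, default 0)' } else { $before }
Write-Host "AuthMode before: $shown"

Set-EapolAuthMode -Mode $ComputerOnly
Restart-Supplicant

$after = Get-EapolAuthMode
if ($after -ne $ComputerOnly) { throw "AuthMode is '$after', expected $ComputerOnly" }
Write-Host "AuthMode now $after; $ServiceName restarted."
```

For a GPO startup script on XP without PowerShell, the same two steps are `reg add "HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global" /v AuthMode /t REG_DWORD /d 2 /f` followed by `net stop wzcsvc` and `net start wzcsvc`. Note that value 2 disables user authentication on the wireless adapter entirely, so it is only appropriate where the customer wants machine-only 802.1X, as the FAQ describes.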
01-05-2009 07:26 AM
Yup, I can deploy it via GPO, but a logoff will still be required :)
I think the customer is over-demanding in this particular case; she should accept an initial logoff, right?
01-05-2009 07:29 AM
At the end of the day, you're telling the machine how to authenticate: machine-auth only, machine-auth plus user-auth, user-auth only, etc. If any of the configurations involve machine-auth, and you're logged in as a user when you make the configuration change, then if the customer has an issue with this, they'd have an issue with how MSFT handles this type of situation in general.
01-05-2009 07:31 AM
Yup, you're right!
Thanks a lot for your help.