11-20-2009 07:07 AM - edited 07-03-2021 06:16 PM
Hi,
I'm having problems getting EAP-TLS to work when a client machine needs to connect to a WLAN. I can make each user get a user cert from my CA, and if I use an admin account I can get Windows to put these certs into the machine store, but when it comes to a login attempt my RADIUS failure messages look like host/axelfoley001 instead of host/MACHINE001xp, which is how the login looks on RADIUS when using EAP/PEAP.
Clients are WinXPSP3, and I'm using CiscoACS 4.1, MS Certificate Services CA.
When a user gets its own cert it can log into the WLAN fine after already logging onto the machine, but I can't seem to figure out how to pass the machine name with the cert on machine login (pre-auth).
Do I need to alter some setting in the cert to pass a different user/machine name, or do I need to get a different kind of cert from the CA?
Any help will be gratefully received.
Thanks,
11-21-2009 07:38 PM
It sounds like your supplicant isn't configured to use machine credentials. In WZC there is a checkbox for "user machine credentials if available".... Perhaps that isn't enabled?
Or perhaps you don't have a machine cert on the computer. You mentioned a "user cert", but I think if you want machine credentials, don't you need a certificate for the machine itself? I could be wrong on this though.
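One way to confirm the second point (whether the computer actually holds a certificate it can present as machine credentials) is to inspect the Local Computer personal store. The script below is an added diagnostic, not code from the thread or from Cisco; it assumes a Windows host with PowerShell (an XP-era client would use the Certificates MMC snap-in for the Computer account instead) and that forward DNS resolves the computer name. It lists certificates that have a private key, are within their validity period, carry the Client Authentication EKU, and reports whether the subject or SAN names the machine's own FQDN, which is what a supplicant needs to send a host/MACHINE identity rather than a user identity.

```powershell
# Added diagnostic (not from the thread): which certificates in the machine
# store could a supplicant use for EAP-TLS machine authentication?

# Assumption: the host's FQDN is what the CA put in the machine certificate.
$computerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Client Authentication EKU OID, the usage a RADIUS server checks on EAP-TLS client certs.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    (@($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $clientAuthOid)
}

if (-not $candidates) {
    Write-Warning "No valid client-auth certificate with a private key in Cert:\LocalMachine\My. A user certificate in the user store will not be offered as machine credentials; request a Computer certificate from the CA."
}

foreach ($cert in $candidates) {
    # DnsNameList is PowerShell's view of the subjectAltName dNSName entries.
    $dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $nameMatchesHost = ($dnsNames -contains $computerFqdn) -or
                       ($cert.Subject -like "CN=$computerFqdn*")

    [pscustomobject]@{
        Thumbprint      = $cert.Thumbprint
        Subject         = $cert.Subject
        SanDnsNames     = ($dnsNames -join ', ')
        NotAfter        = $cert.NotAfter
        NameMatchesHost = $nameMatchesHost
    }
}
```

Run it in an elevated PowerShell session. A certificate whose Subject or SAN names a user (for example a UPN) rather than the computer will show NameMatchesHost as False; that is the case the RADIUS log in the question points to, where the identity logged is a user name rather than the expected host/MACHINE name.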
11-20-2009 11:32 AM
Are you trying to do machine only authentication? If you are using Wireless Zero Config, then have you configured the client for machine only auth?
12-04-2009 06:20 AM
It was an issue with the machine certificate. I've not actually had it working yet, but I'm sure a proper machine cert from the CA is what it needs.
Thanks for the responses.