I'm used to using EAP-PEAP for wireless authentication, but now have a need to look at EAP-TLS (customer request).
I'm comfortable with certificates, but I'm trying to understand the standard login process for a Windows device. Is it standard practice to use machine authentication with EAP-TLS - for example the machine name = CN (Common Name) attribute in the client certificate? I'm thinking maybe the process is as follows:
- Machine powers on...
- In the background, EAP-TLS is used to authenticate the computer (machine authentication) to AD. This is done using the computer name (in the certificate using the CN attribute) and verifying against AD.
- At this point, the machine is authenticated and connected to the wireless network (has IP connectivity).
- The user now enters his/her username/password in the Windows login box and authenticates directly to the AD domain - exactly the same as if they had a wired connection.
Is the above understanding correct? I'm trying to get my head around the user being authenticated without a password - which is the basis for EAP-TLS as I understand. Any common deployment strategies or advice will be highly appreciated :-)
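The step the question circles around is how a RADIUS server turns a presented machine certificate into "this is computer WS01, which exists in AD". The following Go program is an added illustration, not code from the original post or from any RADIUS product: it builds a throwaway self-signed machine certificate, extracts the host identity from it (DNS SAN first, Subject CN as a fallback), requires the Client Authentication EKU, and then checks that identity against a constructed map standing in for the computer objects' dNSHostName attributes. The hostnames, the directory contents, and the policy of matching SAN/CN to a computer account are all assumptions for the example; chain building, revocation checking, and the actual TLS handshake are deliberately left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed stand-in for a lookup against AD computer objects (dNSHostName),
// keyed by lower-case FQDN. Hypothetical data, not taken from any real directory.
var computerAccounts = map[string]bool{
	"ws01.corp.example.com": true,
	"ws02.corp.example.com": true,
}

// MakeCert builds a self-signed certificate for the example. Real machine
// certificates are issued by the enterprise CA via autoenrollment; this only
// gives us a parsed *x509.Certificate to run the checks against.
func MakeCert(cn string, dnsSANs []string, clientAuth bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsSANs,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if clientAuth {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MachineIdentity returns the FQDN a machine certificate asserts. It insists on
// the Client Authentication EKU and prefers the DNS SAN over the Subject CN,
// because the CN is a free-form string while the SAN is the field validators
// are expected to match on.
func MachineIdentity(cert *x509.Certificate) (string, error) {
	hasClientAuth := false
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageClientAuth {
			hasClientAuth = true
		}
	}
	if !hasClientAuth {
		return "", errors.New("certificate lacks Client Authentication EKU")
	}
	if len(cert.DNSNames) > 0 {
		return strings.ToLower(cert.DNSNames[0]), nil
	}
	if cert.Subject.CommonName != "" {
		return strings.ToLower(cert.Subject.CommonName), nil
	}
	return "", errors.New("certificate carries no host identity")
}

// AuthorizeMachine is the policy step: the asserted identity must correspond to
// an existing computer account. A valid chain to the enterprise CA and a clean
// revocation check are assumed to have been verified before this point.
func AuthorizeMachine(cert *x509.Certificate, directory map[string]bool) (string, bool) {
	fqdn, err := MachineIdentity(cert)
	if err != nil {
		return "", false
	}
	return fqdn, directory[fqdn]
}

func main() {
	// Three constructed cases: a known machine, an unknown machine, and a
	// certificate that was never issued for client authentication.
	cases := []struct {
		cn         string
		sans       []string
		clientAuth bool
	}{
		{"WS01.corp.example.com", []string{"WS01.corp.example.com"}, true},
		{"WS99.corp.example.com", nil, true},
		{"WS01.corp.example.com", nil, false},
	}
	for _, c := range cases {
		cert, err := MakeCert(c.cn, c.sans, c.clientAuth)
		if err != nil {
			panic(err)
		}
		fqdn, ok := AuthorizeMachine(cert, computerAccounts)
		fmt.Printf("CN=%s clientAuth=%v -> identity=%q authorized=%v\n", c.cn, c.clientAuth, fqdn, ok)
	}
}
```

The point for the deployment question: the password-less part of EAP-TLS is confined to the machine (or user) certificate proving possession of its private key to the RADIUS server, and the server still has to map that certificate to a directory object and apply policy before granting network access; the interactive Windows logon afterwards is a separate Kerberos exchange with the domain controller.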