EAP-TLS login process.

Dec 6th, 2011

Hi all.

I'm used to using EAP-PEAP for wireless authentication, but now have a need to look at EAP-TLS (customer request).

I'm comfortable with certificates, but I'm trying to understand the standard login process for a Windows device. Is it standard practice to use machine authentication with EAP-TLS - for example the machine name = CN (Common Name) attribute in the client certificate? I’m thinking, maybe the process is as follows:

  • Machine powers on...
  • In the background, EAP-TLS is used to authenticate the computer (machine authentication) to AD. This is done using the computer name (in the certificate using the CN attribute) and verifying against AD.
  • At this point, the machine is authenticated and connected to the wireless network (has IP connectivity).
  • The user now enters his/her username/password in the Windows login box and authenticates directly to the AD domain - exactly the same as if they had a wired connection.

Is the above understanding correct? I'm trying to get my head around the user being authenticated without a password - which is the basis for EAP-TLS as I understand. Any common deployment strategies or advice will be highly appreciated :-)

Thanks

Dazzler

Amjad Abdullah Sun, 08/26/2012 - 23:47

Hi Dazzler,

If you want to use machine authentication you are not limited to EAP-TLS. PEAP also supports machine authentication (PEAP-MSCHAPv2 and PEAP-TLS).

Note that machine authentication is not the same as EAP-TLS. With machine authentication you just try to find if the machine is a member of the domain or not. This is not necessarily utilizing any certificates for either the user or the machine.

Check this: http://tiny.cc/g3sojw

This discussion can also be useful:

https://supportforums.cisco.com/thread/2053236

HTH

Amjad

You want to say "Thank you"?
Don't. Just rate the useful answers,
that is more useful than "Thank you".
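
The directory check described in the question's second bullet, as an added Python example that is not part of the thread and not any vendor's implementation. It models how an authentication server could map the identity in a machine certificate (CN or SAN DNS name) to an AD computer account; the `DIRECTORY` contents, the `corp.example.com` domain, the function names and the SAN-before-CN preference are all assumptions made for illustration.

```python
# Added illustration: a model of the certificate-identity-to-computer-account
# lookup for EAP-TLS machine authentication. All data below is constructed.

# Constructed stand-in for AD computer objects: sAMAccountName -> attributes.
DIRECTORY = {
    "PC01$": {"dns": "pc01.corp.example.com", "enabled": True},
    "PC02$": {"dns": "pc02.corp.example.com", "enabled": False},
}

def machine_account_from_identity(identity, domain="corp.example.com"):
    """Map a certificate CN / SAN DNS name to a computer sAMAccountName.

    Accepts 'host/pc01.corp.example.com', 'pc01.corp.example.com' or 'pc01'.
    Returns None for user-style identities (UPN) or names in another domain.
    """
    name = identity.strip().lower()
    if "@" in name:                  # user@domain is a user identity, not a machine
        return None
    if name.startswith("host/"):     # form a Windows supplicant sends for machine auth
        name = name[len("host/"):]
    host, _, suffix = name.partition(".")
    if not host or (suffix and suffix != domain.lower()):
        return None
    return host.upper() + "$"        # computer accounts end in '$'

def authorize_machine(cert_cn, san_dns_names=()):
    """Return (decision, reason). Assumes TLS already validated the cert chain."""
    # Assumption: SAN DNS names are tried first, then the subject CN.
    for candidate in list(san_dns_names) + [cert_cn]:
        account = machine_account_from_identity(candidate)
        if account is None:
            continue
        entry = DIRECTORY.get(account)
        if entry is None:
            return ("reject", f"{account} not found in directory")
        if not entry["enabled"]:
            return ("reject", f"{account} is disabled")
        return ("accept", f"{account} matched")
    return ("reject", "no usable machine identity in certificate")
```

A certificate whose only identity is a UPN such as `user@corp.example.com` is rejected here as a machine credential, which is the distinction between user and machine authentication raised in the reply above.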

Posted December 6, 2011 at 3:55 PM