Community Member

EAP-TLS machine authentication

Hi, I want to know if I enable machine authentication using EAP-TLS, do I have to log off or restart the PC, which is the case for PEAP-MSCHAPv2 machine authentication?

Also, do I still need integration with AD?

8 REPLIES
Cisco Employee

Re: EAP-TLS machine authentication

If you enable EAP-TLS, you do not have to log off to start using it. Depending on the service pack, you might need to restart the service though. As for integration with AD, this is a must.

Community Member

Re: EAP-TLS machine authentication

Hello,

I set it up in the lab and I had to log off the PC to trigger the machine authentication. Is there a way to trigger the machine authentication without having to log off the PC during the initial dot1x setup? (I don't have the problem during subsequent machine authentications because ACS is caching them; I have MAR enabled.)

I have a picky customer who has around 1000 users and doesn't want to log off all machines during the initial setup! Is there a way? What is the best practice?

Cisco Employee

Re: EAP-TLS machine authentication

For it to "trigger", yes, you have to log off, since by default it only executes when there's no user logged into the machine.

Else, disable user-authentication entirely. Look here:

http://www.microsoft.com/technet/network/wifi/wififaq.mspx

And look for info on the "AuthMode" registry value.
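As an added illustration (not part of the thread or the linked FAQ), the following PowerShell script audits the AuthMode value the reply points to and, only with -Apply, sets it and restarts the Wireless Zero Configuration service as the thread says is needed. The key path and the meanings given for modes 0 and 2 are assumed from memory of the Microsoft documentation; confirm them against the linked FAQ, and verify PowerShell is installed on the target XP machines.

```powershell
# Added example: report, and optionally set, the WZCSVC AuthMode registry value.
# Assumed key path and value meanings; verify against the Microsoft Wi-Fi FAQ.
param(
    [ValidateSet(0, 1, 2)][int]$DesiredMode = 2,   # 2 = machine authentication only
    [switch]$Apply                                  # without -Apply the script only reports
)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'
$ValueName = 'AuthMode'
$Meaning   = @{
    0 = 'machine authentication, then user authentication after logon (default)'
    1 = 'machine authentication with user authentication (see the Microsoft FAQ)'
    2 = 'machine authentication only; user authentication never attempted'
}

function Get-AuthMode {
    # Returns $null if the EAPOL key is missing, otherwise the effective mode.
    if (-not (Test-Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }   # value absent: Windows uses the default, 0
    return [int]$item.$ValueName
}

$current = Get-AuthMode
if ($null -eq $current) {
    Write-Output 'EAPOL key not present; is Wireless Zero Configuration installed?'
    exit 1
}
Write-Output ('Current AuthMode = {0} ({1})' -f $current, $Meaning[$current])

if ($Apply -and $current -ne $DesiredMode) {
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $DesiredMode -Type DWord
    Write-Output ('AuthMode set to {0}; restarting WZCSVC so the supplicant re-reads it' -f $DesiredMode)
    # As noted in the thread, the service (or the machine) must restart for the change to apply.
    Restart-Service -Name WZCSVC -Force
}
```

For a fleet the same value can be pushed through Group Policy (as the thread goes on to discuss); run the script without -Apply afterwards to confirm what each machine actually has.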

Community Member

Re: EAP-TLS machine authentication

OK, thanks a lot for your help. I already went through this document before; it helps if we need to perform only machine authentication, but we still need to log off machines to trigger the machine authentication.

Just one more question: if we restart the Netlogon service without logging off the PC, can this help?

Cisco Employee

Re: EAP-TLS machine authentication

Not sure if that can help. But if you change registry settings, etc., then you'll need to restart the WZCSVC anyway (or reboot the machine). Either way, I don't see a way around this without actually logging out. You can deploy it via GPO though, right?

Community Member

Re: EAP-TLS machine authentication

Yup, I can deploy it via GPO, but a logoff will still be required :)

I think the customer is over-demanding in this particular case; she should accept an initial logoff, right?

Cisco Employee

Re: EAP-TLS machine authentication

At the end of the day, you're telling the machine how to authenticate: machine-auth only, machine-auth plus user-auth, user-auth only, etc. If any of the configurations involve machine-auth, and you're logged in as a user when you make the configuration change, then if the customer has an issue with this, they'd have an issue with how MSFT handles this type of situation in general.

Community Member

Re: EAP-TLS machine authentication

Yup, you're right!

Thanks a lot for your help.
