Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

EAP-TLS User Certificate Question

I've setup a test ACS server and have everything functioning correctly including the WLAN. However, is there anyway for EAP-TLS to use ONLY the machine certificate and not the user certificate? We are not currently setup with per-user certificates. I'm guessing not on this... My primary question then is with User Certificates, how do you handle the following scenerio:

I have many CoW's (computer on wheels) through out the hospital that nurses use for inputting patient information. They all have a simple generic username/password (BADDD!!!!) so with this user it won't be hard to have default_user certificate install on the machines. But what if Doctor X decideds to walk up to one of these CoW's and wants to logout and log back in with his user/password on a machine he's never used before. How do we handle making sure he's able to connect if doesn't already have a cert on this computer? I'm quite mistified by this.



New Member

Re: EAP-TLS User Certificate Question

If you are using the MS Supplicant, you need the following registry settings:

"HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMode", 2, "REG_DWORD"

"HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode", 3, "REG_DWORD"

This forces it to only use hardware certificates and sets the authentication to do the correct RFC polling.

As for the other issue, MS CA user certs do not "roam". Yet. There is discussion of roaming credentials being in Windows 7, but not entirely what that means. Roaming certificates can be easier with a product like Venafi. There "Encryption Management" tools are certificate management suites. The do have roaming management, or at least did when we talked to them.

Oh, and if you use two CAs (hardware and user), the separation keeps it straight too.

New Member

Re: EAP-TLS User Certificate Question

Thank you! I've looked at the authmode/supplicantmode in the past but had not tried it in trying to get user authentication working as well. I appreciate your answer on the roaming profiles, clears quite a bit up. I do have a question though. I've noticed with my laptop with the reg hack and machine authentication only, i seem to authenticate alot? Looking at my ACS server logs it can span between a few minutes to 30 minutes. Doesn't seemed to tied to the EAP timeout period either. Any ideas on this? I ask because I noticed at one point I lost my IP and then it reauthenticated.

New Member

Re: EAP-TLS User Certificate Question

I would guess that you are crossing from access point to access point. We do wired, so do not see this ;)

New Member

Re: EAP-TLS User Certificate Question

Yeah, I ment to put in my message that I was stationary. So not sure what it is. Trying PEAP-TLS with machine authentication, see what that does.