Cisco Support Community
Community Member

EAP-TLS login process.

Hi all.

I'm used to using EAP-PEAP for wireless authentication, but now have a need to look at EAP-TLS (customer request).

I'm comfortable with certificates, but I'm trying to understand the standard login process for a Windows device. Is it standard practice to use the machine authentication using EAP-TLS - for example the machine name = CN (Common Name) attribute in the client certificate? I’m thinking, maybe the process is as follows:

  • Machine powers on...
  • In the background, EAP-TLS is used to authenticate the computer (machine authentication) to AD. This is done using the computer name (in the certificate using the CN attribute) and verifying against AD.
  • At this point, the machine is authenticated and connected to the wireless network (has IP connectivity).
  • The user now enters his/her username/password in the Windows login box and authenticates directly to the AD domain - exactly the same as if they had a wired connection.

Is the above understanding correct? I'm trying to get my head around the user being authenticated without a password - which is the basis for EAP-TLS as I understand. Any common deployment strategies or advice will be highly appreciated :-)



Cisco Employee

EAP-TLS login process.

Hi Dazzler,

If you want to use machine authentication you are not limited to EAP-TLS. PEAP also supports machine authentication (PEAP-MSCHAPv2 and PEAP-TLS).

Note that machine authentication is not the same as EAP-TLS. With machine authentication you just try to find if the machine is a member of the domain or not. This is not necessarily utilizing any certificates for either the user or the machine.

Check this:

This discussion can also be useful:



You want to say "Thank you"?
Don't. Just rate the useful answers,
that is more useful than "Thank you".

Rating useful replies is more useful than saying "Thank you"