EAP-TLS Machine Authentication/Certificate

Hi,

I'm having problems getting EAP-TLS to work when a client machine needs to connect to a WLAN. I can make each user get a user cert from my CA and if I use an admin account I can get Windows to put these certs into the machine store, but when it comes to a login attempt my RADIUS failure messages look like host/axelfoley001 instead of host/MACHINE001xp, which is how the login looks on RADIUS when using EAP/PEAP.

Clients are WinXPSP3, and I'm using CiscoACS 4.1, MS Certificate Services CA.

When a user gets its own cert it can log into the WLAN fine after already logging onto the machine, but I can't seem to figure out how to pass the machine name with the cert on machine login (pre-auth).

Do I need to alter some setting in the cert to pass a different user/machine name or do I need to get a different kind of cert from the CA?

Any help will be gratefully received.

Thanks,

Accepted Solutions

Re: EAP-TLS Machine Authentication/Certificate

It sounds like your supplicant isn't configured to use machine credentials. In WZC there is a checkbox for "user machine credentials if available".... Perhaps that isn't enabled?

Or perhaps you don't have a machine cert on the computer.  You mentioned a "user cert", but I think if you want machine credentials, don't you need a certificate for the machine itself? I could be wrong on this though.

3 REPLIES

Re: EAP-TLS Machine Authentication/Certificate

Are you trying to do machine only authentication?  If you are using Wireless Zero Config, then have you configured the client for machine only auth?

http://support.microsoft.com/kb/929847

Re: EAP-TLS Machine Authentication/Certificate

It was an issue with the machine certificate. I've not actually had it working yet, but I'm sure a proper machine cert from the CA is what it needs.

Thanks for the responses.
