Multiple Client Authentication Certificates

  • Question

  • We recently migrated over to AD from eDirectory. We had 802.1x set up with a manually created certificate which was required to be in the local computer Personal certificates folder. We have now begun trying out DirectAccess and have noticed that with Windows 7 a Client Authentication certificate (same as 802.1x) is required. We can't get both certificates to work at the same time. We plan to change over our 802.1x in the future.... Is there anything we can do to have clients connect with DirectAccess in the meanwhile?
    Wednesday, June 17, 2015 7:43 PM

Answers

  • Yes... 

    We just created two different certificate templates, but they are trusted by the same authorities.

    Maybe because you are using two certificates for Client Authentication, your Windows is trying the DirectAccess certificate, which is not trusted for your 802.1x, and then reports a failure without trying the second certificate.

    Gerald

    • Marked as answer by Techwww Tuesday, June 23, 2015 7:43 PM
    Tuesday, June 23, 2015 8:04 AM
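    The selection problem Gerald describes is easier to confirm if you can see every certificate the client could offer. The following PowerShell is an added diagnostic, not something from this thread or from Microsoft; it assumes the certificates live in the machine Personal store and that the 802.1x certificate was imported from a PKCS#12 file (so it carries no AD CS template extension).

```powershell
# Added diagnostic (not from the thread): list every certificate in the
# machine Personal store that carries the Client Authentication EKU, i.e.
# every certificate EAP-TLS (802.1x) and DirectAccess could choose between.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$templateOids  = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'  # AD CS template extensions

$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
    }

foreach ($c in $certs) {
    # Template info exists only for certificates enrolled from an AD CS template;
    # a certificate created manually with OpenSSL and imported as PKCS#12 has none.
    $tmpl = ($c.Extensions |
             Where-Object { $_.Oid.Value -in $templateOids } |
             ForEach-Object { $_.Format($false) }) -join '; '

    # Build the chain so you can tell whether this machine trusts the issuer.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($c)

    [pscustomobject]@{
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        NotAfter   = $c.NotAfter
        Template   = if ($tmpl) { $tmpl } else { '(none - manually created)' }
        ChainBuilt = $chainOk
        Thumbprint = $c.Thumbprint
    }
}

if (@($certs).Count -gt 1) {
    Write-Warning ('{0} client-authentication certificates found; EAP-TLS and ' +
                   'DirectAccess may each pick a different one. Compare the issuers ' +
                   'above with the CAs your 802.1x EAP profile trusts.') -f @($certs).Count
}
```

    Two rows in the output with different issuers is the situation described in this thread: the 802.1x EAP profile only accepts one of them, and a failed attempt with the other shows up as event 8002 on the client.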

All replies

  • I am not able to follow you; can you please be more specific about what your question is.
    Monday, June 22, 2015 9:35 AM
  • Hi,

    Are you talking about 802.1x to authenticate your computer on your network like with Cisco NAC?
    I have a working DirectAccess laptop with both certificates (One for NAC and one for DA) so it works.

    Gerald 

    Monday, June 22, 2015 2:01 PM
  • Hi,

    We aren't running a Cisco NAC, but essentially the same setup. Was there anything special you had to do to get that setup to work? Whenever we "request" a certificate for DA our wireless will no longer authenticate 802.1x until we delete that certificate and reboot. The original certificate was created manually using openssl PKCS12.


    Monday, June 22, 2015 3:30 PM
  • Clients get a "failure reason:Explicit Eap failure recieved" event ID 8002... Sorry, should have put that in the previous post.
    Monday, June 22, 2015 3:36 PM
  • We're using a different setup, but basically this is a 2-tier PKI with an offline Root CA (not from Microsoft) and a Sub-CA (Microsoft) which provides both the NAC and DirectAccess certificates for the laptops.

    Debugging certificates is sometimes really difficult, and I had some troubles also ;-)

    Have you tried this hotfix? https://support.microsoft.com/en-us/kb/2494172

    Gerald

    Monday, June 22, 2015 7:22 PM
  • Just tried it with no success. So both of your certificates are coming from the same CA then?

    Monday, June 22, 2015 8:41 PM
  • Hi

    Yeah, I am thinking that's what the issue is... We'll have to wait until we change our 802.1x.

    Thanks for all the help

    Tuesday, June 23, 2015 7:43 PM