Type of certificate for EAP-TLS certificate based authentication RRS feed

  • Question

  • We would like to set up both domain computers and non-domain computers to access our wireless LAN without the need for the user to enter their domain login credentials and remember to update the wireless settings every time they change their domain password.

    We now use PEAP CHAPv2 and it works OK for domain computers, but it is a hassle for non-domain laptops when passwords expire, so we want to change it to EAP-TLS and import authentication certificates onto the non-domain devices.

    Are you supposed to use a certificate from your internal domain CA or should you use a third party commercial certificate such as Verisign or GoDaddy etc.?
    I thought I read somewhere that you are supposed to use an internal Enterprise CA, but if you did that, wouldn't the non-domain devices give warnings and errors about using a certificate from an untrusted Root CA?  Only the domain PCs could trust an internally generated certificate by default.

    How are the certificates named?  Are they named to match the DNS host name of the Radius server (such as "RadiusServer2.domain.local") the way you name a SSL cert for a web server or are the certificates named a friendly name such as "Office Wireless Cert?" 

    Friday, March 7, 2014 6:04 AM


All replies

  • Hi,

    Based on my research, with EAP-TLS, the client certificate should be issued by an enterprise CA or it maps to a user account or to a computer account in the AD DS.

    In addition, it seems that enterprise CA can used for non-domain computers. For non-domain member computers, you need to manually import or obtain the certificate by using the Web enrollment tool.

    For more detailed information, please refer to the links below:

    Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS

    EAP-TLS-based Authenticated Wireless Access Design

    Certificate Templates and Requirements

    Best regards,


    • Proposed as answer by Susie Long Tuesday, March 18, 2014 5:52 AM
    • Marked as answer by Susie Long Friday, March 21, 2014 6:38 AM
    Tuesday, March 11, 2014 3:22 AM
  • So, it looks like the client certificate has to come from your Enterprise CA, but the server certificate could be either your Enterprise CA or a third party CA.  However, it looks like if your choose to use your own Enterprise CA for the server certificate non-domain computers and devices would pop up a warning about it since it would not trust your Enterprise CA as a trusted root authority.

    So, if you want the installation to go smoothly on non-domain devices, you should use one of the common third party root CAs that are trusted by default for your Radius server's CA?

    The link says:

    • The name in the Subject line of the server certificate matches the name that is configured on the client for the connection.
    • For wireless clients, the Subject Alternative Name (SubjectAltName) extension contains the server's fully qualified domain name (FQDN).

    What is the difference between the Subject line name and the Subject Alternative Name?

    Are they both the same as the host name of the server?

    Tuesday, March 11, 2014 4:07 AM
  • Hi,

    Based on my research, Subject Alternative Names are a X509 Version 3 (RFC 2459) extension to allow an SSL certificate to specify multiple names that the certificate should match. SubjectAltName can contain email addresses, IP addresses, regular DNS host names, etc. In the article, I think the SubjectAltName refers to the server's FQDN. While the name in the Subject line would be the Common Name for the certificate. In general, it is the site's domain name.

    Best regards,


    Monday, March 17, 2014 2:27 AM