EAP-TLS computer authentication with logged on user?

  • Question

  • We set up NPS on Server 2016 and set up EAP-TLS with user and computer authentication.  Both the user and computer have certificates.

    This works for domain users, but has caused a new problem.

    When an IT administrator needs to log in using a local user admin account, the network is disconnected because local users can't get a certificate to authenticate to the wireless.


    Anyone who has access to log into the laptop will also have access to the network with those credentials. This is the same access they would have if the laptop were plugged into Ethernet. I don't see any benefit of needing both user and computer authentication for domain joined laptops.

    We need computer authentication for wireless so users without cached credentials can sign into new laptops.

    How can we configure the policy so computer authentication works both pre and post login?



    • Edited by Kalimanne Thursday, September 20, 2018 9:04 PM
    Thursday, September 20, 2018 9:03 PM

Answers

  • Hi,

    sorry for late reply.

    You need to set the authentication mode to computer only.

    Best regards,

    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by Kalimanne Thursday, September 27, 2018 12:14 PM
    Tuesday, September 25, 2018 7:29 AM
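A way to check, on a client, which authentication mode a deployed profile actually carries and to apply the accepted answer, as an added example that is not from this thread or from Microsoft: it exports the wireless profile with netsh, reads the OneX authMode element (the XML form of the "authentication mode" setting; when it is absent Windows uses machineOrUser, the behaviour the question describes), and optionally sets it to machine, which is "computer only". The SSID CorpWiFi and the temp folder are assumptions.

```powershell
<#
  Added example (not from the thread). Assumptions: SSID "CorpWiFi" is a
  placeholder, netsh wlan is available, and the script runs elevated.
#>
param(
    [string]$ProfileName = "CorpWiFi",
    [switch]$SetMachineOnly
)
$ErrorActionPreference = "Stop"
$oneXNs = "http://www.microsoft.com/networking/OneX/v1"

$work = Join-Path $env:TEMP "wlan-profile-check"
New-Item -ItemType Directory -Force -Path $work | Out-Null
# Export the profile currently deployed on this machine
netsh wlan export profile name="$ProfileName" folder="$work" | Out-Null
$file = Get-ChildItem -Path $work -Filter "*.xml" | Select-Object -First 1
if (-not $file) { throw "netsh did not export a profile named '$ProfileName'" }

[xml]$doc = Get-Content -Path $file.FullName -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace("ox", $oneXNs)

$oneX = $doc.SelectSingleNode("//ox:OneX", $ns)
if (-not $oneX) { throw "Profile '$ProfileName' has no OneX section, so it is not an 802.1X/EAP profile" }

$authMode = $oneX.SelectSingleNode("ox:authMode", $ns)
# No authMode element means the Windows default, machineOrUser: computer credentials
# before logon, then a switch to the user's credentials at logon. That switch is
# what fails when a local account without a certificate logs on.
$current = if ($authMode) { $authMode.InnerText } else { "machineOrUser (element absent, default)" }
Write-Output "Profile '$ProfileName' authMode: $current"

if ($SetMachineOnly -and $current -ne "machine") {
    if (-not $authMode) {
        # Schema order inside OneX ends with: authMode, singleSignOn (optional), EAPConfig
        $authMode = $doc.CreateElement("authMode", $oneXNs)
        $anchor = $oneX.SelectSingleNode("ox:singleSignOn", $ns)
        if (-not $anchor) { $anchor = $oneX.SelectSingleNode("ox:EAPConfig", $ns) }
        $oneX.InsertBefore($authMode, $anchor) | Out-Null
    }
    $authMode.InnerText = "machine"
    $doc.Save($file.FullName)
    # Re-import for all users so the machine-only profile is active before anyone logs on
    netsh wlan add profile filename="$($file.FullName)" user=all
    Write-Output "Profile '$ProfileName' now authenticates as the computer only"
}
```

For domain-wide deployment the same setting is the Authentication Mode dropdown ("Computer only") under the Security tab, Advanced, of the Wireless Network (IEEE 802.11) Policies GPO; this script is for confirming what a client actually received.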

All replies

  • Hi,

    Thanks for your question.

    You can use this procedure to configure the certificate template that Active Directory® Certificate Services (AD CS) uses as the basis for computer certificates that are enrolled to domain member client computers:

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731242%28v%3dws.10%29  

    Best regards,

    Travis



    Friday, September 21, 2018 2:34 AM
  • That link has instructions on how to create and distribute certificates. It doesn't answer my question on allowing the computer to connect to the wireless network using computer authentication both before and after login.
    Friday, September 21, 2018 12:20 PM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Travis



    Thursday, September 27, 2018 9:59 AM