eap-tls and nps

  • Question

  • If I use eap-tls (i.e. smartcard) with NPS, does the client providing its certificate need an AD account? From experience it seems to be the case but I don't see why; if authentication is by certificate then the server should need only to trust what the client provides without reference to AD. Obviously there can be no constraints like checking group memberships.
    Friday, April 7, 2017 10:44 AM

All replies

  • 
    Hi,

    For Network Policy Server (NPS), EAP-TLS is an EAP type that is used in certificate-based security environments. EAP-TLS provides mutual authentication between the client and NPS. It only determines who is authorized to connect to the network.


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, April 10, 2017 9:51 AM
  • Hi,

    I am checking to see if the problem has been resolved. If there's anything you'd like to know, please feel free to ask.


    Best Regards
    Cartman

    Friday, April 14, 2017 4:01 AM
  • Not resolved yet, but this article

    https://msdn.microsoft.com/en-us/library/cc731363(v=ws.11).aspx

    shows a mapped AD account will always work, and a user client certificate has to have a UPN as a SAN, which effectively should mean there has to be an AD account. That leaves a client certificate for a machine account, so I will test that in our development network.

    Friday, April 14, 2017 10:30 PM
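    A defender-side check for the point made above (a user certificate's SAN must carry a UPN that corresponds to an AD account), written as an added example for this thread and not taken from it or from Microsoft's documentation. It assumes a domain-joined machine with the RSAT ActiveDirectory module installed; the store path and EKU/SAN handling are standard, but the mapping logic is illustrative.

    ```powershell
    # Added example: for each client-authentication certificate in the current user's
    # personal store, extract any UPN from the Subject Alternative Name and check that
    # an AD user with that UPN exists. Assumes RSAT ActiveDirectory module (assumption).
    Import-Module ActiveDirectory

    $clientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $sanOid        = '2.5.29.17'           # subjectAltName extension

    function Get-CertUpn {
        param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
        $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
        if (-not $san) { return @() }
        # Format($true) renders the SAN one entry per line, e.g.
        # "Other Name:Principal Name=user@corp.example"; keep only the UPN entries.
        $san.Format($true) -split "`r?`n" |
            Where-Object { $_ -match 'Principal Name=(.+)$' } |
            ForEach-Object { $Matches[1].Trim() }
    }

    function Test-CertUpnMapping {
        param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
        $upns = @(Get-CertUpn -Cert $Cert)
        if ($upns.Count -eq 0) {
            return [pscustomobject]@{ Thumbprint = $Cert.Thumbprint; Upn = $null; AdAccount = $null; Status = 'NoUpnInSan' }
        }
        foreach ($upn in $upns) {
            # Filter string is built from the certificate value; quote it as a literal.
            $user = Get-ADUser -Filter "UserPrincipalName -eq '$($upn -replace "'", "''")'" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Thumbprint = $Cert.Thumbprint
                Upn        = $upn
                AdAccount  = if ($user) { $user.SamAccountName } else { $null }
                Status     = if ($user) { 'Mapped' } else { 'NoMatchingAccount' }
            }
        }
    }

    # Only certificates that NPS would accept for EAP-TLS client auth are of interest.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthEku } |
        ForEach-Object { Test-CertUpnMapping -Cert $_ } |
        Format-Table Thumbprint, Upn, AdAccount, Status -AutoSize
    ```

    A certificate that reports NoUpnInSan or NoMatchingAccount is the case the thread is discussing: NPS has nothing to resolve to an account, so a policy that refers to users or groups cannot apply to it.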
  • Hi,

    》》That leaves a client certificate for a machine account, so I will test that in our development network.

    Sure, please update if you get something new.


    Best Regards
    Cartman

    Tuesday, April 18, 2017 2:38 AM