User EAP-TLS authentication for the first time

  • Question

  • Hi community,

    We are trying to develop 802.1X authentication to the network (LAN and WLAN) using the native Windows supplicant. The recommendation for the internal security department is to use certificates from the authentication. The second requirement is to have a user identity when a user is on a corporate machine.

    Machine and user certificates are auto-enrolled using GPO policy.

    Then we've configured clients using the GPO policy to have the required settings (same on LAN and WLAN network), including certificate selection

    - 802.1X auth credential: Machine or user credential

    - EAP type: Smart Card or other certificate

    Machine certificates are enrolled during the imaging process when a machine is online and joined to the AD.

    The problem which we currently have is, I would say, a chicken-or-the-egg problem.

    When a user is logging on to the machine for the first time, there is no certificate for that user. From observation, there is around a 50% chance that the user cert auto-enrollment is finished during logon on LAN. But on WLAN it's failing all the time.

    We are looking for some option to extend the machine authentication session to provide more time for the user cert auto-enrollment when the user is visiting the machine for the first time.

    Is there any simple way to auto-configure the supplicant to use "Machine credential" mode only in the case where there is no user certificate available, and then re-configure the supplicant to the "Machine or User credentials" mode when there is a user certificate?

    Thanks

    Pavel

    Monday, September 16, 2019 7:12 AM

All replies

  • Hi Pavel,

    This is a quick note to let you know that I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.

    If you have any updates during this process, please feel free to let me know.

    Best Regards,

    Candy



    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, September 19, 2019 9:24 AM
  • Hi Candy,

    Thank you for your efforts. Looking forward to your update.

    Best regards
    Pavel

    Friday, September 20, 2019 7:04 AM
  • Hi Pavel,

    I am sorry that this issue still hasn't been resolved.

    I did not find any related documents talking about this scenario.

    If there is still no progress, I would suggest you contact Microsoft Customer Services and Support where more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this question.

    Here is the link:

    http://support.microsoft.com/gp/customer-service-phone-numbers/en-us

    Best Regards,

    Candy



    Friday, September 27, 2019 9:40 AM