WPA2 with Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication and both user and computer certificates
EAP-TLS is the strongest 802.1X authentication method supported by Windows-based wireless clients. EAP-TLS uses digital certificates to provide mutual authentication, in which the wireless client authenticates itself to the authentication server and
vice versa. EAP-TLS authentication requires a public key infrastructure (PKI) to issue certificates and keep them current. For the highest security, configure your PKI to issue both user and computer certificates for wireless access.
Can someone please explain how you configure both your client and backend (Radius) infrastructure to process two certificates? From my experience, when you configure your supplicant you have to instruct it to present either a user cert OR a computer cert...
not both. On Windows XP you can do this via the EAPOL reg key I think.... on Windows 7 you just select the drop down box....
Am I missing something, or is there a way to ensure both certificate types are presented by the client machine and authenticated by the Radius server?
EAP does not provide mechanisms that perform dual authentication — that is, the authentication of both the computer being used to access the network and the user who is attempting to connect. For this reason, you are not required to issue both
computer and user certificates when you deploy EAP and PEAP with certificate-based authentication types.
They go on to explain how computer certificates can be issued (separately to user certs).
Using autoenrollment. When you deploy certificates using autoenrollment, you configure the CA to automatically enroll certificates to computers that are members of the Domain Computers group and to users who are members of the Domain
Users group. No additional hardware is required to autoenroll certificates, because the certificates are stored on the computer that is connecting to the network. When a computer receives a computer or user certificate from the CA, the certificate is stored
locally in a data store named the certificate store.
In other words - you can authenticate via computer and user certificate - it just can't happen at the same time. Computer cert auth would happen at computer boot (pre GINA-logon) and I believe user cert authentication then happens again after user GINA-logon.
Obviously you'd need two different Radius policies to accommodate this scenario.
If anyone has configured this scenario and has some pointers, let me know.