802.1x

[Guest]

I am trying to enable 802.1x autentication for my network but when I try to
connect to the network it says "Windows could not find a certificate to log
you on". I have set up a CA and RADIUS server and they seem to be working
fine. I have set a computer certificate to be deployed using auto-enrollment
and I have verified that computers are receiving the computer certificate. I
have set the 802.1x authentication options on the client computers to
authenticate using computer information when available. When I request a
user certificate and try to authenitcate it works fine, but when I delete the
user cert and still have the computer cert, it fails. It seems like Windows
is not even looking at the computer certificates when it decides what cert to
send in for authentication. Any ideas? I have been pulling my hair out and
I cant figure this one out. Any help would be greatly appreciated.

 

[Steven L Umbach]

I have not used 802.1X for a while but why are you surprised that it fails
when the user certificate is removed. EAP-TLS is supposed to require both
certificates for user and computer authentication in order for the
connection to succeed. The link below is pretty good as a lab exercise and
does a good job explaining how to set up Remote Access Policies for 802.1X
wireless. Try deleting the computer certificate and leaving the user
certificate to see what happens after rebooting. If access is granted then
you know that the computer does not need to authenticate. It also may help
to look in the security log on the radius/IAS server to see if it shows what
accounts [user and or computer] are being authenticated though you may need
to enable auditing of logon events and IAS logging first. --- Steve

http://www.microsoft.com/downloads/...a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en