Frequent Contributor I
Posts: 72
Registered: ‎03-21-2013

dot1x authentication for non domain computers



We have setup an SSID with 802.1x EAP which supports "PEAP" and "smart card or other certificate" authentication modes. Users log in using  their domain credentials. What we want to achieve is this:


We have a couple of machines which we want to connect to but without entering user credentials. We want to use a certificate from our internal CA to authenticate the client on SSID. What is the correct way of doing it?


Is there any way (or any other post on this forum) which highlight how we can get the certificate from our CA to enroll the machine manually? Systems on domain are already enrolled obviously  but the systems we want to connect will be like Kiosk machine and are not on domain.


Thanks in anticipation.



Guru Elite
Posts: 20,017
Registered: ‎03-29-2007

Re: dot1x authentication for non domain computers

You should look on Microsoft's forum to do this.  Most people stick with WPA2 and PEAP because issuing, distributing, revoking certificates are so time and labor intensive.  In addition, you then have to make sure what certificate is assigned to whom and then have someone who has the skills in your company maintain and revoke their certificate.  It is hard enough keeping track of accounts in active directory, but it is much harder to keep track of EAP-TLS certificates for non-domain users, because you do not have control over their devices.  


ClearPass Onboard simplifies distributing, issuing, revoking and tying an EAP-TLS certificate to a user account for non-domain devices.  If you do not have something like ClearPass Onboard, you are looking at a great deal of management overhead...

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides :
Search Airheads
Showing results for 
Search instead for 
Did you mean: