Hi Tim,
Why is machine/computer authentication recommended?
Computer authentication has a disadvantage: it won't work for role mapping, as it can't get the detailed attributes (user group) from AD.
I faced this problem in role mapping + enforcement when the Windows client is set to machine/computer authentication.
TAC told me the Windows client needs to be set to "user only" or "user or computer authentication".
User authentication will provide more complete attribute information.
Thanks.
------------------------------
Choh Koon Tan
------------------------------
Original Message:
Sent: Jun 01, 2021 04:10 PM
From: Tim C
Subject: EAP-TLS user & machine auth + local admin account
No, you'd need to just use machine-based identity (which is the recommended deployment model).
------------------------------
Tim C
Original Message:
Sent: Jun 01, 2021 01:01 PM
From: Maxime Mourand
Subject: EAP-TLS user & machine auth + local admin account
Hi guys,
I'm wondering if anyone knows about a workaround for an issue I stumbled across lately.
I'm currently using EAP-TLS for Windows devices with machine + user authentication on the wired side. All is working well and both certificates are authenticating fine. The Windows authentication profiles are pushed by GPO.
At the login prompt, machine auth succeeds, and then my problem is when I log in with the local admin account. Since this account is not part of AD, it has no user certificate enrolled. I would expect a method to tell the Windows PC that if no user cert exists in the store, it should fall back to the machine certificate even if a user session is logged in. Since the settings are managed by GPO, they are greyed out and impossible to modify. So my only options seem to be either having a generic user cert on a USB stick or using netsh to modify the profile with a script and override the GPO.
Has anyone had this problem and found a setting to overcome it?
Thanks :)
------------------------------
Maxime Mourand
------------------------------
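Both sides of this thread turn on one setting: the 802.1X authentication mode of the Windows wired profile, which the Windows UI labels "Computer authentication", "User authentication" or "User or computer authentication" and which the profile XML stores in the OneX `<authMode>` element. The PowerShell below is an added example, not code from this thread, from Microsoft or from the NAC vendor. It parses a constructed wired profile in the format that `netsh lan export profile` writes, reports the mode, and writes a copy with the mode changed, which is the netsh-driven script Maxime mentions. The function names, the interface name "Ethernet", the output path and the elided EAP `<Config>` contents are assumptions; the element and namespace names are those of the Windows LAN profile, OneX and EapHostConfig schemas.

```powershell
# Added example, not code from the original thread. It reads a Windows wired
# (IEEE 802.3) 802.1X profile in the XML form that "netsh lan export profile"
# produces, reports the <authMode> the thread is discussing, and writes a copy
# with a different mode. The profile XML below is constructed for this example.
#
# On a real machine the round trip would be (both are existing netsh commands;
# "Ethernet" and C:\Temp are placeholders):
#   netsh lan export profile folder="C:\Temp" interface="Ethernet"
#   netsh lan add profile filename="C:\Temp\Ethernet.xml" interface="Ethernet"
# Assumption: a profile delivered by a GPO wired policy is re-applied on the
# next policy refresh, so a local change made this way is not expected to persist.

$ns = @{
    lan    = 'http://www.microsoft.com/networking/LAN/profile/v1'
    onex   = 'http://www.microsoft.com/networking/OneX/v1'
    eap    = 'http://www.microsoft.com/provisioning/EapHostConfig'
    common = 'http://www.microsoft.com/provisioning/EapCommon'
}

# Label shown in the Windows authentication tab for each OneX authMode value.
$authModeLabels = @{
    machineOrUser = 'User or computer authentication'
    machineOnly   = 'Computer authentication'
    userOnly      = 'User authentication'
}

function Get-WiredOneXSummary {
    param([Parameter(Mandatory)][xml]$Profile)

    $enabled  = Select-Xml -Xml $Profile -Namespace $ns -XPath '/lan:LANProfile/lan:MSM/lan:security/lan:OneXEnabled'
    $authMode = Select-Xml -Xml $Profile -Namespace $ns -XPath '//onex:OneX/onex:authMode'
    $eapType  = Select-Xml -Xml $Profile -Namespace $ns -XPath '//onex:EAPConfig/eap:EapHostConfig/eap:EapMethod/common:Type'

    $mode = if ($authMode) { $authMode.Node.InnerText } else { $null }
    [pscustomobject]@{
        OneXEnabled = if ($enabled) { [bool]::Parse($enabled.Node.InnerText) } else { $false }
        AuthMode    = $mode
        AuthModeUI  = if ($mode -and $authModeLabels.ContainsKey($mode)) { $authModeLabels[$mode] } else { 'unknown' }
        EapType     = if ($eapType) { [int]$eapType.Node.InnerText } else { $null }   # 13 is EAP-TLS
    }
}

function Set-WiredAuthMode {
    param(
        [Parameter(Mandatory)][xml]$Profile,
        [Parameter(Mandatory)][ValidateSet('machineOrUser', 'machineOnly', 'userOnly')][string]$Mode
    )
    # Work on a copy so the caller's document is left untouched.
    $copy = [xml]$Profile.OuterXml
    $node = Select-Xml -Xml $copy -Namespace $ns -XPath '//onex:OneX/onex:authMode'
    if (-not $node) { throw 'Profile has no <authMode>; 802.1X is not configured in it.' }
    $node.Node.InnerText = $Mode
    return $copy
}

# Constructed sample profile: 802.1X enabled, EAP-TLS, "user or computer" mode.
[xml]$sample = @'
<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <cacheUserData>true</cacheUserData>
        <authMode>machineOrUser</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
            <!-- EAP-TLS <Config> (server validation, certificate selection) elided -->
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</LANProfile>
'@

Get-WiredOneXSummary -Profile $sample | Format-List

# Switch the copy to computer-only authentication and save it where
# "netsh lan add profile filename=..." could pick it up.
$machineOnly = Set-WiredAuthMode -Profile $sample -Mode 'machineOnly'
Get-WiredOneXSummary -Profile $machineOnly | Format-List
$out = Join-Path $env:TEMP 'Ethernet-machineOnly.xml'
$machineOnly.Save($out)
"Wrote $out"
```

Setting `machineOnly` makes the supplicant present only the computer certificate regardless of who is logged on, which is the model Tim's reply recommends and which avoids the local-admin case Maxime describes; it does not add a "fall back to the machine cert if no user cert exists" behaviour to `machineOrUser`. The trade-off Choh Koon Tan raises applies to that choice: with computer-only authentication the RADIUS server sees the machine identity, not the user's AD group attributes.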