Security

Occasional Contributor I

EAP-TLS user certificate race condition

Hi all,

We've rolled out EAP-TLS authentication (moving away from EAP-PEAP) to our managed devices and all is working successfully apart from one specific scenario, that is new users logging onto a laptop for the first time via wireless.  A search has shown that I'm not the only one to hit this and it's pretty much a race condition with Windows not having the user cert to get on the network, to get the cert it needs to get on the network.

The SSID accepts both machine and user certificates for connection, so the observed behaviour is that Windows boots to login screen and connects using the machine cert.  It then uses this to contact domain controllers to authenticate but at some point shortly after, tries to switch to the user cert, fails as that's not present and doesn't just fall back to the machine cert (because that would be far too sensible).

Of course to really confuse matters one in every three or four attempts actually works and the user cert is pulled from our AD and the machine happily switches over to using it.  So definitely seems like a race condition to me.

My question is has anyone successfully got past this?  The recommendation was always to revert to EAP-PEAP but we're trying to move away from it so that's not an option.  Did people find a magic Windows setting?  Did people use a different supplicant to the Windows one?  Did they just give up and tell people to wire for their first login?

Thanks in advance,

Luke

MVP Guru

Re: EAP-TLS user certificate race condition

Best approach is to set the profile to do machine authentication only when doing certificate-based authentication to prevent the issue you are experiencing.

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Pardon typos sent from Mobile

Occasional Contributor I

Re: EAP-TLS user certificate race condition

How I've actually got round it presently (although it's not the prettiest of solutions) is to have a secondary GPO pushed wireless profile that connects to the exact same SSID but only does machine certificate authentication.  Therefore if the user cert isn't present it falls back to this which enables the user cert to actually be pulled.  When the user next restarts it connects to the standard profile (higher priority in the GPO) which is set to use both computer and user certs.  It works but it feels hacky so I'm holding my breath that there's a nicer solution that still allows us to banish EAP-PEAP.
