New Contributor

User auth with eap-tls and Windows sso

As KB2717916 points out, Windows user wireless single sign-on can never work with certificate-based protocols, because when network authentication is attempted before user logon there is no user context from which to retrieve a certificate. Machine authentication does work, but it's not ideal to then relax security and only do user network auth after logon. It should be possible to switch to MS-CHAP after machine auth and forward credentials to the RADIUS server for user auth, but dashed if I can see how. Anyone any ideas? Client is Windows 7, login is to a Windows domain.

Guru Elite

Re: User auth with eap-tls and Windows sso

It is not possible with the built-in Windows supplicant. You can only define a single EAP type (TLS or PEAP) for a single WLAN connection.

Most users who do EAP-TLS, for seamless connectivity, just do machine-only TLS, where they create the profile and, under IEEE and Advanced, allow the computer to authenticate at the ctrl-alt-delete as well as when the user is logged in. At that point, the computer security profile matches that of a wired computer, where only an authorized user can log in to an already trusted device.

Again, using the method above, the user does not log in to the WLAN, but the trusted domain computer connects using a method that cannot be duplicated or re-used (EAP-TLS), and then the user is allowed to log in to that trusted device that is connecting securely.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
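An added check, not part of either post above: export the deployed WLAN profile with netsh and confirm it is the machine-only EAP-TLS configuration the answer describes (EAP method type 13 with the OneX authentication mode set to machine). The profile name "CorpWiFi" is an assumption; the XML is read with local-name() XPath so the check does not depend on the exact namespace prefixes netsh emits.

```powershell
# Added example: verify a Windows WLAN profile is machine-only EAP-TLS.
param([string]$ProfileName = "CorpWiFi")   # assumed profile/SSID name

$tmp = Join-Path $env:TEMP "wlan-profile-check"
New-Item -ItemType Directory -Force -Path $tmp | Out-Null

# netsh writes "<Interface>-<Profile>.xml" into the target folder
netsh wlan export profile name="$ProfileName" folder="$tmp" | Out-Null
$file = Get-ChildItem -Path $tmp -Filter "*$ProfileName*.xml" | Select-Object -First 1
if (-not $file) { throw "Profile '$ProfileName' not found on this machine" }

[xml]$xml = Get-Content -Path $file.FullName

# OneX/authMode is optional; the schema default when it is omitted is machineOrUser
$authNode = $xml.SelectSingleNode("//*[local-name()='OneX']/*[local-name()='authMode']")
$authMode = if ($authNode) { $authNode.InnerText } else { "machineOrUser" }

# EapMethod/Type holds the IANA EAP method number: 13 = EAP-TLS, 25 = PEAP
$typeNode = $xml.SelectSingleNode("//*[local-name()='EapMethod']/*[local-name()='Type']")
$eapType  = if ($typeNode) { [int]$typeNode.InnerText } else { -1 }
$eapName  = switch ($eapType) { 13 { "EAP-TLS" } 25 { "PEAP" } default { "EAP type $eapType" } }

Write-Host "Profile : $ProfileName"
Write-Host "EAP     : $eapName"
Write-Host "authMode: $authMode"

if ($eapType -eq 13 -and $authMode -eq "machine") {
    Write-Host "OK: machine-only EAP-TLS; the computer authenticates at ctrl-alt-delete and stays authenticated after user logon"
} elseif ($eapType -eq 13 -and $authMode -eq "machineOrUser") {
    Write-Warning "EAP-TLS with authMode 'machineOrUser': after logon Windows switches to user authentication, so the user also needs a certificate"
} else {
    Write-Warning "Profile is not machine-only EAP-TLS (EAP=$eapName, authMode=$authMode)"
}

Remove-Item -Recurse -Force $tmp
```

Run it in a PowerShell session on the client; exporting without `key=clear` does not expose any stored secret, and the exported file is deleted afterwards.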