RE: 802.1x, Computers, Wired Security




Hello,

Yes, you cannot use PEAP-MS-CHAPv2 for computer authentication because user
credentials (user name and password) are required for authentication when
using PEAP-MS-CHAPv2. You can use PEAP-TLS or EAP-TLS for computer
authentication.

To use PEAP-TLS or EAP-TLS for computer authentication, you need to issue a
computer certificate from a CA on the client for connections that use Secure
Sockets Layer (SSL) encryption and Transport Level Security (TLS)
encryption. Please refer to the following Microsoft Knowledge Base article
to ensure that client and server certificate requirements for EAP-TLS have
been met.

814394 Certificate requirements when you use EAP-TLS or PEAP with
EAP-TLS
http://support.microsoft.com/kb/814394

On Windows XP SP3, by default the authentication mode is set to 1 for
wired 802.1X networks. In this scenario, if computer authentication is
successful, a subsequent user logon results in a re-authentication with
user credentials. The user credentials are used for subsequent
authentication or re-authentication. You may configure the authentication
mode to Machine Only to enable computer-only authentication to see whether
it works.

949984 Changes to the 802.1X-based wired network connection
settings in Windows XP Service Pack 3
http://support.microsoft.com/kb/949984/

929847 How to enable computer-only authentication for a
802.1X-based network in Windows Vista
http://support.microsoft.com/kb/929847/

Hope it helps. If there's anything else about this issue I can do for you,
please do not hesitate to let me know.



Best regards,
Miles Li

Microsoft Online Partner Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
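
An added example, not part of the post above and not Microsoft's code: a PowerShell check of the local computer certificate store for the properties an EAP-TLS client certificate is generally expected to have (private key, validity, Client Authentication EKU, DNS name in the SAN, trusted chain). The helper name `Test-MachineCertForEapTls` and the English "DNS Name=" label are assumptions; KB 814394 remains the authoritative list of requirements.

```powershell
# Added example: Test-MachineCertForEapTls is a hypothetical helper name.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'  # Client Authentication EKU
$sanOid        = '2.5.29.17'          # Subject Alternative Name

function Test-MachineCertForEapTls {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $now = Get-Date

    # Does the EKU extension list Client Authentication?
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $clientAuth = $false
    if ($eku) {
        $clientAuth = @($eku.EnhancedKeyUsages |
            Where-Object { $_.Value -eq $clientAuthOid }).Count -gt 0
    }

    # SAN rendered as text; "DNS Name=" is the label on English-language Windows (assumption).
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $sanText = if ($san) { $san.Format($false) } else { '' }

    # Chain building uses the machine's trust stores; the default policy also checks revocation.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($Cert)

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        InValidity    = ($Cert.NotBefore -le $now -and $Cert.NotAfter -ge $now)
        ClientAuthEku = $clientAuth
        DnsNameInSan  = ($sanText -match 'DNS Name=')
        ChainTrusted  = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# Report on every certificate in the computer's Personal store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-MachineCertForEapTls -Cert $_ } |
    Format-List
```

Run it in an elevated session on the client; a certificate that shows `False` in any column is a candidate cause for failed computer authentication.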
