Group Policy and IEEE 802.1X Authentication
Group Policy settings define the various
EAP-TLS and Computer Configuration Group Policy
Updates to Computer Configuration Group Policy occur when the computer starts, achieves network connectivity, and
If a Windows wireless client configured to use EAP-TLS authentication does not have a computer certificate installed, it cannot authenticate to the wireless AP and therefore has no wireless LAN connectivity while Computer Configuration Group Policy is being processed. The attempt to locate a domain controller and download the latest Computer Configuration Group Policy consequently fails, and the failure is recorded in the event log.
The solution to this problem is to install a computer certificate on the Windows wireless client so that wireless LAN network connectivity is present during the location of the domain controller and the download of the Computer Configuration Group Policy.
EAP-TLS and User Configuration Group Policy
Updates to User Configuration Group Policy occur when a user
The solution to this problem is to install a computer certificate on the Windows wireless client. With an installed computer certificate, the Windows wireless client has wireless LAN network connectivity during the entire logon process, and therefore should always be able to download the latest User Configuration Group Policy.
If you are using EAP-TLS for authentication, use both computer and user certificates.
Using Third-Party CAs for Wireless Authentication
You can use third-party CAs to issue certificates for wireless access as long as the certificates installed can be
Certificates on IAS Servers
For the computer certificates installed on the IAS servers, the following must be true:
They must be installed in the Local Computer certificate store.
They must have a corresponding private key. When you view the properties of the certificate, the General tab should show the text "You have a private key that corresponds to this certificate".
The cryptographic service provider (CSP) holding the private key must support SChannel (Secure Channel). If it does not, the IAS server cannot use the certificate, and the certificate is not selectable in the properties of the Smart Card Or Other Certificate EAP type (reached from the Authentication tab of the profile properties of a remote access policy).
They must contain the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
They must contain the FQDN of the computer account of the IAS server computer in the Subject Alternative
Additionally, the root CA certificates for the issuing CAs of the wireless client computer and
Certificates on Wireless Client Computers
For the user and computer certificates installed on wireless client computers, the following must be true:
They must have a corresponding private key.
They must contain the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).
Computer certificates must be installed in the Local Computer certificate store.
Computer certificates must contain the FQDN of the wireless client computer account in the Subject Alternative Name field.
User certificates must be installed in the Current User certificate store.
User certificates must contain the UPN of the user account in the Subject Alternative Name field.
Additionally, the root CA certificates of the issuing CAs of the IAS server computer certificates must be installed in the Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates folder.
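The two requirement lists above (IAS server certificates and wireless client computer and user certificates) can be checked from PowerShell rather than by clicking through certificate properties. The following is an added example, not code from the original document or from any Microsoft tool: for each certificate in the store implied by the role, it reports whether a private key is present, whether the required EKU is there, whether the expected FQDN or UPN appears in the Subject Alternative Name field, which CSP or key storage provider holds the key (so the SChannel requirement can be judged), and whether a trust chain to an installed root CA certificate can be built. The store paths, OIDs and name fields come from the text; the names used in the usage lines (ias1.example.com, alice@example.com) are assumptions for illustration.

```powershell
# Added example (not from the original document): checks certificates in a
# Windows certificate store against the EAP-TLS requirements listed above.
# Store paths and OIDs are taken from the text; the sample names in the usage
# lines at the bottom ('ias1.example.com', 'alice@example.com') are assumptions.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (IAS servers)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (wireless clients)
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension

function Get-SanEntries {
    # Returns the SAN entries as Windows renders them, one per line, e.g.
    # "DNS Name=ias1.example.com" or "Other Name:Principal Name=alice@example.com"
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if (-not $ext) { return @() }
    $ext.Format($true) -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Get-EkuOids {
    # OIDs from the Enhanced Key Usage extension; empty if the extension is absent
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Get-KeyProviderName {
    # Name of the CSP or CNG key storage provider holding the private key. The text
    # requires a CSP that supports SChannel; compare this name against that
    # requirement (e.g. 'Microsoft RSA SChannel Cryptographic Provider').
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    } catch { return "inaccessible: $($_.Exception.Message)" }
    if ($null -eq $rsa) { return $null }   # no RSA private key (or not an RSA certificate)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return $rsa.CspKeyContainerInfo.ProviderName   # legacy CAPI CSP
    }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return $rsa.Key.Provider.Provider               # CNG key storage provider
    }
    return $rsa.GetType().Name
}

function Test-EapTlsCertificate {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('IasServer', 'ClientComputer', 'ClientUser')]
        [string]$Role,
        [Parameter(Mandatory)]
        [string]$ExpectedName,     # FQDN of the computer account, or UPN of the user
        [string]$StorePath         # optional override of the store implied by the role
    )
    # Store and EKU follow from the role, as listed in the requirements above
    switch ($Role) {
        'IasServer'      { $eku = $ServerAuthOid; $default = 'Cert:\LocalMachine\My' }
        'ClientComputer' { $eku = $ClientAuthOid; $default = 'Cert:\LocalMachine\My' }
        'ClientUser'     { $eku = $ClientAuthOid; $default = 'Cert:\CurrentUser\My'  }
    }
    if (-not $StorePath) { $StorePath = $default }

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # The chain builds only if the issuing CA's root is in a trusted root store
        # on this machine; revocation checking is skipped so the check runs offline
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)
        $san = @(Get-SanEntries -Cert $cert)

        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            Subject        = $cert.Subject
            HasPrivateKey  = $cert.HasPrivateKey
            HasRequiredEku = ((Get-EkuOids -Cert $cert) -contains $eku)
            SanHasName     = [bool]($san | Where-Object { $_ -like "*=$ExpectedName" })
            KeyProvider    = Get-KeyProviderName -Cert $cert
            ChainTrusted   = $chainOk
            ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            NotAfter       = $cert.NotAfter
        }
    }
}

# Usage (assumed names): a certificate meets the requirements only if every
# boolean column is True and KeyProvider is a provider that supports SChannel.
Test-EapTlsCertificate -Role IasServer  -ExpectedName 'ias1.example.com'  | Format-List
Test-EapTlsCertificate -Role ClientUser -ExpectedName 'alice@example.com' | Format-List
```

Run the IasServer check in an elevated session on the IAS server, since reading private-key details from the Local Computer store requires access to the key. The ClientComputer role applies the same check to the computer certificate that the EAP-TLS and Group Policy sections above depend on, and ClientUser checks the user certificate in the Current User store against the user's UPN.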