Group Policy and IEEE 802.1X Authentication

Group Policy settings define the various components of the user's desktop environment that a system administrator needs to manage; for example, the programs that are available to users, the programs that appear on the user's desktop, and Start menu options. Group Policy settings you specify are contained in a Group Policy object, which is in turn associated with selected Active Directory container objects: sites, domains, or organizational units. Group Policy includes settings for User Configuration, which affect users, and Computer Configuration, which affect computers.

EAP-TLS and Computer Configuration Group Policy

Updates to Computer Configuration Group Policy occur when the computer starts, achieves network connectivity, and locates a domain controller. The computer attempts to download the latest Computer Configuration Group Policy based on the computer's membership in a domain system container.

If a Windows wireless client configured to use EAP-TLS authentication does not have a computer certificate installed, it cannot authenticate to a wireless AP to obtain wireless LAN network connectivity. Therefore, the attempt to locate a domain controller and download the latest Computer Configuration Group Policy fails. This event is recorded in the event log.

The solution to this problem is to install a computer certificate on the Windows wireless client so that wireless LAN network connectivity is present during the location of the domain controller and the download of the Computer Configuration Group Policy.

EAP-TLS and User Configuration Group Policy

Updates to User Configuration Group Policy occur when a user supplies correct credentials and logs on to the domain. If a computer certificate is not installed (and the computer has not authenticated itself against the wireless AP), the logon uses cached credentials. After the user certificate in the user's certificate store becomes available, the Windows wireless client configured to use EAP-TLS authentication attempts to authenticate against the wireless AP. Depending on how long the wireless authentication takes, the download of the User Configuration Group Policy might also fail. This event is recorded in the event log.

The solution to this problem is to install a computer certificate on the Windows wireless client. With an installed computer certificate, the Windows wireless client has wireless LAN network connectivity during the entire logon process, and therefore should always be able to download the latest User Configuration Group Policy.

If you are using EAP-TLS for authentication, use both computer and user certificates.
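
One way to check a client for the two certificates recommended above, as an added example that is not from the book. It assumes Windows PowerShell 3.0 or later, treats a certificate as usable only if it has a private key, is within its validity period, and carries the Client Authentication EKU, and uses a hypothetical helper name, Test-EapTlsClientCert.

```powershell
# Added example (not from the book): report whether this Windows client holds
# certificates usable for EAP-TLS in both the computer and the user store.
# Test-EapTlsClientCert is a hypothetical helper name.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication enhanced key usage

function Test-EapTlsClientCert {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('LocalMachine', 'CurrentUser')]
        [string]$StoreLocation
    )

    $now = Get-Date

    # Assumption of this check: usable means private key present, currently
    # valid, and the Client Authentication EKU listed on the certificate.
    $usable = @(Get-ChildItem -Path "Cert:\$StoreLocation\My" | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and
        $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
    })

    [pscustomobject]@{
        Store       = "$StoreLocation\My"
        UsableCerts = $usable.Count
        # Earliest expiry among usable certificates; empty when none exist.
        NextExpiry  = ($usable | Sort-Object NotAfter | Select-Object -First 1).NotAfter
        Ready       = $usable.Count -gt 0
    }
}

$computer = Test-EapTlsClientCert -StoreLocation LocalMachine
$user     = Test-EapTlsClientCert -StoreLocation CurrentUser
$computer, $user | Format-Table -AutoSize

if (-not $computer.Ready) {
    # Without this certificate the client has no wireless connectivity at
    # startup, so the Computer Configuration Group Policy download fails.
    Write-Warning 'No usable computer certificate in LocalMachine\My.'
}
if (-not $user.Ready) {
    Write-Warning 'No usable user certificate in CurrentUser\My.'
}
```

Run it in the logged-on user's session so that CurrentUser\My refers to that user's certificate store.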



Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
EAN: 2147483647
Year: 2000
Pages: 123
Authors: Joseph Davies
