Hi,
I've tried looking for information on this but most led me to use auto
cert enrollment policy in the GPO for Active Directory. This means
that when a new machine joins the AD, it will receive a certificate
stored in the local computer certificate store. But, what about
computers already joined to the AD but did not receive any cert
because the policy was not enabled then? How does one generate a
machine cert? What type of cert are we requesting from the CA? Also,
what is the user credential we use to access the CA when we want to
request a new cert from web cert enrolment (http://ca/certsrv)?
I tried generating a user cert and importing into the Personal store
of the "local computer" cert store but when I tried to use CSSC to
perform a machine (EAP-TLS) and user login (any EAP methods), I never
see the machine trying authentication with the ACS. If I enable MAR
with "no-access" for failed machine authentication, naturally I will
not be able to pass authentication. But I also don't see any failed
attempts from my machine in the ACS logs. I've tried user
authentication only with EAP-TLS/PEAP/FAST and all worked flawlessly.
I've also configured all the necessary ACS settings at the external
database (windows database) configurations which allows EAP-TLS for
machine authentication. I suspect my cert in concern for machine
authentication is not correct hence machine authentication does not
even take place.
Any directions on that are appreciated.
Alvin B
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
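As an added diagnostic (not part of the original post or any product documentation), the PowerShell snippet below inspects the Local Computer "Personal" store and reports whether each certificate meets what a supplicant needs for EAP-TLS machine authentication: a Client Authentication EKU, a subject or SAN that matches the computer's FQDN, a private key, and a current validity period. A user certificate imported into that store, as described above, will normally fail the name check. It assumes Windows PowerShell with the built-in Cert: drive and that the host's DNS name resolves to its FQDN.

```powershell
# Added diagnostic (not from the original post): flag certificates in
# Cert:\LocalMachine\My that are usable for EAP-TLS machine authentication.
# Assumptions: Windows PowerShell 5.1+ with the Cert: drive; the supplicant
# expects the Client Authentication EKU and a name matching the computer FQDN.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$now  = Get-Date

foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Collect EKU OIDs; a cert with no EKU extension is treated as not usable here.
    $ekus = @()
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }

    # Subject Alternative Name (OID 2.5.29.17) rendered as text, e.g. "DNS Name=host.example.com"
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }

    $hasClientAuth = $ekus -contains $clientAuthOid
    $nameMatches   = ($cert.Subject -match [regex]::Escape($fqdn)) -or
                     ($sanText -match [regex]::Escape($fqdn))
    $hasKey        = $cert.HasPrivateKey
    $inValidity    = ($cert.NotBefore -lt $now) -and ($cert.NotAfter -gt $now)

    [pscustomobject]@{
        Thumbprint             = $cert.Thumbprint
        Subject                = $cert.Subject
        ClientAuthEKU          = $hasClientAuth
        NameMatchesHost        = $nameMatches
        HasPrivateKey          = $hasKey
        InValidity             = $inValidity
        UsableForMachineEapTls = $hasClientAuth -and $nameMatches -and $hasKey -and $inValidity
    }
}
```

If no certificate comes back as usable and the domain GPO already enables computer autoenrollment, running `gpupdate /force` followed by `certutil -pulse` on the client triggers an autoenrollment pass without waiting for the next scheduled one; a cert issued from the default "Computer" template satisfies all four checks.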