802.1x in Windows

Matthew Newton mcn4 at leicester.ac.uk
Tue Sep 6 11:26:07 CEST 2016

On Tue, Sep 06, 2016 at 09:03:14AM +0200, Michael Schwartzkopff wrote:
> this might be a little bit off topic, but perhaps someone can help here.

A little.

> I want to set up 802.1x for windows systems. In windows 7 an higher, is it 
> possible to use certificates for the client authentication if no user is logged 
> in, but passwords for the user authentication?

For Windows 7 at least, you can use

  "user authentication" which is either with certificates (EAP-TLS)
  or username/password (PEAP/MSCHAPv2).


  "machine authentication" which usually uses certificates
  (EAP-TLS), but I believe can auth with the username and password
  of the computer's AD account with MSCHAPv2.

You can't use both at the same time (e.g. PEAP/MSCHAPv2 with the
"machine" certificate sent as a client certificate in PEAP and the
user's password sent in the MSCHAPv2 part) because Windows won't
let you send a client certificate as part of PEAP, even though
it's technically allowed. EAP-TLS is certificate only.

There is an option somewhere that lets you use "machine"
authentication at boot time, and then to re-authenticate using the
user's credentials when they log in to Windows, but I forget where
it is now. This sounds like it's what you want.

Windows 8/10 may be more or less flexible. They at least now
permit EAP-TTLS/PAP, rather than just PEAP/MSCHAPv2.

You can also do PEAP/EAP-TLS, which is of no real benefit over the
plain EAP-TLS, except that it allows you to gather system
statement-of-health (SoH) data on the RADIUS server.

FreeRADIUS can handle all of the above.


Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

More information about the Freeradius-Users mailing list