5

I have a Wired 802.1x deployment using TLS machine authentication on Windows 7 (built-in 802.1x supplicant) with the necessary certs (FreeRadius v2.2.3 generated on Linux). Cisco C2960 POE switch is being used.

On Windows 7:

The Root CA exists in the Local Computer -> Trusted Root Certification store

The Client cert exists in the Local Computer -> Personal store.

Both certs are valid and 802.1x works perfectly fine.

However, when there is another valid cert in the Local Computer -> Personal store with a name starting with a higher letter than the Radius client cert (D higher than L in the alphabet), then that cert (with the higher letter) will get sent to the Radius server and will not authenticate properly.

Some of these other valid certs are needed so I'm not sure if there is a fix for this or if this is happening by design (or if Windows 7 is just using the cert at the "top of the list" in the cert store). I've tried the Microsoft hotfix KB2769121 (802.1X authentication fails on a Windows 7-based or Windows 2008 R2-based computer that has multiple certificates) but it did not work. Is anyone else having this problem? Any help would be greatly appreciated.

  • Are you using the built-in Windows supplicant for this, or a third-party one from a vendor like Cisco? – MDMarra Dec 30 '13 at 18:50
  • Yes it's the built-in Windows 7 supplicant. Using the "Smart card or other certificate" authentication method -> When Connecting: "Use a certificate on this computer" and "Use simple certificate selection" are both checked. "Validate server certificate" is checked with the FreeRadius Root CA selected in the list. – Jude_Quintana Dec 30 '13 at 19:59

1 Answer

-1

You'll want to check out the options for certificate selection; don't use the simple certificate selection. You should be able to define what qualifies as a cert to be used for 802.1x.
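To see for yourself why "Use simple certificate selection" becomes ambiguous once a second machine certificate lands in the store, here is a diagnostic you can run on the Windows 7 client. It is an added example, not code from the question or the answer above; it lists every certificate in Local Computer -> Personal that the supplicant could plausibly offer for EAP-TLS (private key present, currently valid, Client Authentication EKU or no EKU restriction) and flags which of them chain to your RADIUS CA. The only assumption is the `$RadiusCaName` placeholder, which you set to a string that appears in the issuer name of your FreeRADIUS-generated CA.

```powershell
# Added diagnostic, not part of the original post.
# Lists the certificates in LocalMachine\My that the built-in 802.1X supplicant
# could pick under simple certificate selection, so you can see whether more
# than one candidate exists and which one was issued by the RADIUS CA.

# Placeholder: set to a substring of your FreeRADIUS CA's subject/issuer name.
$RadiusCaName = 'FreeRADIUS-CA'

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now = Get-Date

# @() keeps .Count meaningful on Windows PowerShell 2.0 when only one cert matches.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $_.HasPrivateKey -and
    $_.NotBefore -lt $now -and $_.NotAfter -gt $now -and
    ($ekus -contains $clientAuthOid -or $ekus.Count -eq 0)   # no EKU = all purposes
})

# Sort by subject so the listing reflects the "top of the list" ordering the
# question is worried about.
$candidates | Sort-Object Subject | Select-Object `
    @{ n = 'Subject';          e = { $_.Subject } },
    @{ n = 'Issuer';           e = { $_.Issuer } },
    @{ n = 'Thumbprint';       e = { $_.Thumbprint } },
    @{ n = 'NotAfter';         e = { $_.NotAfter } },
    @{ n = 'IssuedByRadiusCA'; e = { $_.Issuer -like "*$RadiusCaName*" } } |
    Format-Table -AutoSize

$fromRadiusCa = @($candidates | Where-Object { $_.Issuer -like "*$RadiusCaName*" })

if ($fromRadiusCa.Count -eq 0) {
    Write-Warning "No usable client-auth certificate issued by '$RadiusCaName' was found."
}
elseif ($candidates.Count -gt 1) {
    Write-Warning ("{0} usable client-auth certificates found; simple certificate selection " +
                   "does not guarantee the one from '{1}' is the one offered to RADIUS." -f
                   $candidates.Count, $RadiusCaName)
}
else {
    Write-Host "Exactly one candidate, issued by '$RadiusCaName'; selection is unambiguous."
}
```

Run it in an elevated PowerShell on the affected client. If more than one row comes back, that is the situation the answer is describing: with simple selection the supplicant has several equally acceptable certificates and nothing binds it to the one your FreeRADIUS CA issued. The remedy the answer points to is to stop relying on simple selection and constrain the candidate set in the wired profile's EAP-TLS configuration (issuer and EKU criteria); `netsh lan export profile` lets you inspect the current profile XML before changing it.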