Sooo ... We have the mandatory requirement that clients who want to join our wireless LAN present a valid machine certificate issued by our in-house root CA. This is done to prevent malicious users who have a valid username/password combination from joining the wireless LAN. After all, it's easier to obtain a working username/password combo than a valid certificate.
Prior to Windows 8.x we used EAP-TLS as the outer authentication protocol to satisfy this requirement and used the inner authentication protocol to validate username/password against our AD.
With Windows 8.1, it seems that EAP-TLS is no longer supported (at least it can't be configured in the GUI. If I'm mistaken here, please provide a link to how it's done). So I started experimenting with EAP-TTLS as the outer authentication protocol and EAP-MSCHAPv2 as the inner authentication protocol. While this works, I'm unable to include a client certificate during the TLS handshake phase. I cannot for the heck of it find a way to tell Windows to do so.
Am I right to assume that there is NO WAY to configure the native Windows 8.1 802.1X supplicant to provide a client certificate when EAP-TTLS is used as outer authentication protocol?
RFC 5281 explicitly states that client certificate validation is supported during phase 1, so I cannot quite see why Microsoft would have omitted an option in the GUI to configure this.
lol. anyone? :) – lightxx – 2015-04-20T10:01:51.397