Question : User Certificate Enrollment Problem
Hello All,
Please bear with me as I explain my question/issue. I have a Windows 2008 NPS server as my RADIUS server, which is also my certificate authority. I'm using 802.1x with EAP-TLS for user/machine authentication. I'm doing both computer and user cert validation per Microsoft's best practices recommendation. In AD I have created a GPO for user enrollment and another GPO for my wireless properties, and this is also where I auto-enroll my computer cert. On my NPS policies, I have 4 policies - 2 host policies and 2 user policies. For example, when a laptop that is part of staff computers boots up, it's put into its respective VLAN based on one of the host policies. And then when a staff member or student logs in, it puts them on their respective VLAN based on their AD user membership that matched the user policy on the NPS server.
In my testing environment everything worked perfectly. When a staff laptop booted up it put them on the right VLAN, and then when the user logged in it auto-enrolled the user cert and put them on the right VLAN. I also tested putting the user in different user groups to make sure it would put the user in the correct VLAN based on AD membership, and that worked great. Well, I decided to go live with the changes and ran into an issue.
After joining the laptop to the domain, I restarted and logged in using a domain account so it got the GPOs I created for the cert enrollment, validation and wireless properties. After joining it, I took it off the network and restarted. When it booted up everything worked fine; I can see on my wireless controller that the laptop was getting an IP address. I can log in with the same account and it also got an IP address. The issue is when I tried logging in with another domain account. It logs in, but it tells me that it can't find / is looking for the certificate.
So my question is: Does the user certificate enrollment only work for the first user who logs in? Did I miss a step?
If I only do "Computer only" authentication in the wireless properties in my GPO, everything works fine. All my users can log in, but it puts them on the VLAN the computer picked up when it validated at startup. When I put it back to "Re-Authenticate", it doesn't work.
Thanks so much in advance for your help!
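An added diagnostic (not from the original post) to run as the second user who gets the "looking for the certificate" message: it checks whether that user's Personal store holds a client-authentication certificate from the enterprise CA, which is what EAP-TLS user authentication needs, and if none is present it triggers user autoenrollment so the cert exists before the next 802.1X attempt. The CA subject below is a placeholder to replace with your own.

```powershell
# Added diagnostic, not code from the original question.
# Run in the interactive session of the user whose EAP-TLS logon fails.
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU, required for EAP-TLS user auth
$ExpectedIssuer = 'CN=EXAMPLE-CA'       # placeholder: subject of your NPS/CA box's CA certificate

# 1. Look in the current user's Personal store (not the machine store) for a
#    certificate that has a private key and the Client Authentication EKU.
$userCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
}

if (-not $userCerts) {
    Write-Warning "No client-authentication certificate found for user $env:USERNAME."
    # Autoenrollment normally runs at logon / every 8 hours; force it now so the
    # user cert is in place before the supplicant re-authenticates.
    certutil -pulse
    Write-Host "Autoenrollment pulsed. Re-run this script, then reconnect to the wireless network."
}
else {
    $userCerts | Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint | Format-Table -AutoSize

    # NPS validates the chain against the CA it trusts, so a cert from another
    # issuer (or an expired one) will still produce a "certificate not found" style failure.
    $bad = $userCerts | Where-Object { $_.Issuer -ne $ExpectedIssuer -or $_.NotAfter -lt (Get-Date) }
    if ($bad) {
        Write-Warning "Certificate(s) present but not issued by $ExpectedIssuer or already expired:"
        $bad | Select-Object Subject, Issuer, NotAfter | Format-Table -AutoSize
    }
}
```

If the store is empty even after `certutil -pulse`, the user autoenrollment GPO is not applying to that account; `gpresult /r` run as the same user shows whether the enrollment policy was delivered.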
Answer : User Certificate Enrollment Problem
So it seems that I cannot configure it the way I want it. The only way to get it to work is to configure it as "Computer Only" authentication, as mentioned in my original question.