|
1 | 1 | --- |
2 | 2 | title: Certificate requirements when you use EAP-TLS |
3 | 3 | description: Discusses the requirements when you use Extensible Authentication Protocol (EAP) Transport Layer Security (TLS) or Protected Extensible Authentication Protocol (PEAP)-EAP-TLS in Windows Server. |
4 | | -ms.date: 01/15/2025 |
| 4 | +ms.date: 02/11/2025 |
5 | 5 | manager: dcscontentpm |
6 | 6 | audience: itpro |
7 | 7 | ms.topic: troubleshooting |
8 | | -ms.reviewer: kaushika, samyun |
| 8 | +ms.reviewer: kaushika, samyun, marcussa |
9 | 9 | ms.custom: sap:Network Connectivity and File Sharing\Network Load Balancing (NLB), csstroubleshoot |
10 | 10 | --- |
11 | 11 | # Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS |
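Review bot: The `ms.custom` value on line 9 tags this article with the support area path "Network Connectivity and File Sharing\Network Load Balancing (NLB)", which does not match the title or description (certificate requirements for EAP-TLS and PEAP with EAP-TLS). Since this change already touches the front matter (`ms.date`, `ms.reviewer`), confirm whether the `sap:` path is intentional and, if not, correct it in the same commit so the article is routed to the right support area.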
@@ -34,7 +34,7 @@ With either EAP-TLS or PEAP with EAP-TLS, the server accepts the client's authen |
34 | 34 | - The user or the computer certificate on the client chains to a trusted root CA. |
35 | 35 | - The user or the computer certificate on the client includes the **Client Authentication** purpose. |
36 | 36 | - The user or the computer certificate doesn't fail any one of the checks that are performed by the CryptoAPI certificate store. And the certificate passes requirements in the remote access policy. |
37 | | -- The user or the computer certificate doesn't fail any one of the certificates OID checks that are specified in the Network Policy Server (NPS) remote access policy. |
| 37 | +- The user or the computer certificate doesn't fail any one of the certificate OID checks that are specified in the Network Policy Server (NPS) remote access policy. |
38 | 38 |
|
39 | 39 | - The 802.1X client doesn't use registry-based certificates that are either smart-card certificates or certificates that are protected with a password. |
40 | 40 | - The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user. |
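Review bot: The fixed bullet on line 37 still states the requirement as a double negative ("doesn't fail any one of the certificate OID checks"), and it overlaps with the second sentence of line 36 ("And the certificate passes requirements in the remote access policy"), which is also a fragment starting with "And". Consider wording line 37 positively, for example "The user or the computer certificate passes all certificate OID checks that are specified in the Network Policy Server (NPS) remote access policy", and either dropping the trailing sentence from line 36 or saying how it differs from the OID checks, so a reader can tell whether these are two separate conditions.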
@@ -64,7 +64,7 @@ You can configure clients to validate server certificates by using the **Validat |
64 | 64 | - If the client is configured to trust a server certificate with a specific name, the user is prompted to decide about trusting a certificate with a different name. If the user rejects the certificate, authentication fails. If the user accepts the certificate, the certificate is added to the local computer trusted root certificate store. |
65 | 65 |
|
66 | 66 | > [!NOTE] |
67 | | -> With PEAP or with EAP-TLS authentication, servers display a list of all the installed certificates in the Certificates snap-in. However, the certificates that don't contain the **Server Authentication** purpose in EKU extensions are not displayed. |
| 67 | +> With PEAP or with EAP-TLS authentication, servers display a list of all the installed certificates in the Certificates snap-in. However, only the certificates that contain the **Server Authentication** purpose in EKU extensions are displayed. |
68 | 68 |
|
69 | 69 | ## More information |
70 | 70 |
|
|
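Review bot: The rewritten note on line 67 still contradicts itself: the first sentence says servers display "a list of all the installed certificates", and the second says "only the certificates that contain the **Server Authentication** purpose in EKU extensions are displayed". Suggest collapsing it into one statement, for example "With PEAP or with EAP-TLS authentication, servers list only the installed certificates that contain the **Server Authentication** purpose in EKU extensions", so an administrator who does not see a certificate in the selection list knows to check its EKU first.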