Certificate selection when using 802.1x authentication

Hello, I have a question on how a certificate is selected from a computer's personal certificates when using 802.1x for wireless authentication using Windows NPS server as RADIUS.

I have been having issues with users not being able to authenticate to the office WiFi, and after looking at the logs on the NPS server it shows that the computer is giving the NPS server a certificate other than the one belonging to the computer account.

There is a list of certificates in the personal certificate store, and the one certificate for the computer account (given by the on-prem PKI) is at the bottom of the list. So it looks like it is just choosing the first certificate in the list, and then failing authentication and not giving the correct cert.

Shouldn't it go down the list of certs and eventually give the correct cert instead of the first one in the list and causing authentication to fail? Hope this makes sense; any insight is appreciated!
Thanks.

1 Reply
Did you choose to use "Use simple certificate selection" in the Wi-Fi profile? Or you can set it to use a specific name or CA.

https://docs.fortinet.com/document/fortiauthenticator/6.0.0/cookbook/905663/configuring-windows-10-w...
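
Before pinning the Wi-Fi profile to a specific name or CA as the reply suggests, it helps to see what is actually in the computer's personal store. The following is an added example, not part of the original posts: it lists each certificate with its issuer, expiry, private-key status and whether it carries the Client Authentication EKU. It assumes the machine store (`Cert:\LocalMachine\My`) is the one in use, and `$ExpectedIssuer` is a placeholder for the on-prem issuing CA's name.

```powershell
# Added diagnostic example (not from the thread). Read-only: it changes nothing.
# $ExpectedIssuer is a placeholder; replace it with your on-prem issuing CA name.
$ExpectedIssuer = 'EXAMPLE-ISSUING-CA'
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    # Collect the EKU OIDs on this certificate (empty when there is no EKU extension).
    $ekuOids = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

    [pscustomobject]@{
        Subject        = $_.Subject
        Issuer         = $_.Issuer
        Thumbprint     = $_.Thumbprint
        NotAfter       = $_.NotAfter
        Expired        = $_.NotAfter -lt (Get-Date)
        HasPrivateKey  = $_.HasPrivateKey
        ClientAuthEku  = $ekuOids -contains $ClientAuthOid
        NoEkuExtension = $ekuOids.Count -eq 0
        FromExpectedCA = $_.Issuer -like "*$ExpectedIssuer*"
    }
} | Sort-Object -Property FromExpectedCA, ClientAuthEku -Descending |
    Format-List
```

Certificates that show `ClientAuthEku` or `NoEkuExtension` as true but `FromExpectedCA` as false are the ones to compare against the certificate recorded in the NPS log.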