No, there's really no way to do this with your configuration. Mixing GPO/MDM + 
a supplicant utility like SecureW2 is not recommended. It becomes a giant 
unpredictable tug of war.
________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Heavrin, Lynn 
<lheav...@wustl.edu>
Sent: Friday, May 14, 2021 10:07
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Forcing Client Cert Selection in Windows for EAP-TLS


Has anyone used EAP-TLS where a Windows device has multiple client certs loaded 
in the personal store?  Is there a way to force it via GPO to choose one cert 
over the other to use for authentication?  The user certs from ADCS don’t 
always contain a private key in the personal store except on the first device a 
user logs into, so we moved to SecureW2 to guarantee it would work.  In Cisco 
ISE I trust both ADCS and SecureW2 CAs.  What is happening and what I’m trying 
to achieve is:



  1.  If a computer happens to have an ADCS user cert private key, it uses that one first, and I want to try to force it to use the SecureW2 cert via GPO or some setting.
  2.  For machine auth, I want it to always use the ADCS cert since there’s no private key issue. There is no SecureW2 machine cert. Due to this I don’t think I can just say “only use certs from this Issuer CA” because I need both, unless I can do that for user and machine separately.



Thanks,



Lynn Heavrin

Network Engineer III | Network Engineering

Washington University in St. Louis
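As an added diagnostic example (not code from this thread or from SecureW2), the following PowerShell enumerates the client-authentication certificates in the current user's and the machine's personal stores, reports which ones actually carry a private key and which CA issued them, and flags the situation described above: a user store holding usable certs from more than one issuing CA, where the supplicant's pick is not under the administrator's control. Run it on a device that shows the problem to confirm which certs are in play before changing any policy; no CA names or thumbprints are assumed.

```powershell
# Added diagnostic (not from the thread): which certs in the personal stores are
# candidates for EAP-TLS, and which of them actually have a private key.
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-EapTlsCandidate {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string]$Scope
    )
    Get-ChildItem -Path "Cert:\$Scope\My" |
        Where-Object {
            $eku = $_.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            # No EKU extension means "all purposes"; otherwise clientAuth must be listed.
            (-not $eku) -or ($eku.EnhancedKeyUsages.Value -contains $ClientAuthEku)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Scope         = $Scope
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey   # False = cert present but unusable for EAP-TLS
                Thumbprint    = $_.Thumbprint
            }
        }
}

$user    = @(Get-EapTlsCandidate -Scope CurrentUser)
$machine = @(Get-EapTlsCandidate -Scope LocalMachine)

($user + $machine) |
    Sort-Object Scope, Issuer |
    Format-Table Scope, Issuer, Subject, HasPrivateKey, NotAfter -AutoSize

# The case from the thread: more than one issuing CA has a private-key-bearing
# client cert in the user store, so the supplicant's choice is not predictable.
$usableIssuers = @($user | Where-Object HasPrivateKey |
    Select-Object -ExpandProperty Issuer -Unique)
if ($usableIssuers.Count -gt 1) {
    Write-Warning "User store holds usable client certs from $($usableIssuers.Count) issuers:"
    $usableIssuers | ForEach-Object { Write-Warning "  $_" }
}

# Expired certs that would still be offered if the supplicant ignored validity.
($user + $machine) | Where-Object { $_.NotAfter -lt (Get-Date) } |
    ForEach-Object { Write-Warning "Expired: $($_.Scope) $($_.Subject) ($($_.Thumbprint))" }
```

Reading the LocalMachine store needs no elevation for certificate metadata, but `HasPrivateKey` on machine certs reflects whether the key container is accessible to the running account, so run the machine-scope check from an elevated prompt to avoid false negatives.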




**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
