Howdy,

I am trying to set up 802.1x using HP's IDM and W2K3 IAS. I am able to get
the user to authenticate to IAS once they have logged on to Windows. The
problem is I cannot get the computer to authenticate, which is an issue
because none of the GPOs will be refreshed at boot up. I've exported my CA's
root certificate and have imported it into a GPO so that I can see it listed
under Trusted Root Certification Authorities on the client, so I'm not sure
what I am missing. Does the client computer need to have a cert? Here is my
setup, and the error from the IAS server is below...

DC1 - AD/DNS/DHCP/IAS Primary/IDM Agent
DC2 - AD/DNS/DHCP/IAS Secondary/IDM Agent/Enterprise Root CA

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 7/11/2008
Time: 9:13:50 AM
User: N/A
Computer: DC1
Description:
User host/stations20dcnb.domain.com was denied access.
Fully-Qualified-User-Name = DOMAIN\STATIONS20DCNB$
NAS-IP-Address = 192.168.73.2
NAS-Identifier = CORE2
Called-Station-Identifier = 00-17-08-cc-2f-00
Calling-Station-Identifier = 00-17-a4-d7-6b-45
Client-Friendly-Name = CORE2
Client-IP-Address = 192.168.73.2
NAS-Port-Type = Ethernet
NAS-Port = 93
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = Extension
EAP-Type = <undetermined>
Reason-Code = 21
Reason = The request was rejected by a third-party extension DLL file.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....

Thanks !

RE: 802.1x, Computers, Wired Security by heath

heath
Fri Jul 11 07:40:00 PDT 2008

I'm also trying to use PEAP-MS-CHAP v2


RE: 802.1x, Computers, Wired Security by v-mileli

v-mileli
Mon Jul 14 04:53:24 PDT 2008


Hello,

Thank you for your post.

Please allow me to confirm that my understanding is correct. As I
understand it, the issue is:

The computer in the domain failed to authenticate to the network with
HP IDM and Microsoft IAS. Event ID 2 with error code 21 is received on
the computer, which indicates the authentication error.

If I have misunderstood your concerns please feel free to let me know.

Suggestion:
==============
According to the event log, the computer was denied access because "The
request was rejected by a third-party extension DLL file".

Event Type: Warning
Event Source: IAS
Event ID: 2
Computer: DC1
Description:
User host/stations20dcnb.domain.com was denied access.
Fully-Qualified-User-Name = DOMAIN\STATIONS20DCNB$
Reason-Code = 21
Reason = The request was rejected by a third-party extension DLL file.

I checked HP's web site and found that IDM has an IDM Agent which
captures authentication information from the IAS server and passes the user
data to the IDM Decision Manager. The IDM Access Policy Group defines the
rules that determine the user's access rights. Based on the error message,
it seems that the computer authentication is rejected by IDM.

To troubleshoot this problem efficiently, I suggest that you refer to the
user manual of IDM to ensure that it is installed and configured properly.
Meanwhile, I suggest that you contact HP's support at the same time.
Please understand that I don't mean to bounce you between support
professionals, as I am fully aware how time consuming this can be. However,
they really are in a better position to be able to assist you with this
issue, as they may have experienced similar issues.

In addition, for client authentication you can manually enroll a computer
certificate and try again.

Request a certificate
http://technet2.microsoft.com/windowsserver/en/library/edba654f-6995-4ef3-b90e-93c89651ed8c1033.mspx


Information Needed:
==============
You can run the following command on the IAS server to enable the iassam
trace (located in %SystemRoot%\tracing).

netsh ras set tracing iassam enabled

Then reproduce the issue to capture logs. Please look into the Iassam.log
and paste the errors.

Reference:
==============
Deployment of IEEE 802.1X for Wired Networks Using Microsoft Windows
http://www.microsoft.com/downloads/details.aspx?familyid=05951071-6b20-4cef-9939-47c397ffd3dd&displaylang=en

Hope it helps.


Sincerely,
Miles Li

Microsoft Online Partner Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


RE: 802.1x, Computers, Wired Security by heath

heath
Wed Aug 13 08:00:01 PDT 2008

Hello Miles,

Here is what I have done...


On my WinXP SP3 client I stopped using the MS XPSP3 supplicant and installed
the Open1X supplicant. I made sure everything is working properly, and it is.
The thing with the Open1X supplicant is that I can hardcode user credentials
so that the computer is already authenticated (and put in the proper
VLAN) before the user is presented with the logon prompt. This works well
because computer scripts and user scripts run. I don't like the hardcoding of
usernames/passwords, but this is a good test to show that IDM and my switch
appear to be working correctly and that I now need to focus my efforts on the
Microsoft side of the house.

I then uninstall the Open1X supplicant and am back to the issue of the
computer not being in the correct VLAN before the user is at the logon
prompt. Once the user enters the username/password they are put in the
correct VLAN, but at this point it's too late and the user logon scripts
don't run.

How can I use the MS supplicant and have the computer in the proper VLAN
prior to user logon?

Thanks!


"Miles Li [MSFT]" wrote:

> Hello,
>
> I am currently standing by for further update from you and would like to
> know how things are going. If you have any questions or concerns on the
> recent information I've provided you, please don't hesitate to let me know.
>
> Best regards,
> Miles Li

RE: 802.1x, Computers, Wired Security by v-mileli

v-mileli
Thu Aug 14 05:37:36 PDT 2008



Hello,

From the description, you can authenticate the computer to the network
successfully with the Open1X supplicant by hardcoding the user credentials.
However, you still fail to enter the network with the Windows XP SP3
supplicant.

In Windows XP SP3, the wired 802.1x service has been separated from the
wireless service into a new Dot3Svc (Wired AutoConfig service). By default
this service is set to manual start as opposed to automatic. In
an 802.1x-deployed wired network, the client will not connect to the
network because of the absence of the service. So please make sure that
the Wired AutoConfig service is set to Automatic before you restart the server.

Information needed:
=================
For further investigation of the issue, you can capture the network
traffic when the clients attempt to authenticate with the IAS server and send
it to me at <tfwst@microsoft.com>.

You can get NetMon 3.1 from the following link:
http://www.microsoft.com/downloads/details.aspx?FamilyID=18b1d59d-f4d8-4213-8d17-2f6dde7d7aac&DisplayLang=en


For your reference:

Changes to the 802.1X-based wired network connection settings in Windows XP
Service Pack 3
http://support.microsoft.com/kb/949984

You cannot connect to an 802.1X wired network after you upgrade to Windows
XP Service Pack 3
http://support.microsoft.com/kb/953650

A Windows XP-based wired client computer will not obtain a valid IP address
from a guest VLAN or from an "Authentication failed-VLAN"
http://support.microsoft.com/kb/931856


Hope it helps. If you have any questions or concerns, please do not
hesitate to let me know.


Best regards,
Miles Li



RE: 802.1x, Computers, Wired Security by heath

heath
Thu Aug 14 06:51:00 PDT 2008

I think part of the problem is that I was trying to use PEAP with MSCHAPv2.
From what I've read this won't work for computer auth. From what I understand
I should be using EAP-TLS for computer and user auth. Is this correct?

I have changed my IAS policy to use EAP-TLS and have also configured the
client to use EAP-TLS. The good thing is that I can auth with a user cert
using EAP-TLS no problem, but the computer auth is still failing. Yes, the
service is started and set to automatic. I have a computer cert and here is
the error message on the IAS server...

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 8/14/2008
Time: 9:37:53 AM
User: N/A
Computer: IAS
Description:
User host/laptoptest.domain.com was denied access.
Fully-Qualified-User-Name = DOMAIN\LAPTOPTEST$
NAS-IP-Address = 192.168.73.2
NAS-Identifier = CORE2
Called-Station-Identifier = 00-17-08-cc-2f-00
Calling-Station-Identifier = 00-17-a4-d7-6b-45
Client-Friendly-Name = CORE2
Client-IP-Address = 192.168.73.2
NAS-Port-Type = Ethernet
NAS-Port = 93
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = Extension
EAP-Type = <undetermined>
Reason-Code = 21
Reason = The request was rejected by a third-party extension DLL file.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....


Here is the error on the client....

Event Type: Information
Event Source: Dot3Svc
Event Category: None
Event ID: 15514
Date: 8/14/2008
Time: 9:37:53 AM
User: N/A
Computer: LAPTOPTEST
Description:
Wired 802.1X Authentication failed.

Network Adapter: Broadcom NetXtreme Gigabit Ethernet - Packet Scheduler
Miniport
Interface GUID: {66cf62ec-9e70-44a2-b29a-fbe95796c647}
Peer Address: 001708CC2F00
Local Address: 0017A4D76B45
Connection ID: 0x00000004
Identity: host/laptoptest.domain.com
User: -
Domain: -
Reason: 327685
Reason Text: The authentication failed because there is a problem with the
user account

Error Code: 1078067472


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.





RE: 802.1x, Computers, Wired Security by v-mileli

v-mileli
Fri Aug 15 04:43:55 PDT 2008


Hello,

Yes, you cannot use PEAP-MS-CHAPv2 for computer authentication because user
credentials (user name and password) are required for authentication when
using PEAP-MS-CHAPv2. You can use PEAP-TLS or EAP-TLS for computer
authentication.

To use PEAP-TLS or EAP-TLS for computer authentication, you need to issue a
computer certificate from the CA on the client for connections that use Secure
Sockets Layer (SSL) encryption and Transport Level Security (TLS)
encryption. Please refer to the following Microsoft Knowledge Base article
to ensure that the client and server certificate requirements for EAP-TLS have
been met.

814394 Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS
http://support.microsoft.com/kb/814394

On Windows XP SP3, by default the authentication mode is set to 1 for
wired 802.1X networks. In this scenario, if computer authentication is
successful, a subsequent user logon results in a re-authentication with
user credentials. The user credentials are used for subsequent
authentication or re-authentication. You may configure the authentication
mode to Machine Only to enable computer-only authentication to see whether
it works.

949984 Changes to the 802.1X-based wired network connection settings in Windows XP Service Pack 3
http://support.microsoft.com/kb/949984/

929847 How to enable computer-only authentication for a 802.1X-based network in Windows Vista
http://support.microsoft.com/kb/929847/

Hope it helps. If there's anything else about this issue I can do for you,
please do not hesitate to let me know.



Best regards,
Miles Li



RE: 802.1x, Computers, Wired Security by heath

heath
Fri Aug 15 06:19:01 PDT 2008

My client is XPSP3 so where can I find the XML files to enable computer auth?

Thanks


RE: 802.1x, Computers, Wired Security by v-mileli

v-mileli
Mon Aug 18 03:42:52 PDT 2008



Hello,

You can configure the 802.1x wired network settings on Windows XP SP3
just like on Windows Vista, as described in the following Microsoft
KB article.

929847 How to enable computer-only authentication for a 802.1X-based network in Windows Vista
http://support.microsoft.com/kb/929847/


1. Export the network profile information to an XML file.

a) In the command prompt, type:
netsh lan export profile folder=c:\

b) An XML file named <connection_name>.xml is created in the specified
location. Add an <authMode>machine</authMode> node in the location shown
below and save it.

<OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
  <authMode>machine</authMode>
  <EAPConfig>...</EAPConfig>
</OneX>

2. Add the network profile that you modified. To do this, type the
following line at the command prompt:

netsh lan add profile filename="c:\xxx.xml" interface="connection_name"

I hope these steps will give you some help. If you have any questions or
concerns, please do not hesitate to let me know.


Best regards,
Miles Li

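The XML edit from step 1b done programmatically, as an added example that is not part of Miles Li's post or of any Microsoft tool: it takes the text of a profile exported with netsh lan export profile, inserts or updates authMode inside the OneX element while keeping the schema's element order, and returns XML ready for netsh lan add profile. The sample profile is constructed; a real export also carries the EAP-TLS settings inside EAPConfig.

```python
"""Set <authMode> in a wired 802.1X profile exported by `netsh lan export profile`."""
import xml.etree.ElementTree as ET

# Namespaces used by the exported profile (the OneX one is the one quoted in the thread).
LAN_NS = "http://www.microsoft.com/networking/LAN/profile/v1"
ONEX_NS = "http://www.microsoft.com/networking/OneX/v1"
# Values the OneX schema allows for authMode; "machine" is computer-only authentication.
VALID_MODES = ("machineOrUser", "machine", "user")
# OneX is an ordered sequence: authMode must come before these siblings.
MUST_PRECEDE = (f"{{{ONEX_NS}}}singleSignOn", f"{{{ONEX_NS}}}EAPConfig")

# Keep the serialised output close to what netsh wrote (default namespace for the
# profile, a prefix for OneX); both forms are equivalent XML.
ET.register_namespace("", LAN_NS)
ET.register_namespace("onex", ONEX_NS)

# Constructed sample resembling a `netsh lan export profile folder=c:\` result
# with 802.1X enabled but no authMode yet (EAPConfig contents omitted).
SAMPLE_PROFILE = f"""<?xml version="1.0"?>
<LANProfile xmlns="{LAN_NS}">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="{ONEX_NS}">
        <EAPConfig>EAP-TLS settings go here</EAPConfig>
      </OneX>
    </security>
  </MSM>
</LANProfile>
"""


def set_auth_mode(profile_xml: str, mode: str = "machine") -> str:
    """Return profile_xml with <authMode> set to `mode` inside the OneX element.

    Raises ValueError for a mode the schema does not allow, or if the profile
    has no OneX element (802.1X is not enabled on that connection).
    """
    if mode not in VALID_MODES:
        raise ValueError(f"authMode must be one of {VALID_MODES}, got {mode!r}")
    root = ET.fromstring(profile_xml)
    onex = root.find(f".//{{{ONEX_NS}}}OneX")
    if onex is None:
        raise ValueError("profile has no OneX element; 802.1X is not enabled on it")
    node = onex.find(f"{{{ONEX_NS}}}authMode")
    if node is None:
        node = ET.Element(f"{{{ONEX_NS}}}authMode")
        # Insert before the first sibling that the schema says must follow it,
        # or at the end if none of those is present.
        position = len(onex)
        for index, child in enumerate(onex):
            if child.tag in MUST_PRECEDE:
                position = index
                break
        onex.insert(position, node)
    node.text = mode  # an existing node is updated in place, never duplicated
    return ET.tostring(root, encoding="unicode")


def get_auth_mode(profile_xml: str):
    """Current authMode of the profile, or None if the node is absent."""
    node = ET.fromstring(profile_xml).find(f".//{{{ONEX_NS}}}OneX/{{{ONEX_NS}}}authMode")
    return None if node is None else node.text


def onex_children(profile_xml: str) -> list:
    """Local names of the OneX element's children, in document order."""
    onex = ET.fromstring(profile_xml).find(f".//{{{ONEX_NS}}}OneX")
    return [child.tag.split("}", 1)[1] for child in onex]


if __name__ == "__main__":
    # Flow: netsh lan export profile folder=c:\  ->  this edit  ->  netsh lan add profile
    print(set_auth_mode(SAMPLE_PROFILE, "machine"))
```

Write the returned string to the exported file and re-add it with netsh lan add profile; the function refuses modes the schema does not define, so a typo in the mode fails here rather than at import time.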


RE: 802.1x, Computers, Wired Security by heath

heath
Mon Aug 18 07:20:01 PDT 2008

Thanks. I've enabled computer auth and am still getting the same error messages
on the client as posted on 8/14.

I don't know where to go from here. User auth is working, but computer auth
is not.





RE: 802.1x, Computers, Wired Security by v-mileli

v-mileli
Tue Aug 19 03:55:19 PDT 2008


Hello,

As user authentication using PEAP/MSCHAPv2 is working, the 802.1X wired
service on Windows XP SP3 should function properly. However, TLS with
certificates needs a certificate enrolled from the CA, so please verify
the certificates on the client machine that connects to the 802.1x
wired network, as I mentioned in my previous post.

814394 Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS
http://support.microsoft.com/kb/814394

Client side:

1. Is there a computer certificate that was enrolled from the domain CA?

2. Does the computer certificate on the client chain to a trusted root? Can you
verify the certificate path successfully?
- You can select the trusted root certification authorities in the
Network Connection--->properties--->authentication tab--->PEAP settings
(PEAP properties).

3. Did you select Smart card or other certificate (you used to use
MSCHAPv2) as the Authentication method for PEAP?

4. Does the computer certificate have the Client Authentication purpose?

Server side:

1. Is the option "validate server certificate" chosen on the client?
If yes, please verify the IAS server's computer certificate for the Server
Authentication purpose and its certificate path.

Hope it helps. If you have any questions or concerns, please do not
hesitate to let me know.


Best regards,
Miles Li



RE: 802.1x, Computers, Wired Security by heath

heath
Tue Aug 19 10:31:02 PDT 2008

Just to be clear....PEAP-MSCHAPv2 and EAP-TLS both work for user auth. I want
to get EAP-TLS to work with computer auth. See my answers below....



"Miles Li [MSFT]" wrote:

>
> Hello,
>
> As the User authentication using PEAP/MSCHAPv2 is working, the 802.1X wired
> service on the Windows XP SP3 should functions properly. However, because
> the TLS with certificates needs the certificate that enrolled from the CA.
> Please verify the certificates on the client machine that connect to 802.1x
> wired network as I mentioned in my previous post.
>
> 814394 Certificate requirements when you use EAP-TLS or
> PEAP with EAP-TLS
> http://support.microsoft.com/kb/814394
>
> Client side:
>
> 1. Is there a computer certificate that enrolled from the domain CA?
>

YES


> 2. Does computer certificate on the client chain to a trusted root? Can you
> verify the certificate path successfully?
> - You can select the trusted root certification authorities in the
> Network Connection--->properties--->authentication tab--->PEAP settings
> (PEAP properties).
>

I'M NOT USING PEAP


> 3. Do you select the Smart card or other certificate (you used to use
> MSCHAPv2) as the Authentication method for PEAP?

YES I SELECT SMART CARD OR OTHER CERTIFICATE FOR EAP-TLS

>
> 4. Does the computer certificate have the Client Authentication purpose?
>


YES


> Server side:
>
> 1. Does the option "validate server certificate" is chosen on the client?
> If yes, please verify the IAS
> Server's computer certificate for Server Authentication purpose and its
> certificate path .

YES

>
> Hope it helps. If you have any questions or concerns, please do not
> hesitate to let me know.
>
>
> Best regards,
> Miles Li

RE: 802.1x, Computers, Wired Security by v-mileli

v-mileli
Wed Aug 20 03:40:48 PDT 2008


Hello,

Sorry about the confusion.

For EAP-TLS, you can also refer to Microsoft Knowledge Base article
814394 to verify the usability of the computer certificate.

As error code 21 (The request was rejected by a third-party extension DLL
file) is logged on the IAS server, it means that a third-party extension
has been installed on the server and the authentication has been taken over
by this third-party extension. According to your initial problem
description, you have installed the IDM agent on the server. Based on the
following HP whitepaper, the IDM agent extends IAS authentication and does
some customized checks. Unfortunately, as HP IDM is a third-party product
which I am not familiar with, I'd like to suggest that you contact HP IDM
support to see whether computer authentication via EAP-TLS is supported and
how to configure it. Thank you for your understanding.

ProCurve Identity Driven Manager (IDM) 2.3
http://www.hp.com/rnd/products/management/idm/overview.htm

Please understand that I don't intend to bounce you between different
support services, as I am fully aware how time consuming this can be. In
scenarios in which we have narrowed down possible causes to troubleshooting
on behalf of HP, they are in a better position to be able to assist you
with this.

If you have any questions or concerns, please do not hesitate to let me
know.


Best regards,
Miles Li

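The diagnostic reasoning of this last post, that Reason-Code 21 together with Authentication-Type = Extension means the request was answered by the extension DLL before IAS ever chose a policy, as an added triage routine that is not part of the thread or of IAS. It parses the description text of an IAS Event ID 2 and reports whether the denied identity is a computer account and at which stage it was rejected; the first event text is trimmed from the 8/14 server log posted above, the second is constructed to show a policy-stage denial for contrast, and reason codes 48 and 66 are standard IAS reason codes that the thread itself does not mention.

```python
"""Triage IAS Event ID 2 denials: which account, and at which stage was it rejected."""
import re

# Reason codes used here. 21 is the one in every server log of this thread;
# 48 and 66 are standard IAS policy-stage reason codes, shown for contrast.
REASON_TEXT = {
    21: "rejected by a third-party extension DLL (here the IDM agent) before "
        "IAS evaluated any remote access policy",
    48: "no remote access policy matched the request",
    66: "authentication method not enabled on the matching remote access policy",
}

# Trimmed from the IAS event posted on 8/14 in this thread.
EVENT_EXTENSION_REJECT = """\
User host/laptoptest.domain.com was denied access.
Fully-Qualified-User-Name = DOMAIN\\LAPTOPTEST$
NAS-Identifier = CORE2
Calling-Station-Identifier = 00-17-a4-d7-6b-45
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = Extension
EAP-Type = <undetermined>
Reason-Code = 21
Reason = The request was rejected by a third-party extension DLL file.
"""

# Constructed contrast: a user denied because the matched policy does not allow the EAP type.
EVENT_POLICY_REJECT = """\
User DOMAIN\\jdoe was denied access.
Fully-Qualified-User-Name = DOMAIN\\jdoe
NAS-Identifier = CORE2
Authentication-Provider = Windows
Policy-Name = Wired 802.1X Users
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 66
Reason = Authentication method not enabled on the matching remote access policy.
"""


def parse_ias_event(description: str) -> dict:
    """Turn an IAS Event ID 2 description into a dict of its 'Key = Value' fields."""
    fields = {}
    match = re.search(r"^User (\S+) was denied access", description, re.MULTILINE)
    fields["Identity"] = match.group(1) if match else ""
    for line in description.splitlines():
        if " = " in line:
            key, value = line.split(" = ", 1)
            fields[key.strip()] = value.strip()
    return fields


def triage(description: str) -> dict:
    """Classify one denial: account kind and whether IAS policy was ever evaluated."""
    fields = parse_ias_event(description)
    identity = fields["Identity"]
    fqun = fields.get("Fully-Qualified-User-Name", "")
    # Computer accounts present as host/<fqdn> and resolve to DOMAIN\NAME$.
    kind = "machine" if identity.startswith("host/") or fqun.endswith("$") else "user"
    code = int(fields.get("Reason-Code", "-1"))
    # An extension DLL answers before IAS chooses a policy, so Policy-Name and
    # EAP-Type stay <undetermined> and Authentication-Type reads 'Extension'.
    extension_stage = code == 21 and fields.get("Authentication-Type") == "Extension"
    policy_evaluated = (not extension_stage
                        and fields.get("Policy-Name", "<undetermined>") != "<undetermined>")
    if extension_stage:
        next_step = "check the extension's (IDM) policy for this account; IAS policy never ran"
    elif policy_evaluated:
        next_step = f"review IAS policy '{fields['Policy-Name']}'"
    else:
        next_step = "inspect the full event and Iassam.log"
    return {
        "identity": identity,
        "account_kind": kind,
        "reason_code": code,
        "policy_evaluated": policy_evaluated,
        "explanation": REASON_TEXT.get(code, fields.get("Reason", "unknown reason")),
        "next_step": next_step,
    }


def machine_denials(descriptions) -> list:
    """Identities of computer accounts rejected before IAS policy evaluation."""
    return [t["identity"] for t in map(triage, descriptions)
            if t["account_kind"] == "machine" and not t["policy_evaluated"]]
```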