Multiple Valid Certificates in Windows 7 breaking Wired 802.1x Deployment

Tags: 802.1, freeradius, windows 7

I have a Wired 802.1x deployment using TLS machine authentication on Windows 7 (built-in 802.1x supplicant) with the necessary certs (FreeRadius v2.2.3 generated on Linux). Cisco C2960 POE switch is being used.

On Windows 7:

The Root CA exists in the Local Computer -> Trusted Root Certification store

The Client cert exists in the Local Computer -> Personal store.

Both certs are valid and 802.1x works perfectly fine.

However, when there is another valid cert in the Local Computer -> Personal store with a name starting with a higher letter than the Radius client cert (D higher than L in the alphabet), then that cert (with the higher letter) will get sent to the Radius server and will not authenticate properly.

Some of these other valid certs are needed so I’m not sure if there is a fix for this or if this is happening by design (or if Windows 7 is just using the cert at the "top of the list" in the cert store). I've tried the Microsoft hotfix KB2769121 (802.1X authentication fails on a Windows 7-based or Windows 2008 R2-based computer that has multiple certificates) but it did not work. Is anyone else having this problem? Any help would be greatly appreciated.

Best Answer

You'll want to check out the options for certificate selection; don't use the simple certificate selection. You should be able to define what qualifies as a cert to be used for 802.1x.
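As an added diagnostic (not from the original question or answer), the following PowerShell lists the Local Computer -> Personal store certificates the supplicant could present for EAP-TLS, sorted by subject to mirror the "top of the list" ordering the question describes, and warns when more than one is eligible. `$RadiusCaMatch` is an assumed substring of your FreeRADIUS CA's subject name; change it to match your own CA.

```powershell
# Added diagnostic; not part of the original post.
# Assumption: $RadiusCaMatch is a substring of the subject of the CA that
# issued the 802.1x client certificate (the FreeRADIUS-generated CA).
$RadiusCaMatch = 'Example Corp Root CA'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth EKU

$now = Get-Date
# A cert is a candidate if it has a private key, is within its validity
# period, and either has no EKU extension or lists Client Authentication.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -ge $now -and
        (@($_.EnhancedKeyUsageList).Count -eq 0 -or
         @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $ClientAuthOid)
    } |
    Sort-Object Subject)   # same alphabetical ordering the question observed

Write-Host 'Client-auth certificates the supplicant could present (sorted by Subject):'
foreach ($c in $candidates) {
    $tag = if ($c.Issuer -like "*$RadiusCaMatch*") { 'RADIUS-CA' } else { 'OTHER-CA ' }
    '{0}  {1}  {2}  expires {3:yyyy-MM-dd}' -f $tag, $c.Thumbprint, $c.Subject, $c.NotAfter
}

$intended = @($candidates | Where-Object { $_.Issuer -like "*$RadiusCaMatch*" })
if ($intended.Count -eq 0) {
    Write-Warning 'No valid client-auth certificate issued by the RADIUS CA was found.'
} elseif ($candidates.Count -gt 1) {
    $first = $candidates[0].Subject
    $msg = '{0} eligible certificates found; simple certificate selection may present "{1}" ' +
           'instead of the RADIUS cert. Disable simple selection in the EAP-TLS properties ' +
           'and restrict selection to certificates issued by the RADIUS CA.'
    Write-Warning ($msg -f $candidates.Count, $first)
}
```

Run it in an elevated PowerShell on the affected Windows 7 machine; a warning with more than one candidate reproduces the condition described in the question.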
