Windows 802.1X EAP-TLS

Overview

This component documents Windows 802.1X EAP-TLS configuration for enterprise network authentication using Vault PKI certificates.

Scope

  • Windows 10/11 workstations

  • Windows Server 2019/2022/2025

  • Certificate enrollment from Vault PKI

  • GPO-based and manual configuration

  • Troubleshooting authentication failures

Certificate Source

Certificates are issued from Vault PKI (DOMUS-ISSUING-CA), replacing the legacy Windows AD CS (HOME-ROOT-CA).

Key Differences from Linux

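| Aspect             | Linux                  | Windows                         |
|--------------------|------------------------|---------------------------------|
| Certificate Store  | File-based (/etc/ssl/) | Windows Certificate Store (MMC) |
| Configuration Tool | nmcli / NetworkManager | netsh / GPO / GUI               |
| Format             | PEM                    | PKCS#12 (.pfx)                  |
| Supplicant         | wpa_supplicant         | Windows Native                  |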

Prerequisites

  • Vault PKI access (vault-01)

  • DOMUS-ROOT-CA trusted in Windows

  • Administrative access to target machine

See Also

  • Linux 802.1X EAP-TLS (ise-linux)

  • Vault PKI Cert Issuance (infra-ops)