From my point of view it sounds very strange to have a captive portal involved with any certificate based 802.1x.
In the GPO, configure the clients to do EAP-TLS with both machine and user authentication. This is done under the Additional settings button if EAP-TLS is selected as the authentication method.

Another option is to migrate to EAP-TEAP instead, but this is more work, as ClearPass must also be reconfigured to support TEAP.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
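The setting described above lives in the OneX section of the Windows 802.1X profile as `authMode` (`machine`, `user`, `machineOrUser` or `guest`). As an added audit example that is not part of this thread, the following script checks an exported wired profile for that value; the sample profile XML is constructed and minimal, and the default assumed when the element is absent is labelled in the comments:

```python
import xml.etree.ElementTree as ET

# Namespace of the OneX element that carries authMode in both LAN and WLAN profiles.
ONEX_NS = "http://www.microsoft.com/networking/OneX/v1"
# Modes in which the client can authenticate with its machine certificate
# while no user is logged on (idle machine or logon prompt).
MACHINE_CAPABLE = {"machine", "machineOrUser"}


def check_auth_mode(profile_xml: str) -> dict:
    """Return the configured authMode and whether machine auth is guaranteed
    at the logon screen. An absent authMode is reported as None and flagged,
    because this checker does not assume any default (assumption: review it)."""
    root = ET.fromstring(profile_xml)
    elem = root.find(f".//{{{ONEX_NS}}}authMode")
    mode = elem.text.strip() if elem is not None and elem.text else None
    ok = mode in MACHINE_CAPABLE
    finding = None if ok else (
        f"authMode={mode!r}: set machineOrUser so the client presents its "
        "machine certificate before a user logs on, instead of landing in the portal"
    )
    return {"authMode": mode, "machine_auth_at_logon_screen": ok, "finding": finding}


def sample_profile(auth_mode):
    """Constructed minimal wired (LAN) profile; real exports carry EAPConfig etc.
    Pass None to omit the authMode element entirely."""
    auth = f"<authMode>{auth_mode}</authMode>" if auth_mode else ""
    return (
        '<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">'
        "<MSM><security><OneXEnforced>false</OneXEnforced><OneXEnabled>true</OneXEnabled>"
        f'<OneX xmlns="{ONEX_NS}">{auth}</OneX>'
        "</security></MSM></LANProfile>"
    )


if __name__ == "__main__":
    for mode in ("user", "machineOrUser", None):
        print(mode, "->", check_auth_mode(sample_profile(mode)))
```

On a real client, export the profile with `netsh lan export profile` (wired) or `netsh wlan export profile` (Wi-Fi) and feed the file contents to `check_auth_mode`.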
Original Message:
Sent: Nov 24, 2025 05:17 AM
From: alexs-nd
Subject: Windows doesnt use machine auth when user not logged in
Hi,
Got an annoying issue with Windows 10/11 using cert-based machine auth.
These are domain-joined clients configured via GPO push, which installs a client cert that is used for wired/wifi connectivity. It all works just fine and CPPM is set up to say
If Windows 10/11 and machine auth using issued cert then pass friend
else
drop device into captive portal.
This all works just fine. However it's a pain that an idle machine or one at a login prompt doesn't do cert-based auth, as you can see a client machine flipping between cert auth and being dropped into the captive portal.
I'm not involved in the Windows setup, but is there anything that can be set (in Win 11 now) that ensures cert-based machine auth is always used irrespective of whether the system is idle or has a user logged in?
Rgds
Alex
-------------------------------------------