topic ISE Provisioning Issues - Public Certificate & EAP-TLS in Network Access Control

ISE Provisioning Issues - Public Certificate & EAP-TLS

Kamran Barlas — Mon, 11 Mar 2019 02:57:18 GMT

Anyone run into the issues similar to the below?:

Public Certificate bound for HTTPS

Internal AD Certificate Bound for EAP

Issue is SPW or Native Supplicant will be provisioned with Root CA of Public Cert then SCEP enrolls EAP-TLS with Internal CA however as client device (ipad/iphone/android) doesnt get the Internal Root CA provisioned they will fail EAP-TLS communication

Running ISE 1.1.2 patch2, 2 node-cluster

Guest Portal being used for Provisioning if AD credentials passed

Works a treat if i bind both https & eap on the Internal identity ceritficate (only issue then is Guests/BYOD devices get Certificate Warnings on the portal)

Cheers

Kam

ISE Provisioning Issues - Public Certificate & EAP-TLS

Tarik Admani — Wed, 09 Jan 2013 16:00:11 GMT

Kamran,

Can you tell me where this is failing, i am having a hard time figuring out where you are getting stuck at...

Thanks,

Tarik Admani
*Please rate helpful posts*

ISE Provisioning Issues - Public Certificate & EAP-TLS

Kamran Barlas — Wed, 09 Jan 2013 16:18:37 GMT

the process doesnt fail as such for the onboarding/provisioning on the iphone, however the when entering domain credentials to the guest portal which intiates the onboarding/provisioning process, i notice the root CA certificate is prompted to be installed on the iphone is that of the public certificate instead of the internal root CA, the rest of the user certificate and scep process properly completes however as the root CA for the internal CA wasnt installed i get warnings when connect to our dot1x eap-tls SSID.

On other devices this process fails which i can only assume is down to the lack of internal root CA cert

so as per the above im pretty much following this (differentiated access via certificates) :

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf

however my setup is slighlty different as the EAP & HTTPS indentity certificate is not the internal, i have installed a public cert for HTTPS to remove certificate warnings on guest portal (as BYOD devices and guests will only have non-domain machines thus a public cert removes the certificate warnings)

does that clarify anymore?

Cheers

Kam

ISE Provisioning Issues - Public Certificate & EAP-TLS

Tarik Admani — Wed, 09 Jan 2013 16:28:53 GMT

Kamran,

That is correct, when you authenticate to the guest portal you are using the https interface to pass your credentials not eap.

In your case this does look like a bug, since most documented use cases show a single https certificate being used for both eap and https interfaces. However If you try to onboard the devices using PEAP do you get the proper certificate installed and does the error go away (my assumption is yes).

Also you may want to open a tac case and forward your findings over to them, since you would expect when provisioning the supplicant should allow the user to install the eap certificate, or even yet set the supplicant to trust the certificate of the eap interface in the profile.

I did a search for an open bug and could not track one, I also checked the documentation and it doesnt state this as being a limitation...

Please post back your results if/when you get a response from TAC.

Thanks,

Tarik Admani
*Please rate helpful posts*

ISE Provisioning Issues - Public Certificate & EAP-TLS

Kamran Barlas — Wed, 09 Jan 2013 20:29:30 GMT

onboarding with PEAP works but again the Public Certificate Root CA is delivered to the "onboarding/provisioning" device rather than the local CA (which has EAP "enabled"), and as PEAP only needs server side Cert to work, this works (providing the "trust for TLS" is ticked on Public ROOT Cert)

ideally i would love the EAP-TLS solution as this near enough provides a zero-touch solution for the clients, but needs to work via the provisioning methods else its unmanageble for BYOD devices, if you use local CA certificate your guests will get a Cert warning,

I'm not sure how people have got both onboarding working with both public and local Certs?

BTW i have logged a TAC call, lets see what they come back with, will update this thread if i get anything

Cheers

kam

ISE Provisioning Issues - Public Certificate & EAP-TLS

Kamran Barlas — Thu, 10 Jan 2013 21:40:10 GMT

Update: Cisco TAC can also replicate this issue in their lab, they have escalated to developers to confirm bug

Meanwhile I'm using peap mschapv2 with the public certificate

ISE Provisioning Issues - Public Certificate & EAP-TLS

Kamran Barlas — Thu, 17 Jan 2013 18:14:52 GMT

Update2: Cisco have filled a new bug / feature enhancement request:

After discussions with developers, I Have filled a new bug:

CSCue08551 - ISE Native Supplicant Provisioning doesn't include CA Cert for EAP TLS

Symptom:

ISE Client Provisioning (NSP) installs only the HTTPS Certificate which cause EAP-TLS authentication to fail.

Conditions:

EAP and HTTPS Functions on ISE use a different certificate

Workaround:

Use same certificate for HTTPS and EAP.

This will be treated as an enhancement, as the HTTPs needs to be included since it’s always used to establish the connection between the Wizard and ISE for SCEP Requests. Also, different ISE Policy nodes might have a certificate signed by a different CA. The fix would be to have an option on the NSP Profile to push additional CA Certificates.

Hope this helps someone

Cheers

Kam

ISE Provisioning Issues - Public Certificate & EAP-TLS

Tarik Admani — Fri, 18 Jan 2013 07:06:01 GMT

Thanks for following up on this, please mark this thread as resolved.

Tarik Admani
*Please rate helpful posts*