topic Hi Syed in Network Access Control

Cisco ISE1.4 802.1x EAP-TLS authentication with Windows 7, 10, Apple MAC OS

Syed Yasir Imam — Mon, 11 Mar 2019 07:42:00 GMT

Dear folks,

I need help for the list of useful hotfixes useful for EAP-TLS authentication using native supplicant

- Windows 10

- Apple MAC

If something like hotfix exists for Apple MAC OS!

I have found hotfixes required for Windows 7 @below.

https://supportforums.cisco.com/discussion/11916581/cisco-ise-8021x-eap-tls-list-applicable-hot-fixes

If this list requires update, please help!

Hi Syed

Mohamed Abd Elnaser Mohamed Mohamed Ali — Sun, 07 May 2017 20:55:38 GMT

Hi Syed

Can you elaborate if you have a problem Authenticating these Windows 10 machines to 802.1X network, I have customers deployed Windows 10 with Cisco ISE 1.4 using EAP-TLS as an inner method inside EAP-FAST as an outer method with EAP-Chaining enabled and it works fine with no problem taken into an account that the customer have a robust PKI infrastructure.

Currently i am not facing any

Syed Yasir Imam — Wed, 10 May 2017 20:40:39 GMT

Currently i am not facing any problem.....but experiencing with Windows 7.... installing patches and hotfixes resolves many issues...

Not yet experienced Apple MAC....not sure if something like that is good to install there as well!

Hi Syed

Mohamed Abd Elnaser Mohamed Mohamed Ali — Fri, 12 May 2017 08:38:27 GMT

Hi Syed

From my experience I would advice about two potential issues:

1- Machine Authentication failure for Windows 10:

The Local Security Authority (LSA) in Windows 10 provides clients like Cisco Network Access Manager with the Machine password encrypted which is an increased default security settings in Windows 8 or 10 / Server 2012. however this does fail Cisco Network Access Manager to use the machine Credential for Authentication and the entire machine authentication would fail.
This doesn't happen only if you are using machine credential for Authentication (like via PEAP(MSCHAPv2), EAP-FAST (MSCHAPv2)) but this would not happen if Machine authentication using Machine certificate (EAP-TLS or EAP-FAST (EAP-TLS))

The registry fix described in Microsoft KB 2743127 should be is applied to the client desktop. This fix includes adding a DWORD value LsaAllowReturningUnencryptedSecrets to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa registry key and setting this value to 1. This change permits Local Security Authority (LSA) to provide clients like Cisco Network Access Manager with the Machine password

here is also the Cisco Bug ID for this

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuw01496/?referring_site=bugquickviewclic

2- Take care if your are upgrading Windows 7 to Windows 10 (and not fresh installation) and you are using the Machine authentication via Machine Certificates (EAP-TLS) that sometimes the default imaging used by SCCM vendors to take a snapshot of a reference Machine and then apply the upgrade the machine certificates after the upgrade won't be valid for authentication.

This mostly happen due to missing or corrupted private keys that failed to be migrated as part of the Windows upgrade.

The solution is to delete the machine certificates (manually or via Script) before the Windows upgrade process starts and then once it joins the AD after the upgrade the certificates would be pushed successfully from the CA with Valid certificate keys (private + Public)

Dear,

Syed Yasir Imam — Mon, 12 Jun 2017 14:47:29 GMT

Dear,

Thanks for the response.

1- Seems like issue is when NAM is used. I am using Native...so doesnt bother me.

2- I will take care of upgrade, though not the issue yet.