<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Machine authentication using certificates in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964091#M404394</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Adil,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;There is a bug on the eap chaining which is not working at the moment, but instead of using eap chaining go ahead and use the anyconnect to set the credential for machine using certs and user using peap credentials and see if this resolves your issue. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You are correct and your use case is very simple. Can you post a screenshot of your authorization policies so I can take a look?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Tarik Admani &lt;BR /&gt;*Please rate helpful posts*&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Sat, 15 Sep 2012 05:42:45 GMT</pubDate>
    <dc:creator>Tarik Admani</dc:creator>
    <dc:date>2012-09-15T05:42:45Z</dc:date>
    <item>
      <title>Machine authentication using certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964068#M404356</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am facing this error while the machine authenticates against AD for wireless users. My requirement is users with corporate laptop get privileged vlan and BYOD should get normal vlan. I am using Cisco ISE 1.1.1 and configured authentication policies to differentiate clients based on corp asset and BYOD. Authentication policy result is identity sequence which uses certificate profile and AD. All corp laptops should be authenticated using certificates and then followed by AD user and pass. When I configure XP users to validate server certificate this error comes in ISE log "Authentication failed : 11514 Unexpectedly received empty TLS message; treating as a rejection by the client" and if I disable validate server certificate then this error "Authentication failed : 22049 Binary comparison of certificates failed".&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Any help??&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks in advance.&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 02:24:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964068#M404356</guid>
      <dc:creator>hardiklodhia</dc:creator>
      <dc:date>2019-03-11T02:24:31Z</dc:date>
    </item>
    <item>
      <title>Machine authentication using certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964069#M404357</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Does ISE have a signed certificate from the same internal CA as the laptops? &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also when the binary comparison of certificates failed message appears, this usually points to an internal issue where the machine certificates aren't being published to the AD user account for these computer objects. There should be a tab that will show the certificate issued to the computer account:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Here is an article that covers the steps on deploying computer certificates and having them pushed to AD - &lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-external-small" href="http://technet.microsoft.com/en-us/library/cc731242%28v=ws.10%29.aspx"&gt;http://technet.microsoft.com/en-us/library/cc731242%28v=ws.10%29.aspx&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;thanks,&lt;/P&gt;&lt;P&gt;Tarik Admani &lt;BR /&gt;*Please rate helpful posts*&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 10 Aug 2012 17:36:18 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964069#M404357</guid>
      <dc:creator>Tarik Admani</dc:creator>
      <dc:date>2012-08-10T17:36:18Z</dc:date>
    </item>
    <item>
      <title>Machine authentication using certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964070#M404358</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Tarik,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks for your reply.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Yes, ISE has a signed certificate from the same internal CA in ISE certificate store. I will ask AD authority to follow the process mentioned in the link and update you.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank You,&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 11 Aug 2012 13:35:02 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964070#M404358</guid>
      <dc:creator>hardiklodhia</dc:creator>
      <dc:date>2012-08-11T13:35:02Z</dc:date>
    </item>
    <item>
      <title>Re: Machine authentication using certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964071#M404359</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Just out of curiosity, did you set the certificate to the eap interface? I am trying to understand why the client is unable to verify the ise's cert.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Sent from Cisco Technical Support iPad App&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sun, 12 Aug 2012 10:05:36 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964071#M404359</guid>
      <dc:creator>Tarik Admani</dc:creator>
      <dc:date>2012-08-12T10:05:36Z</dc:date>
    </item>
    <item>
      <title>Re: Machine authentication using certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964072#M404360</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Tarik,&lt;/P&gt;&lt;P&gt;I have two CA server certificates installed in ISE. One is Public CA and the other is internal MS CA. I want corp assets to use MS CA and BYOD to use public CA. I have enabled EAP for public CA. So when I enable "Verify server certificate" check on client machine it rejects ISE and EAP does not establish but it works for BYOD. As I can only specify one CA for EAP, I have to disable server verification. It's understood that machine is supplying local MS CA certificate while ISE sends Public CA server certificate and EAP-TLS fails. But after disabling server verification, it gives error for binary comparison failed. Is it possible to use two different CA for two different authentication rules? Other thing is public cert for ISE is assigned by intermediate CA so I have installed intermediate cert chain certificate in ISE certificate store. Do I need to also install public Root CA cert in ISE certificate store? How should the chain be installed? Any sequence of uploading CA certs?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank You,&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 13 Aug 2012 09:27:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964072#M404360</guid>
      <dc:creator>hardiklodhia</dc:creator>
      <dc:date>2012-08-13T09:27:58Z</dc:date>
    </item>
    <item>
      <title>Machine authentication using certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964073#M404361</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You cannot assign to interfaces for eap management, however why would you use the public CA for eap authentication? Are your external users using dot1x to authenticate to the network?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Tarik Admani &lt;BR /&gt;*Please rate helpful posts*&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 13 Aug 2012 16:24:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964073#M404361</guid>
      <dc:creator>Tarik Admani</dc:creator>
      <dc:date>2012-08-13T16:24:59Z</dc:date>
    </item>
    <item>
      <title>Machine authentication using certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964074#M404362</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The requirement: 1: corp asset + AD user/pass = full access, 2: BYOD + AD user/pass = partial access. Both using EAP and same ssid. I have configured authentication policy based on this requirement using identity source sequence which has certificate profile (which checks certificate against AD) and AD external database for username and pass verification. AD guys have made changes according to microsoft doc but still same error. Am I missing something somewhere???&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 13 Aug 2012 16:40:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964074#M404362</guid>
      <dc:creator>hardiklodhia</dc:creator>
      <dc:date>2012-08-13T16:40:41Z</dc:date>
    </item>
    <item>
      <title>Machine authentication using certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964075#M404363</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;See if publishing a new certificate for the endpoint then publishes the certificate in AD.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Tarik Admani &lt;BR /&gt;*Please rate helpful posts*&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 13 Aug 2012 16:53:06 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964075#M404363</guid>
      <dc:creator>Tarik Admani</dc:creator>
      <dc:date>2012-08-13T16:53:06Z</dc:date>
    </item>
    <item>
      <title>Machine authentication using certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964076#M404364</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Tried that as well but not working. Surely looks like some problem with AD config. But if the certificate profile passes then will it check username and password against AD? Thanks for your support.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 13 Aug 2012 17:31:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964076#M404364</guid>
      <dc:creator>hardiklodhia</dc:creator>
      <dc:date>2012-08-13T17:31:38Z</dc:date>
    </item>
    <item>
      <title>Machine authentication using certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964077#M404365</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;No,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It does a binary comparison of the certificate that is presented from the client with the certificate that is issued to the same user in AD in order to verify that the cert is correct.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Tarik Admani &lt;BR /&gt;*Please rate helpful posts*&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 13 Aug 2012 17:36:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964077#M404365</guid>
      <dc:creator>Tarik Admani</dc:creator>
      <dc:date>2012-08-13T17:36:48Z</dc:date>
    </item>
    <item>
      <title>Machine authentication using certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964078#M404366</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;That means machine and user authentication is not done at the same time??? It will check only machine name instead of username in AD database for certificate verification. Then how can user authentication be achieved after machine authentication??&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 13 Aug 2012 17:46:04 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964078#M404366</guid>
      <dc:creator>hardiklodhia</dc:creator>
      <dc:date>2012-08-13T17:46:04Z</dc:date>
    </item>
    <item>
      <title>Machine authentication using certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964079#M404368</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;There are two separate processes when it comes to machine and user authentication. If you are using the default windows supplicant, the authentication attempt for machine authentication is usually attempted at boot up, or when you log off, or when you log on to the device. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;User authentication occurs after you provide the credentials to login to the client.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The supplicant has to send the machine credential and user credential for this to work. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Tarik Admani &lt;BR /&gt;*Please rate helpful posts*&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 13 Aug 2012 17:51:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964079#M404368</guid>
      <dc:creator>Tarik Admani</dc:creator>
      <dc:date>2012-08-13T17:51:54Z</dc:date>
    </item>
    <item>
      <title>Re:Machine authentication using certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964080#M404370</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Will both work with MS XP default supplicant? any document ... Thanks again for your support.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Sent from Cisco Technical Support Android App&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 13 Aug 2012 19:48:08 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964080#M404370</guid>
      <dc:creator>hardiklodhia</dc:creator>
      <dc:date>2012-08-13T19:48:08Z</dc:date>
    </item>
    <item>
      <title>Re:Machine authentication using certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964081#M404373</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Here is the documentation for windows xp sp 3:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-external-small" href="http://support.microsoft.com/kb/929847"&gt;http://support.microsoft.com/kb/929847&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Please don't forget to rate helpful posts and also mark this thread as resolved when you get a chance.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Tarik Admani &lt;BR /&gt;*Please rate helpful posts*&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 13 Aug 2012 19:53:27 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964081#M404373</guid>
      <dc:creator>Tarik Admani</dc:creator>
      <dc:date>2012-08-13T19:53:27Z</dc:date>
    </item>
    <item>
      <title>Re:Machine authentication using certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964082#M404375</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Tarik, Certificate check is working now. But as I suspected earlier, machine AND user authentication is not working. If I set XP supplicant authmode to use machine only authentication then machine gets authenticated against certificate profile and ISE assigns authorisation profile without checking username and password, which is not desirable. If I set XP authmode to "Always perform user authentication when user logs on" then I can see machine authenticates in ISE but after login with AD username and password, connection doesn't come up and XP pops up with "windows cant find user cert" error. How to make user and machine authentication work at the same time? One more thing I noticed is that after machine authentication, EAP is not challenging for username and password. I have enabled MAR in ISE. Am I missing something? Thanks in advance and I will surely rate your posts.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 14 Aug 2012 14:40:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964082#M404375</guid>
      <dc:creator>hardiklodhia</dc:creator>
      <dc:date>2012-08-14T14:40:07Z</dc:date>
    </item>
    <item>
      <title>Machine authentication using certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964083#M404377</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This is a limitation on the native supplicant, when you enable smart card or certificate authentication for the network connection, then it tries to use this for both machine and user authentication. It does not allow you to use certificate authentication for machine auth, and password authentication for user authentication.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You can use anyconnect network access manager (which is free if you have a cisco wireless network) and not only does it allow you to set which type of authentication you want (certificate for machine and password for user) but it has a new feature out which is called eap chaining. Eap chaining is a powerful option because you can choose the order (machine first then user) when the client connects to the network. No longer do you have to stress about the machine authentication timers and wondering what is the best fit when it comes to users logging in and out of their machines in order to update the machine authentication cache in ISE. However eap chaining uses eap-fast, which is a pac-based authentication framework.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Here is the latest release note about this feature (currently in beta):&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp998871"&gt;http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp998871&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Tarik Admani &lt;BR /&gt;*Please rate helpful posts*&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 14 Aug 2012 15:19:21 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964083#M404377</guid>
      <dc:creator>Tarik Admani</dc:creator>
      <dc:date>2012-08-14T15:19:21Z</dc:date>
    </item>
    <item>
      <title>Re:Machine authentication using certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964084#M404379</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Tarik, thanks for your support. I will try Anyconnect and hope we can achieve machine and user authentication at the same time before ISE applies authorisation profile/rules.&lt;/P&gt;&lt;P&gt;Thank you.&lt;/P&gt;&lt;P&gt;Sent from Cisco Technical Support Android App&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 15 Aug 2012 20:21:16 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964084#M404379</guid>
      <dc:creator>hardiklodhia</dc:creator>
      <dc:date>2012-08-15T20:21:16Z</dc:date>
    </item>
    <item>
      <title>Re:Machine authentication using certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964085#M404381</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Tarik,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have tried using Cisco Anyconnect NAM on Windows XP for machine and user authentication but EAP-chaining feature is not working as expected. I am facing a few challenges. I have configured NAM to use eap-fast for machine and user authentication and ISE is configured with required authorisation rule and profiles/results. When the machine boots up it sends machine certificate and gets authenticated against AD and ISE matches the authorisation rule and assigns authZ profile without waiting for user credentials. Now when a user logs on using AD user/pass, authentication fails as the VLAN assigned in AuthZ profile does not have access to AD. ISE should actually check with their external database but it's not. Interestingly, if I login with an AD user which is local to the machine it gets authenticated and gets correct AuthZ profile/access level. If I logoff and login with different user, Windows adapter gets IP address and ISE shows successful authentication/authz profile but NAM agent prompts limited connectivity. Any help??&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 28 Aug 2012 15:49:29 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964085#M404381</guid>
      <dc:creator>hardiklodhia</dc:creator>
      <dc:date>2012-08-28T15:49:29Z</dc:date>
    </item>
    <item>
      <title>Re:Machine authentication using certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964086#M404384</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;DIV&gt;&lt;P&gt;Hi [answers are inline]&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I&amp;nbsp; have tried using Cisco Anyconnect NAM on Windows XP for machine and&amp;nbsp; user authentication but EAP-chaining feature is not working as expected.&amp;nbsp; I am facing a few challenges. I have configured NAM to use eap-fast for&amp;nbsp; machine and user authentication and ISE is configured with required&amp;nbsp; authorisation rule and profiles/results. When the machine boots up it sends&amp;nbsp; machine certificate and gets authenticated against AD and ISE matches&amp;nbsp; the authorisation rule and assigns authZ profile without waiting for&amp;nbsp; user credentials. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;This is expected for machine authentication, since the client hasn't logged in machine authentication will succeed so the computer has connectivity to the domain.&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Now when a user logs on using AD user/pass,&amp;nbsp; authentication fails as the VLAN assigned in AuthZ profile does not have&amp;nbsp; access to AD. ISE should actually check with their external database&amp;nbsp; but it's not. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Do you see the authentication report in ISE? Keep in mind that you are authenticating with a client that has never logged into the workstation before. I am sure you are looking for the feature which starts the NAM process before the user logs in. 
Try checking this option here:&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;&lt;A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac04namconfig.html#wp1074333"&gt;http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac04namconfig.html#wp1074333&lt;/A&gt;&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;EM style="text-decoration: underline; "&gt;&lt;STRONG&gt;Note the section below:&lt;/STRONG&gt;&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;EM style="text-decoration: underline; "&gt; &lt;STRONG&gt;–&lt;IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" width="17" /&gt;Before&amp;nbsp; User Logon—Connect to the network before the user logs on. The user&amp;nbsp; logon types that are supported include user account (Kerberos)&amp;nbsp; authentication, loading of user GPOs, and GPO-based logon script&amp;nbsp; execution. &lt;/STRONG&gt;&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;EM style="text-decoration: underline; "&gt;&lt;STRONG&gt; &lt;A name="wp1195735"&gt;&lt;/A&gt; &lt;/STRONG&gt;&lt;/EM&gt;&lt;P&gt;&lt;EM style="text-decoration: underline; "&gt;&lt;STRONG&gt; If you choose Before User Logon, you also get to set Time to Wait Before Allowing a User to Logon: &lt;/STRONG&gt;&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;EM style="text-decoration: underline; "&gt;&lt;STRONG&gt; &lt;A name="wp1140977"&gt;&lt;/A&gt;&lt;A name="wpmkr1174559"&gt;&lt;/A&gt; &lt;/STRONG&gt;&lt;/EM&gt;&lt;P&gt;&lt;EM style="text-decoration: underline; "&gt;&lt;STRONG&gt; Time to Wait Before Allowing User to Logon—Specifies the maximum (worst&amp;nbsp; case) number of seconds to wait for the Network Access Manager to make a&amp;nbsp; complete network connection. If a network connection cannot be&amp;nbsp; established within this time, the Windows logon process continues with&amp;nbsp; user log on. 
The default is 5 seconds. &lt;/STRONG&gt;&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;EM style="text-decoration: underline; "&gt;&lt;IMG src="http://www.cisco.com/en/US/i/templates/note.gif" /&gt;&lt;/EM&gt;&lt;/P&gt;&lt;HR /&gt;&lt;P&gt;&lt;/P&gt;&lt;EM style="text-decoration: underline; "&gt; &lt;A name="wp1172420"&gt;&lt;/A&gt; &lt;/EM&gt;&lt;P&gt;&lt;EM style="text-decoration: underline; "&gt; &lt;STRONG&gt;Note &lt;IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" width="6" /&gt;If the Network Access Manager is configured to manage wireless connections, set Time to wait before allowing user to logon to 30 seconds or more because of the additional time it may take to&amp;nbsp; establish a wireless connection. You must also account for the time&amp;nbsp; required to obtain an IP address via DHCP. If two or more network&amp;nbsp; profiles are configured, you may want to increase the value to cover two&amp;nbsp; or more connection attempts. &lt;/STRONG&gt;&lt;/EM&gt;&lt;/P&gt;&lt;/DIV&gt;&lt;DIV&gt;&lt;BR /&gt;&lt;P&gt;&lt;STRONG&gt;You will have to enable this setting to allow the supplicant to connect to the network using the credentials you provide, the reason for this is you are trying to authenticate a user that has never logged into this workstation before. Please make changes to the configuration.xml file, and then select the repair option on the anyconnect client and test again.&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Interestingly, if I login with an AD user which is local to&amp;nbsp; the machine it gets authenticated and gets correct AuthZ&amp;nbsp; profile/access level. If I logoff and login with different user, Windows&amp;nbsp; adapter gets IP address and ISE shows successful authentication/authz&amp;nbsp; profile but NAM agent prompts limited connectivity. 
Any help??&lt;/P&gt;&lt;/DIV&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Please make the changes above and see if the error message goes away.&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Tarik Admani &lt;BR /&gt;*Please rate helpful posts*&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 28 Aug 2012 16:17:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964086#M404384</guid>
      <dc:creator>Tarik Admani</dc:creator>
      <dc:date>2012-08-28T16:17:33Z</dc:date>
    </item>
    <item>
      <title>Machine authentication using certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964087#M404386</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks for your help Tarik,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have changed the NAM profile as you suggested but still only one user can login successfully. When I login with a different user it is still not working. However, ISE authentication logs show successful with correct Authz profile. NAM still throws the same error "limited connectivity".&lt;/P&gt;&lt;P&gt;Thanks in advance.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 28 Aug 2012 16:59:06 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/machine-authentication-using-certificates/m-p/1964087#M404386</guid>
      <dc:creator>hardiklodhia</dc:creator>
      <dc:date>2012-08-28T16:59:06Z</dc:date>
    </item>
  </channel>
</rss>

