topic ISE and EAP-TLS in Network Access Control

ISE and EAP-TLS

M. Wisely — Mon, 11 Mar 2019 02:22:14 GMT

We're planning on implementing eap-tls for our corporate iPads and in the past I've successfully tested it authenticating against ACS5.3 but now that we've moved to ISE (1.1.1.24) I'm getting an error.

22045 Identity policy result is configured for password based authentication methods but received certificate based authentication request

I've tried two different profiles, one with a certificates and AD credentials and the other one with just certificates but the error message is the same for both.

EAP-TLS is enabled in the 'Default Network Access' authentication result.

Can anyone shine a light on where I'm going wrong?

Thanks

Martin

ISE and EAP-TLS

jrabinow — Wed, 01 Aug 2012 10:48:35 GMT

You need to define a certificate authentication profile and then select this as the result (Identity Source) in the authentication policy

You can create a certicate authentication profile at: Administration->Identity management->External Identity Sources->Certificate Authentication Profile

There error you are seeing occurs when trying to "authenticate" the request based on a clinet certifcate but result is an identity store (AD, LDAP etc)

Re: ISE and EAP-TLS

Tarik Admani — Wed, 01 Aug 2012 10:49:32 GMT

Martin,

If you go the authentication policy page and expand your rules you can choose the result to be certificate authentication profile that you created.

If you have a mixture of peap or other password based methods, your best option is to create an identity sequence store. This allows you to use a certificate authentication profile along with a list of databases for password based authentication also. One you create this rule, go back to authentication policies and set this as the result and you should be good to go.

Thanks,

Tarik

Sent from Cisco Technical Support iPad App

ISE and EAP-TLS

M. Wisely — Mon, 06 Aug 2012 15:32:49 GMT

Thanks for your help so far Tarik and jrabinow I'm no longer getting that message, instead I'm getting the following message when I try to connect:

12519 EAP-TLS failed SSL/TLS handshake because of an unsupported certificate in the client certificate chain

We're using MS certificate services, the ipad has the root CA certificate and the active ca services server certificate as well as the user certificate. The ISE has a certificate generated on the active cert services server and also has the root CA certificate in it's certificate store.

All the certificates seem to be valid back to the root CA certificate.

Any ideas?

Thanks

Martin

ISE and EAP-TLS

Tarik Admani — Mon, 06 Aug 2012 15:47:00 GMT

Martin,

Do you have any intermediate certificates? If so, then you will have to import those in to the ISE certificate trusted certificate store, and you will have to select the checkbox "Trust for client with eap-tls"

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html#wp1053515

Thanks,

Tarik Admani
*Please rate helpful posts*

ISE and EAP-TLS

M. Wisely — Tue, 07 Aug 2012 07:37:47 GMT

We've got 1.1 so the options are a bit different but I've installed the root certificate and the ca server certificate on ISE in the certificate store and 'Trust for client authentication' is enabled.

There is a sub-option 'Enable Validation of Certificate Extensions (accept only valid certificate)' that I enabled when I installed the certificate but when I look at it now it's greyed out.

In addition the primary and secondary ISE certificates also has the trust option enabled.

Thanks

Martin

ISE and EAP-TLS

Tarik Admani — Tue, 07 Aug 2012 07:41:10 GMT

Can you post a screeshot of the certificate that is installed on the Ipad? Also post a screenshot of the certificate on ISE. I would like to see the serial numbers of the root to see if they are identical.

Thanks,

Tarik Admani
*Please rate helpful posts*

Re: ISE and EAP-TLS

M. Wisely — Tue, 07 Aug 2012 09:02:14 GMT

Screenshots attached

Thanks

Martin

ISE and EAP-TLS

Tarik Admani — Tue, 07 Aug 2012 10:39:02 GMT

Thanks Martin,

Can you get me the screenshot of the root certificate that is installed on the ipad, along with another screenshot of the user certificate (I will like to see the "issued to" and "issued by" attributes)

Thanks,

Tarik Admani
*Please rate helpful posts*

Re: ISE and EAP-TLS

M. Wisely — Tue, 07 Aug 2012 12:40:16 GMT

Tarik

The root certificate on the iPad is the same as the root certificate on the ISE, see the attached images.

Thanks

Martin

ISE and EAP-TLS

Tarik Admani — Tue, 07 Aug 2012 17:03:11 GMT

Martin,

There seems to be an intermediate certificate or you have the wrong root certificate imported into the ISE. Can you click on the certificate path (top right tab). Take a look at the "issued by" field in the usercert.png and then look at the name of the root certs that you attached. The signer of your user cert is NHSG-CS-01, the root cert on the ISE node is NHSG-CS-ROOT.

Thanks,

Tarik Admani
*Please rate helpful posts*

Re: ISE and EAP-TLS

M. Wisely — Wed, 08 Aug 2012 08:05:06 GMT

Tarik

NHSG-CS-01 is the active CS server that issued the certificate, NHSG-CS-ROOT is off at the recommendation of a microsoft employee when she helped our server team setup CS an so can't issue certificates.

The NHSG-CS-01 certificate is on both the iPad and ISE and on the ISE it's enabled for authentication.

Thanks

Re: ISE and EAP-TLS

M. Wisely — Wed, 08 Aug 2012 12:44:45 GMT

Tarik

So I removed NHSG-CS-ROOT from both the iPad profile and the ISE certificate store leaving the ipad with only the personal certificate and the NHSG-CS-01 certificate.

The ISE certificate store now has with both primary and secondary ISE certificates and the NHSG-CS-01 certificate.

For the two ISE certificates I've unchecked the 'Trust for client authentication' check boxes so the only certificate in the certificate store that has that check box checked is NHSG-CS-01.

Authentication is still failing with the same message about the unsupported certificate.

Interestingly each time I appy the policy to the ipad and try to connect wirelessly it prompts to accept the primary ISE certificate that was issued by NHSG-CS-01, that shouldn't be happening should it?

Thanks

Martin

ISE and EAP-TLS

Tarik Admani — Wed, 08 Aug 2012 14:43:57 GMT

Martin,

Please post the certificate path using windows so I can see the whole path of the user cert and the full details of it also (I need to see the key usage and enhanced key usage). Also I need to see the full details of the NHSG-CS-01 (path and key usage and enhanced key usage). It may be that you are using a signing certificate to issue this cert and that might not be supported since we need server authentication OID to present in order to use certificate based authentication.

http://www.cisco.com/en/US/docs/security/ise/1.0/install_guide/ise10_vmware.html#wp1053064

take a look at figure 4-3 for this setting on the vmswitch.

Thanks,

Tarik Admani
*Please rate helpful posts*

Re: ISE and EAP-TLS

M. Wisely — Thu, 09 Aug 2012 08:27:15 GMT

Tarik

I've attached the path detail, etc.

There was no extended key usage in the NHSG-CS-01 certificate, key usage was Digital Signature, Certificate Signing, Off-line CRL Signing and CRL Signing (86).

In the personal certificate the key usage was Digital Signature, Key Encipherment (a0) and the enhanced key usage was Server Authentication.

Thanks

Martin

ISE and EAP-TLS

Tarik Admani — Thu, 09 Aug 2012 13:18:24 GMT

Martin,

Then that makes sense, since the ISE uses certificate based authentication when using eap-tls the certificate doesnt have the OIDs to support certificate based authentication. Here is a guide that shows the requirements needed in order to authenticate clients via certificates:

http://support.microsoft.com/kb/814394

Here is the comment in the article in this case the IAS is the radius server and the same holds true for ISE:

The IAS or the VPN server computer certificate is configured with the Server Authentication purpose. The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1.

Here is the Cisco eap-tls deployment guide which references the same as above:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml#wp39121

Thanks,

Tarik Admani
*Please rate helpful posts*

Re: ISE and EAP-TLS

M. Wisely — Thu, 09 Aug 2012 13:56:54 GMT

Tarik,

Thanks for your help, that makes sense even to me now that you've pointed it out. I know very little about certificates.

I've asked one of my colleagues in our server team to add the usage to the template and once he does I'll test and update this discussion.

Thanks

Martin

Re: ISE and EAP-TLS

M. Wisely — Fri, 10 Aug 2012 15:06:48 GMT

Tarik,

Annoyingly we've now got a client certificate with client authentication and server authentication as the enhanced key usage but we're now hitting a different error message, 22047 "Principal username attribute is missing in client certificate".

So the client certificate has the extended attributes of Server Authentication and Client Authentication.

Thanks

Martin

ISE and EAP-TLS

Tarik Admani — Fri, 10 Aug 2012 16:48:13 GMT

Martin,

Can you please post a screenshot of you user cert. If there isnt a prinicpal username then we need to see if the subject alternative name contains the correct format of the username.

Thanks,

Tarik Admani
*Please rate helpful posts*

ISE and EAP-TLS

M. Wisely — Mon, 13 Aug 2012 08:01:26 GMT

Tarik

You're right, there is no subject alternative name (or principal name) on my user certificate so I had a look at a certificate I generated from the User template and it does have a subject alternative name which contains:

Other Name:

Principal Name=@

RFC822 Name=

I presume thats what should be in the personal certificate I generate for the iPad?

Thanks

Martin