topic Re: Multiple Client Certificates in Network Access Control

Multiple Client Certificates

fatalXerror — Wed, 24 Jul 2019 10:18:15 GMT

Hi Guys,

I have machine and user authentication using MAR in place.

I have multiple certificates with the same CA-signed in my endpoint's certificate store (computer and user) and sometimes the endpoint uses a different certificate for the EAP authentication.

How can I configure the endpoint to use a specific certificate for EAP authentication? I am using Windows 10 and ISE 2.4.

Thanks

Re: Multiple Client Certificates

Surendra — Thu, 25 Jul 2019 02:43:26 GMT

Check this out : https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj200227(v=ws.11)

For user certificates, Windows prompts the user to make a manual selection of which certificate to use. For computer certificates, the certificate with the highest weight is selected. If the selected certificate is the incorrect certificate for the connection, authentication fails. These filtering mechanisms are very rudimentary and user intervention is still required in most cases.

This is interesting but not sure if it applies for machine authentication in Windows :

Certificate weight as a filtering mechanism
When a Smart Card certificate is used for Pre-Logon-Access Provider (PLAP) scenarios, the weight of the certificate is also used for filtering. The weight of a certificate is determined by the certificate revocation list Distribution Point (CDP) and by the Authority Information Access (AIA) properties that are present in the certificate. AIA has a weight of 2 and CDP has a weight of 1. If both properties are present then Windows adds their weights together to determine the certificate weight. After this process, Windows selects and uses the certificate that has the highest weight value.

Re: Multiple Client Certificates

fatalXerror — Wed, 24 Jul 2019 11:00:10 GMT

Hi @Surendra ,

Thanks for the feedback.

I cannot open the link it says 404- Content Not Found.

Technically, Windows 10 cannot do it automatically? I mean without user intervention?

How about the Simple Certificate Selection (Advanced Setting), will it help?

Thanks

Re: Multiple Client Certificates

Surendra — Wed, 24 Jul 2019 11:30:42 GMT

I think in the URL there is ")" missing in the end when you click from this page. Anyways, SCS does not help specify a specific certificate to be used rather it simplifies the selection by showing only the relevant certificates to choose from and ordering those certificates smartly. It still involves user intervention.

Re: Multiple Client Certificates

fatalXerror — Wed, 24 Jul 2019 11:44:26 GMT

Hi @Surendra ,

Thanks for the help.

Technically, it seems to be a limitation in the endpoint side.

thanks