topic Re: EAP-TLS with multiple domains? in Network Access Control

EAP-TLS with multiple domains?

VS — Sun, 09 Dec 2018 14:39:12 GMT

Hello,

I have an ISE 2.2 p9 deployment. domain1.com AD joined to ISE and working well for our users. Another domain2.com is also connected to ISE as we use 2-way trust between domain1.com and domain2.com.

domain1.com uses PEAP - this is our organization, we have the AD/CA certificates etc all configured and everything is fine.

But domain2.com is another organization, their laptops are set to use EAP-TLS. When they authenticate with our SSID we get error in ISE "12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain".

As I understand I just need to download CA certificate from http://domain2.com/certsrv and import it in ISE.

Is there any additional step? Do I need to do the CSR process as well with their MS CA server?

Will my ISE services restart?

Re: EAP-TLS with multiple domains?

Surendra — Sun, 09 Dec 2018 15:48:56 GMT

The only requirement is that your ISE server certificate needs to be trusted by the client and the client certificate needs to be trusted by ISE.

Importing the domain2 CA cert should be fine as long as all those clients are issued a certificate from domain2.com. Your client seems to trust ISE server certificate given that ISE sends the server certificate first and then client responded by with it's certificate.

ISE services will not restart if you just import a CA certificate.

Re: EAP-TLS with multiple domains?

VS — Fri, 14 Dec 2018 11:27:56 GMT

Thank you very much @Surendra, it started to work after importing the CA cert. From security perspective, am I supposed to do AD lookup too after the EAP-TLS machine/user cert check goes through?

Whats the best practice?

I am blanking at the moment, but what will happen if a user copies the certificate from their corporate laptop onto their personal laptop (assuming they have the smarts to use the same hostname as well)?

Re: EAP-TLS with multiple domains?

paul — Fri, 14 Dec 2018 13:50:31 GMT

You can do an AD check from the information contained in the certificate, usually using the SAN field in the cert. The hostname of the device doesn't matter. If a user is able to export the certificate and private key (you need the private key to use a certificate to authenticate) from their corporate device they can use it to get any other device on the network. Your certificate policies should mark the key as non-exportable. Some OS types don't respect the do not export flag or if the user has knowledge there is way to get around the do not export flag.