topic Re: CERTIFICATE ERROR ON WINDOWS 8.1 PC CONCERNING EAP AUTH in Network Access Control

CERTIFICATE ERROR ON WINDOWS 8.1 PC CONCERNING EAP AUTH

Equipe Telecommunications — Fri, 05 Jan 2018 21:14:56 GMT

ISE node: 2 node deployment

Version: 2.2 patch3

Certificate (Entrust): Here the certificate view on ISE system certificat item

It's a wilcard SAN certificate:

exemple

CN: exemple.domain.com

SAN:

exemple.domain.com (DNS)

*.domain.com (DNS)

*.anotherdomain.com (DNS)

The Sponsor portal, Guest POrtal, admin Portal use the certificate without any issue (SSL/TLS)

EAP auth. on Android endpoints is working ok.

Windows 8.1 PCs are not trusting the certificate.

WHY ? HELP

Another détails:

Windows PC error from client side

The error detail from the Windows log store (Eap host)

I've verified the points of the follow link:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/200295-Install-a-3rd-party-CA-certificate-in-IS.html#anc1

1- Verify ISE is passing the full certificate chain during the SSL handshake process. ok

2-Open each certificate (server, intermediate and root) and verify chain of trust by matching the Subject Key Identifier (SKI) of each certificate to the Authority Key Identifier (AKI) of the next certificate in the chain. OK

3-the next step is to verify that the Root and(or) Intermediate certificates are in the client Local Trust Store. OK

Re: CERTIFICATE ERROR ON WINDOWS 8.1 PC CONCERNING EAP AUTH

hslai — Fri, 05 Jan 2018 23:42:15 GMT

Is this PEAP/MSCHAPv2? Or, is it EAP-TLS? Is the connection failure after clicking on "Continue"? Have you tried other Windows client O/S, such as Windows 7 or Windows 10?

Sorry, I can't read French much, so can't tell what the windows errors are.

Re: CERTIFICATE ERROR ON WINDOWS 8.1 PC CONCERNING EAP AUTH

ognyan.totev — Mon, 08 Jan 2018 07:25:03 GMT

It is a client machine i think this is normal . How a create a certificate profile ?

This is simple example.

Re: CERTIFICATE ERROR ON WINDOWS 8.1 PC CONCERNING EAP AUTH

Equipe Telecommunications — Mon, 08 Jan 2018 14:00:47 GMT

It's PEAP/MSCHAPv2. After clicking on continue the connexion works ok.

The message in french is the answer of the Windows 802.1x supplicant when It's not able to trust the certificate following the notification option configured on supplicant. Here below, the default option on Windows 8.1 Under (Notifications avant la connexion: Informer l'utilisateur si le nom du server.....). In brief, the supplicant has to notify the client to trust or not the connexion in case of server certificate error. This is a confirmation of my certificate issue. If I take off the server identity validation item on supplicant, the connexion takes place without error.

Re: CERTIFICATE ERROR ON WINDOWS 8.1 PC CONCERNING EAP AUTH

Equipe Telecommunications — Mon, 08 Jan 2018 14:02:43 GMT

I'm using a user authentication PEAP/MSCHAPv2 (non machine authentication).

Re: CERTIFICATE ERROR ON WINDOWS 8.1 PC CONCERNING EAP AUTH

hslai — Mon, 08 Jan 2018 18:00:34 GMT

Therefore, it is expected. If you want to validate the server identity, then please ensure the root CA certificate is in the trusted root CA store on the client, showing up as one of the authorities in the properties screen, and selected.

The screenshot from a Windows-7 client below shows "root-CA" selected, as that is the one used to issue the ISE certificates in our lab.