topic Re: BYOD and how Windows chooses certificate in Network Access Control

BYOD and how Windows chooses certificate

Philip Vilhelmsson — Tue, 19 May 2020 08:37:35 GMT

Hi,

I am trying dual SSID BYOD for eduroam and I have run in to some issues. We have one usecase that our internal laptops should be able to use this SSID. However the computers already have a user certificate on them (for Exchange) that has the same CN (firstname.lastname@email.com) as the certificate that ISE provides.

I have noticed that Windows choosed the wrong certificate for the EAP-TLS authentication.

Is there a way to choose in the settings that the ISE push to the client what certificate should be used?

Or can we modify the CN in the cert that ISE pushes to the client?

Regards

Philip

Re: BYOD and how Windows chooses certificate

Mohammed al Baqari — Tue, 19 May 2020 10:26:05 GMT

Hi,

What you can do is to use NAM editor (if you use anyconnect NAM) and in the
profile you can define the certificate to be used.

Otherwise, you need to configure BYOD portal in order to register the
devices. Part of the Registration is to provide the devices with a
certificate from ISE (if you use ISE internal CA). In the same BYOD portal
you can configure the supplication profile to use this certificate. This
certificate will be used for next authentication with ISE.

See this

https://community.cisco.com/t5/security-documents/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867#toc-hId--1166792909

**** please remember to rate useful posts

Re: BYOD and how Windows chooses certificate

Philip Vilhelmsson — Wed, 20 May 2020 13:12:36 GMT

Hi,

I have configured BYOD portal according to the guide and the client gets certificate from the internal ISE CA. But after the onboarding process the client can't connect to the SSID.

The ISE log say "12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain".

In the client certificate store I see two certificates. Both with the same CN, both are for "Client authentication". One is issued from ISE, the other from Skype. If I remove the certificate from Skype then the 802.1x authentication works. But the Skype cert is automatcaly installed on the client everytime we start Skype, and as soon as it is back the authentication will stops working (next time the client tries to connect to the SSID.

I have checked the settings in the profile that gets downloaded to the client, but I can not see anywhere that I can force what certificate to be used.

Re: BYOD and how Windows chooses certificate

Greg Gibbs — Thu, 21 May 2020 01:23:10 GMT

When you have more than one user certificate in the client's store that both have the required attributes for 802.1x authentication, I believe Windows favours the oldest certificate to present for 802.1x when 'simple certificate selection' is enabled. Windows 10 added the ability to use certificate matching conditions to define which certificate will be presented for 802.1x, but the ISE Native Supplicant Provisioning does not have the ability to control this.

You would either need to educate your BYOD users on how to configure the certificate matching, or have Windows prompt them for the certificate to use for 802.1x.

For the latter, you could try disabling the 'Do not prompt user to authorize new servers..' option in your NSP profile in ISE to see if the user is then prompted for the certificate to use.