topic Public cert issue with Windows. in Network Access Control

Public cert issue with Windows.

Dustin Anderson — Mon, 16 Aug 2021 16:28:45 GMT

So, with the push with Android to require public certs, we are testing using a public cert for ISE, but as EAP is an all or nothing, we are seeing an issue with our wired devices.

We are testing setting 802.1x to trust Comodo CA for certs, but see mixed results.

info on out setup,

1: All ports start with an ACL on the switch called unauth that blocks most except AD controllers until authenticated.

2: PCs are in a user or computer auth so ISE can see if the PC is domain joined.

With Comodo checked on the PC, we can see the PC itself auth, but when a user logs in, it gets stuck, or fails auth. From a pcap, I can see the PC trying to go out to ocsp.comodoca.com, but the unauth ACL blocks this. The weird thing is if you let it sit for a min or so before logging in, it will usually work.

So, my question is I can't be the only one to use/try public certs. How do you fix the issue? Tell the PCs to not validate? Give them internet access to validate?

One thing I see is OCSP Stapling, but it looks like this is not supported in ISE.

Re: Public cert issue with Windows.

hslai — Wed, 18 Aug 2021 06:04:17 GMT

If you are able to give access to the OCSP URL, please try that. Also, please give this feedback to Microsoft.

On OCSP stapling, it seems still early days, per CRL or OSCP checking from the client during dot1x :

...

OCSP stapling can be used to supply the OCSP status as part of the server certificate response. This is part of EAP-TLS with TLS 1.3.

...

Re: Public cert issue with Windows.

Dustin Anderson — Wed, 18 Aug 2021 19:33:03 GMT

Thanks, I was afraid of that, but may be the only option. As an ACL can not do FQDN, I may have to give them port 80 access and use the firewall to do the FQDN access.

All this cause android is starting to force cert validation.