topic Re: Behavor differtent user Ise certificates in Network Access Control

Behavor differtent user Ise certificates

athan1234 — Mon, 13 Mar 2023 11:42:46 GMT

Hello

Someone please explain the issue with Eap-Tls.

Re: Behavor differtent user Ise certificates

Milos_Jovanovic — Fri, 25 Nov 2022 19:50:19 GMT

How did you configure workstation? Have you hardcoded that it should use certificate or username/password? Have you hardcoded it to use user or machine identity?

Your last screenshot, ISE Authorization policy is not visible, so I don't see the condition you setup. Based on your successfull tests, and given both PEAP and EAP-TLS are successfull and a fact that same authorization rule is being hit, I would assume that authorization policy does not restrict one or another.

Also, in the authentication policy, Continue condition is normally used for MAB, not for 802.1x scenario.

Kind regards,

Milos

Re: Behavor differtent user Ise certificates

athan1234 — Sun, 27 Nov 2022 21:56:35 GMT

Hello @Milos_Jovanovic , I appreciate your response.

I didn't put up the workstation in the department that set up the certificates and machines anthe they will using Microsoft's Intune for deploy .

Although I have access to a machine for testing ( name prueba) I can change the workstation setup and see how it is configured. The previous time , I set up the workstation with use certificates and user and machine authentication. Maybe I should choose a user instead of a machine. Only a user certificate, not any machine certificates, have been configured by my client. What could therefore be the issue?

I will be able to make a test tomorrow. Please let me know if you want me to perform a particular test or if you want me to investigate the error. I can attach the test on the post

Re: Behavor differtent user Ise certificates

Milos_Jovanovic — Mon, 28 Nov 2022 08:58:09 GMT

Unless you strictly define what you want to be permitted, there are no guarantees what will be used. For example, by default, Windows machine is using user or machine identity, depending if user is logged on or not. This way, you can't be sure what you will see and use in this scenario. Also, what is configured on one device is not neccessarily same thing that is configured on another device, so this might be a reason why you see both PEAP and EAP-TLS authentications. You need to define what exactly you want to use, and to configure workstation accordingly.

Kind regards,

Milos

Re: Behavor differtent user Ise certificates

athan1234 — Mon, 13 Mar 2023 11:41:11 GMT

hi, @Milos Jovanovic
I agree with you completely.

my clients needs connect using user certificate authentication over EAP-TLS.
It will be deploy via Microsoft Intune.
I am first trying different domain users without intune deploy.
I can set up the ssid user cert and eap-tls authentication user.

I struggle to understand in various circumstances:

how is it possible for a user to connect to an SSID without a certificate using user domain credentials ?

On the ise logs, I notice EAP-TLS (MSCHAV2), which I have never seen before.
The concept is to connect using a trusted certificate no user domain name and password .

Other tester was the user's certificate, without a user domain and pasword , in this way I am able to establish EAP-TLS performance.

I occasionally find this message in the logs.

I'm reading this article right now as I consider configuring Windows Intune.

https://community.cisco.com/t5/security-knowledge-base/how-to-integrate-cisco-ise-mdm-with-microsoft-intune/ta-p/4187375

will i need to install the certificate in ISE?

Include DigiCert Global Root G2 on their list of reliable CAs.

Re: Behavor differtent user Ise certificates

Milos_Jovanovic — Thu, 01 Dec 2022 08:25:38 GMT

I believe it is due to Continue option you placed under 802.1x authentication rule. If user is not found, it would still proceed to authorization, and I assume something there is permitting him/her, regardless of authentication method. As already stated, this option is used only for MAB - if MAC address is not found, still proceed with authorization where redirection is happening.

Kind regards,

Milos

Re: Behavor differtent user Ise certificates

athan1234 — Thu, 01 Dec 2022 11:40:10 GMT

Yes you are right .

I just changed it for reject .Is better reject isen´it

Re: Behavor differtent user Ise certificates

athan1234 — Mon, 13 Mar 2023 11:41:39 GMT

I just created a test.
I receive the same message with a certificate.

Re: Behavor differtent user Ise certificates

Milos_Jovanovic — Thu, 01 Dec 2022 14:53:10 GMT

Hi @athan1234,

On ISE, under Trusted Certificates, go and check if your internal Root/Intermediate CA has selected option that it will trust certificates on dot1x (don't have ISE in front of me right now, so can't say how exactly this option is called).

Kind regards,

Milos

Re: Behavor differtent user Ise certificates

athan1234 — Sun, 12 Feb 2023 18:10:19 GMT

Hi @Milos_Jovanovic

yes I guess this is the option you tell me

I'm checking everything
This ISE was operational two and a half months ago, therefore the incidence became apparent to me.
I can see that the certificate was no longer valid.

I lack background in certificates.
I created a new certificate, created a CSR, and sent it to the CA's management to be bound to the new certificate and imported into the system.

When I look at the expired certificate, I discover a wilcard *domain.
Befor I can see the EAP check, I can't tell who is at work.

I configured SAN IP ise, domain resolution, hostname ise, and other settings in the new certificate I created.Perhaps that is the issue?

I attach both cerficates

EXPIRIED CERTIFICATE

NEW CERTIFICATE

Re: Behavor differtent user Ise certificates

Milos_Jovanovic — Sun, 04 Dec 2022 18:14:31 GMT

Yes, the option I was mentioning is "Trust for client authentication and Syslog". As I can see, this certificate is issued by Sectigo, and used on you ISE server(s). Which certificates are you using on client side? Are those also issued by Sectigo, or you are using your internal PKI for that?

Expired wildcard certificate should be replaced at some point, but it is not what is messing your dot1x. As wildcard is tied to pxGrid and RADIUS DTLS, I don't think it is related to your current issue. Furthermore, wildcard certiicate can't be used for dot1x, as clients are not trusting it.

Kind regards,

Milos

Re: Behavor differtent user Ise certificates

Arne Bier — Sun, 04 Dec 2022 21:19:37 GMT

The new cert looks good and to be honest, having the Admin and EAP signed by your internal PKI is often perfectly acceptable. Your expired cert was a public signed cert, and also contained a wildcard - this cert was possibly used elsewhere in the organisation. Wildcard certs and EAP typically don't play well together with Windows supplicants. I can't remember whether it's Digicert or some other CA ... with those guys you can apparently do wildcard EAP certs. But I would not bother with it. What you have looks good. I even put 3 year certs on my Admin and EAP, using internal PKI. Browsers and supplicants are happy with that.

The issue you face might be the Windows supplicant configuration. Is there a reason that you chose User Authentication and not Machine Authentication? Machine authentication is generally better because the machine gets connected during boot up, and will also stay connected when user logs out. The "user auth" in my opinion, does not require a network authentication to ISE. Rather let that be a Windows authentication to AD/Azure etc.

If you're using Intune, do you put machine certs on Windows computers?

Re: Behavor differtent user Ise certificates

athan1234 — Wed, 07 Dec 2022 21:57:10 GMT

Hi thanks for you reply
You are correct; I should have realized that there was another certificate for internal PKI signed with the ise this certificate had a error .

My certificate is accurate, yet I continue to receive an error.

Re: Behavor differtent user Ise certificates

athan1234 — Wed, 07 Dec 2022 21:58:12 GMT

Hello @Arne Bier, I appreciate your response.it's plausible that the supplicant made the mistake.
I obtain with a other PC for good authentication.
The client informs me that all of them have the same configuration.
I've tested the boss' PC and several others, and the outcomes are always the same error.I asked the client to leave the wireless settings unattended ( without intune) in those PCs, and even though I was able to set everything up correctly, I still received the same issue.Regarding user authentication, my client has chosen to implement it i do not whywhat will transpire
I'm crazy.
Do you have any suggestions for the test?
I downloaded wireshark for capture packet wifi on the client computer, however i can no see any packet transmit.

Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Normalised Radius.Ra
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EA
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request (
ms)
11018 RADIUS is re-using an existing sessi
12502 Extracted EAP-Response containing
response and accepting EAP-TLS as
12800 Extracted first TLS record; TLS hand
12545 Client requested EAP-TLS session ti
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange m
12809 Prepared TLS CertificateRequest me
12810 Prepared TLS ServerDone message
12505 Prepared EAP-Request with another
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing sessi
12504 Extracted EAP-Response containing
response
12505 Prepared EAP-Request with another
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing sessi
12504 Extracted EAP-Response containing
response
12505 Prepared EAP-Request with another
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing sessi
12504 Extracted EAP-Response containing
response
12505 Prepared EAP-Request with another
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing sessi
12504 Extracted EAP-Response containing
response
11514 Unexpectedly received empty TLS m
rejection by the client
61025 Open secure connection with TLS pe
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject

Re: Behavor differtent user Ise certificates

Arne Bier — Wed, 07 Dec 2022 22:15:55 GMT

The ISE Error detail gives a hint about the client perhaps not trusting the ISE EAP certificate. The clients MUST have all the CA certificates that were used in signing the ISE EAP System certificate installed.

Have you checked that all of the PSNs have the correct and expected EAP System certificate (signed by the PKI CA that the clients can trust? Each PSN can have its own EAP System cert ... if you have many PSNs then it's easy to not notice that at first glance)

As far as debugging goes, have you tried an ISE endpoint debug? You can use the MAC address of a failing wireless client and then debug that in ISE. With any luck, the endpoint debug will also capture the client certificate, which you can then download and inspect. Unfortunately you can't verify how the supplicant was configured - but you might get a copy of the client cert.

Re: Behavor differtent user Ise certificates

athan1234 — Sun, 12 Feb 2023 18:11:32 GMT

@Arne Bier wrote:
The ISE Error detail gives a hint about the client perhaps not trusting the ISE EAP certificate. The clients MUST have all the CA certificates that were used in signing the ISE EAP System certificate installed.
Have you checked that all of the PSNs have the correct and expected EAP System certificate (signed by the PKI CA that the clients can trust? Each PSN can have its own EAP System cert ... if you have many PSNs then it's easy to not notice that at first glance)
I am checking again it is increible I am seeing same node diferent name who it is possible wha is the propuse to have it this way oh my good
I created a CSR with name of node ISE i belive it was the problem

It is incredible, so I'm checking it again everything . I notice the same node with a different name; what is the proposed for it ? I can not uderstand it .Oh, goodness

I am seeeing a certificate with this name state ? without check any opcion

In this certificate I am watching the opcion uncheck do you thhink if I ccheck the opcions admin and EAP authentificacion it will works

///
I believed the issue was the node ISE, thus I established a CSR with that name ABTLPC02. I am making a dnslookup and the result for this ise node is a diferent IP

Re: Behavor differtent user Ise certificates

Milos_Jovanovic — Thu, 08 Dec 2022 09:03:54 GMT

I'm lost now. How many ISE servers are you using, and in what kind of deployment? Based on your DNS lookup, you have 2 of them - ABTLPC01 and ABTLPC02. Based on the screenshot provided above, you are using a single-node deployment of ABTLPC02. Also, on a screenshot above, you are presenting a cert screenshot of ABTLPC01, which is not part of the deployment?

Please clarify this, to start with. You should also check what is configured on your WLC, just to be clear which ISE node(s) is in use.

Kind regards,

Milos

Re: Behavor differtent user Ise certificates

athan1234 — Sun, 12 Feb 2023 18:12:23 GMT

Hi @Milos Jovanovic
Like you, I am lost.
I think the issue is related to DNS reverse.

I can see Only one ISE node exists.IP 10.76.33.102 for ABTLPC02

However, if I perform a nslookup on this ISE hostname, XXXXX, its IP address is 10.x.x.x, but it is not HTTP-reachable, suggesting that this IP is not an ISE node

As a result, if you see this certificate: The ISE is resolved by all of the subject alternative neme (SAN), whnw i puting in the browser each SAN : abtlpc01.abanteasesores.es or bienvenido.avanteasesores.com . get in in the node ise with hostname ABTLPC02

Because of these factors, the ISE node's hostname is 10.x.x.x. 102 hostname is xxxxxx.

WLC

I can see two IP addresses, however the IP 10.76.33.103 cannot be accessed via HTTP.

Re: Behavor differtent user Ise certificates

Milos_Jovanovic — Thu, 08 Dec 2022 19:23:00 GMT

If this is the case, let's go in in reverse:

Based on WLC configuration, ISE in use has IP 10.76.33.102 (more relevant screenshot would be from WLAN configuration, AAA section, but based on offered IPs and previus screenshots, this would be the best match)
Behind IP address 10.76.33.102 is ISE with hostname ABTLPC02
You need to fix DNS records, both forward and reverse, so it represents real hostname and IP address
Given that your hostname is ABTLPC02, and your screenshots - your certificate is not ok, as it is issued to ABTLPC01, so the cert warning is actually expected
You could do one of the following:
- Get certificate for ABTLPC02, and apply it for relevant roles (Admin, EAP-TLS)
- Reimage ISE, name it ABTLPC01, fix DNS records accordingly, and re-apply existing certificate
- Play arround with authorization policy and instead of returning default ISE hostname, return static FQDN of ABTLPC01

Given that your cert is issued by internal PKI, easiest one is to issue certificate for ABTLPC02, and relevant SANs.

Kind regards,

Milos

Re: Behavor differtent user Ise certificates

athan1234 — Sun, 12 Feb 2023 18:12:50 GMT

Hello, @Milos Jovanovic.
Thank you for your response. Keep in mind that when I first encountered this client, I had no prior knowledge of it. When I discovered that the hostname was ABTPCL02, I searched for certificates related to it but couldn't find any, so I created a new certificate with that hostname. It was only after I discovered that the user couldn't connect that I opened this post.

What is the best practice in this situation to modify the host name to ABTLPC01 add the current certificate, and check that the EAP and Admin options are functional?

or If I used my certificate, I would need to get in touch with the guys AD and ask them to perform a reverse DNS lookup.

What is the ideal method?