topic Re: Cisco ISE - Windows 802.1x Certificate Based Authentication Issues in Network Access Control

Cisco ISE - Windows 802.1x Certificate Based Authentication Issues

Guy Greenshtein — Thu, 29 Jun 2023 04:13:27 GMT

Hello,

I'm having struggles with Windows 10 machines authentication process which is based on client certificates.

Before I will elaborate on the errors I observe, I'll share the configuration of components along the way.

Windows 10 configuration:

Holds the Root CA certificates and a personal computer (client) certificate signed by the CA (we are using a custom template)
WiredAutoConfig service is auto-running
NIC is configured to authenticate using 802.1x, smart card or other certificate as network authentication method, use a certificate on this computer

Switch configuration:

aaa new-model

aaa group server radius GRP-XXX-ISE
server name ISE01
server name ISE02

aaa authentication dot1x default group GRP-XXX-ISE
aaa authorization network default group GRP-XXX-ISE
aaa accounting dot1x default group GRP-XXX-ISE

aaa server radius dynmaic-author
client X.X.X.X server-key 7 XXX
client Y.Y.Y.Y server-key 7 YYY

dot1x system-auth-control

interface GigabitEthernet1/0/1
authentication control-direction in
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3

interface GigabitEthernet1/0/2
device-tracking attach-policy IPDT_POLICY
authentication control-direction in
authentication event server dead action authorize XXX
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
radius-server directed-request

radius server ISE01
address ipv4 X.X.X.X auth-port 9812 acct-port 9813
key 7 XXX

radius server ISE02
address ipv4 Y.Y.Y.Y auth-port 9812 acct-port 9813
key 7 YYY

Cisco ISE configuration:

Root/Sub CA certificates
ISE signed certificates (for EAP)
NAD (user switch)
CAP (certificate authentication profile) pointing to subject common name and AD as identity store
EAP-TLS authentication policy set
Certificate parameters and AD membership authorization policy

I get the following errors on each device type:

Windows 10 - Authentication failed

Switch:

%DOT1X-5-FAIL Authentication failed for cliient with reason (No Response from Client) on Interface Gi1/0/1
%SESSION_MGR-5-FAIL: Authorization failed or unapplied for client on Interface Gi1/0/1. Failure reason: Authc fail. Authc failure reason: Cred Fail.
%DOT1X-5-FAIL Authentication failed for cliient with reason (Cred Fail) on Interface Gi1/0/2
%SESSION_MGR-5-FAIL: Authorization failed or unapplied for client on Interface Gi1/0/2. Failure reason: Authc fail. Authc failure reason: Cred Fail.

Cisco ISE:

22017 Selected Identity Source is DenyAccess
12831 Unable to download CRL22056 Subject
22044 Identity policy result is configured for certificate based authentication methods but received password based

22056 Subject not found in the applicable identity store(s)

Re: Cisco ISE - Windows 802.1x Certificate Based Authentication Issues

Ambuj M — Thu, 29 Jun 2023 04:39:00 GMT

clarify one more thing, is the CA used for issuing client certificate and ISE system certificate for EAP usage same ?

Also can I assume you have created a separate Identity source sequence calling certificate profile and AD under auth search list and using this Identity source sequence in your authentication policy ?

Re: Cisco ISE - Windows 802.1x Certificate Based Authentication Issues

Guy Greenshtein — Thu, 29 Jun 2023 06:30:30 GMT

The CA we are using in the system is global and used for client certificate issuing, as well as for all ISE related certificates, including EAP authentication.

I have an ISS in place that points to the created CAP for Certificate Based Authentication, as well as All_AD_Join_Points for Authentication Search List.

In the Advanced Search List Settings I configured the option for If a selected identity store cannot be accessed for authentication "Treat as if the user was not found and proceed to the next store in sequence".

Re: Cisco ISE - Windows 802.1x Certificate Based Authentication Issues

Aref Alsouqi — Thu, 29 Jun 2023 07:20:07 GMT

Could you please share the CAP configs and the authentication rule for review? it does seem that the EAP traffic coming from the client is not matching the right authentication rule.

Re: Cisco ISE - Windows 802.1x Certificate Based Authentication Issues

Guy Greenshtein — Thu, 29 Jun 2023 07:27:04 GMT

CAP configuration

Name - CAP Test

Identity Store - AD-Servers

Use Identity From - Any subject or alternative name attributes in the certificate (for Active Directory only)

Match client certificate against certificate in identity store - always perform binary comparison

General policy set rule:

Name - Rule 1

Conditions - RADIUS-NAS-Port-Type EQUALS Ethernet

Allow Protocols/Server Sequence - APS

(APS config - Allow PEAP, Allow EAP-TLS, Allow EAP-FAST, allow EAP-TTLS, Allow TEAP)

Authentication Policy:

Rule 1 - Conditions Wired_802.1X (Cisco ISE default), Use ISS sequence (stated in the post above)

I see actual hits on this rule.

Re: Cisco ISE - Windows 802.1x Certificate Based Authentication Issues

Aref Alsouqi — Thu, 29 Jun 2023 15:26:39 GMT

Could you please try to change the "Use Identity Form" to "Certificate Attribute" and select the attribute you see on the certificate? most likely it will be SAN - DNS. Also, could you try to change "Match Client Certificate" to "Only to resolve identity ambiguity" and test again?

Re: Cisco ISE - Windows 802.1x Certificate Based Authentication Issues

Ambuj M — Thu, 29 Jun 2023 18:23:35 GMT

why don't you start with a simpler authorization profile and see if it works for e.g certificate issuer contains <your CA name> and see if client authenticates, then add more conditions.

Re: Cisco ISE - Windows 802.1x Certificate Based Authentication Issues

hslai — Sun, 02 Jul 2023 07:14:19 GMT

@Guy Greenshtein : I like ammahend's idea -- good to start with simple.

> ... 22044 Identity policy result is configured for certificate based authentication methods but received password based

So, it does not seem ISE getting the client certificate.

Re: Cisco ISE - Windows 802.1x Certificate Based Authentication Issues

Guy Greenshtein — Sun, 02 Jul 2023 07:57:19 GMT

I agree that it's better to start with a very basic and simple condition and that is what I did - check the certificate issuer. After getting the error message, I understand that it is probably something that is related to the supplicant side, although it is weird since the NIC is properly configured to use Smart card or other certificate. I will check if it might be something related to GPO hardening or driver issue.