<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Cisco ISE EAP-TLS in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls/m-p/5018349#M587335</link>
    <description>&lt;P&gt;Can you elaborate more?&lt;/P&gt;
&lt;P&gt;Thanks&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
    <pubDate>Wed, 14 Feb 2024 16:55:14 GMT</pubDate>
    <dc:creator>MHM Cisco World</dc:creator>
    <dc:date>2024-02-14T16:55:14Z</dc:date>
    <item>
      <title>Cisco ISE EAP-TLS</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls/m-p/5018339#M587334</link>
      <description>&lt;P&gt;If I need to use EAP-TLS as the user authentication method for my TEAP authentication.&lt;/P&gt;
&lt;P&gt;I was wondering how the user authenticates with his unique certificate. The user types his credentials, but how does his certificate go to different devices?&lt;/P&gt;</description>
      <pubDate>Wed, 14 Feb 2024 16:41:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls/m-p/5018339#M587334</guid>
      <dc:creator>AFAWZY</dc:creator>
      <dc:date>2024-02-14T16:41:38Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE EAP-TLS</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls/m-p/5018349#M587335</link>
      <description>&lt;P&gt;Can you elaborate more?&lt;/P&gt;
&lt;P&gt;Thanks&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
      <pubDate>Wed, 14 Feb 2024 16:55:14 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls/m-p/5018349#M587335</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2024-02-14T16:55:14Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE EAP-TLS</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls/m-p/5018352#M587336</link>
      <description>&lt;P&gt;When we use EAP-TLS we don't type in any credentials as EAP-TLS will be using the machine or user certificate to authenticate. You mention TEAP authentication. TEAP authentication will allow EAP-Chaining natively on Windows without having to install any additional piece of software such as AnyConnect NAM.&lt;/P&gt;
&lt;P&gt;When TEAP is in use, both the machine and the user authentications will be included in the same transaction. The configuration of each could vary, for instance, you can decide to do EAP-TLS for the machine authentication and EAP-PEAP (username and password) for the user. Or, you can use EAP-TLS for both of them. You configure those authentication methods in the endpoint NIC settings under the dot1x tab.&lt;/P&gt;
&lt;P&gt;The certificate that will be presented by the endpoint during the authentication would be the one in the personal folder in the certificates containers in Windows, that would be the case for both the machine and the user, each will present its identity certificate that is hosted in the personal folder.&lt;/P&gt;</description>
      <pubDate>Wed, 14 Feb 2024 16:57:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls/m-p/5018352#M587336</guid>
      <dc:creator>Aref Alsouqi</dc:creator>
      <dc:date>2024-02-14T16:57:58Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE EAP-TLS</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls/m-p/5018379#M587337</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1547608"&gt;@AFAWZY&lt;/a&gt; it's the Windows Group Policy Objects (GPO) that configure the device to use TEAP (with the machine and user certificates) for 802.1X authentication. A GPO would also configure certificate enrollment for the machine and users to automatically enrol for the certificates. When the user logs into a different device, they will not have a user certificate if they have never logged into that device before; it's the user GPO settings that would send down the user certificate, which can then be used for 802.1X authentication.&lt;/P&gt;</description>
      <pubDate>Wed, 14 Feb 2024 17:40:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls/m-p/5018379#M587337</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2024-02-14T17:40:41Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE EAP-TLS</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls/m-p/5018403#M587341</link>
      <description>&lt;P&gt;Thank you &lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/284594"&gt;@Aref Alsouqi&lt;/a&gt; for your explanation.&lt;/P&gt;
&lt;P&gt;I tried only PEAP (MS-CHAPv2) and I'm facing an issue with wireless network access, and after searching I found that new Windows has a feature called Credential Guard which has a conflict with MS-CHAP, so users can't connect to the SSID. I'm not sure yet that this is the problem for my wireless, but a lot of people face it. That's why I need to go away from PEAP and use TLS.&lt;/P&gt;
&lt;P&gt;So, about your words "the one in the personal folder in the certificates containers in Windows": how can different users get the certificate used for the authentication in the personal folder of the same machine? I need to understand this flow: if a user called Aref and another one called Fawzy are trying to authenticate through the same machine (the user authentication phase), how will the supplicant use a different certificate to authenticate, and how can the PC get these different certificates?&lt;/P&gt;
&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752"&gt;@MHM Cisco World&lt;/a&gt; this can be my question with more explanation.&lt;/P&gt;</description>
      <pubDate>Wed, 14 Feb 2024 18:31:47 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls/m-p/5018403#M587341</guid>
      <dc:creator>AFAWZY</dc:creator>
      <dc:date>2024-02-14T18:31:47Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE EAP-TLS</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls/m-p/5018419#M587343</link>
      <description>&lt;P&gt;Thank you &lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036"&gt;@Rob Ingram&lt;/a&gt; .&lt;/P&gt;
&lt;P&gt;I need more explanation about the certificate automatic enrollment, and what the suitable GPO configuration is for the TLS user authentication.&lt;/P&gt;
&lt;P&gt;And how does the PC get the certificate of the different logged-in users for the same PC?&lt;/P&gt;</description>
      <pubDate>Wed, 14 Feb 2024 18:46:17 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls/m-p/5018419#M587343</guid>
      <dc:creator>AFAWZY</dc:creator>
      <dc:date>2024-02-14T18:46:17Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE EAP-TLS</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls/m-p/5018424#M587344</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1547608"&gt;@AFAWZY&lt;/a&gt; the GPO settings configure the computer to auto-enroll for a machine certificate; this is stored in the computer certificate store. Each user that logs into a computer has their own unique user certificate store; when the GPO is configured they receive a user certificate which is stored in their own unique user certificate store. The user certificates are unique per user, so if another user logs into the computer (if configured) they will receive a different user certificate, which is stored in their unique user certificate store.&lt;/P&gt;
&lt;P&gt;Examples:&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.packetswitch.co.uk/dot1x-certs/" target="_blank"&gt;https://www.packetswitch.co.uk/dot1x-certs/&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://integratingit.wordpress.com/2019/07/13/configuring-windows-gpo-for-802-1x-authentication/" target="_blank"&gt;https://integratingit.wordpress.com/2019/07/13/configuring-windows-gpo-for-802-1x-authentication/&lt;/A&gt;&lt;/P&gt;
</description>
      <pubDate>Wed, 14 Feb 2024 18:52:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls/m-p/5018424#M587344</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2024-02-14T18:52:20Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE EAP-TLS</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls/m-p/5018480#M587349</link>
      <description>&lt;P&gt;This is a tricky use case due to the order of operations that Windows has for initiating the 802.1x process before the User GPO kicks in. See this discussion for more info on that process.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://community.cisco.com/t5/network-access-control/ise-deployment-eap-tls-machine-or-user-certificates-native/td-p/4094444" target="_blank"&gt;https://community.cisco.com/t5/network-access-control/ise-deployment-eap-tls-machine-or-user-certificates-native/td-p/4094444&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;One option to help with this catch-22 situation using TEAP is discussed here:&lt;/P&gt;
&lt;P&gt;&lt;A href="https://community.cisco.com/t5/network-access-control/eap-teap-first-time-user-login-chicken-amp-egg-scenario/td-p/4475351" target="_blank"&gt;https://community.cisco.com/t5/network-access-control/eap-teap-first-time-user-login-chicken-amp-egg-scenario/td-p/4475351&lt;/A&gt;&lt;/P&gt;
</description>
      <pubDate>Wed, 14 Feb 2024 21:38:00 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls/m-p/5018480#M587349</guid>
      <dc:creator>Greg Gibbs</dc:creator>
      <dc:date>2024-02-14T21:38:00Z</dc:date>
    </item>
  </channel>
</rss>

