<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Using 802.1x wired + which cert?? in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/using-802-1x-wired-which-cert/m-p/5134934#M590227</link>
    <description>&lt;P&gt;Rob,&lt;/P&gt;&lt;P&gt;No, none of those are trusted on ISE. So do I need to install my EAP client cert (trusted and exported from ISE) into the personal certificate store for this to work?&amp;nbsp; I was under the impression just the root GoDaddy cert into trusted store and the intermediate into trusted store and, like wireless, ISE will present my client cert to endpoint for trust upon authentication.&lt;/P&gt;</description>
    <pubDate>Sun, 23 Jun 2024 07:06:35 GMT</pubDate>
    <dc:creator>siryonz</dc:creator>
    <dc:date>2024-06-23T07:06:35Z</dc:date>
    <item>
      <title>Using 802.1x wired + which cert??</title>
      <link>https://community.cisco.com/t5/network-access-control/using-802-1x-wired-which-cert/m-p/5134783#M590219</link>
      <description>&lt;P&gt;Hey! First post here but desperate to pick some brains here. We are implementing 802.1x on the wired side and infosec wants to prevent BYOD so I've found myself drowning in the 802.1x cert based/machine authentication space. We are currently using 802.1x + EAP for wireless which works just great. On the wireless side, we have never had to push our 3rd party CA EAP cert to clients but instead it was trusted upon authentication and worked (I think bc public certs like GoDaddy are preinstalled on common vendor devices). Now, can I use that same EAP cert we are using for wireless for wired as it is installed in ISE already? If so, what do I need to do to get that onto my endpoints (Windows/MacOS)? Thank you in any case.&lt;/P&gt;</description>
      <pubDate>Sat, 22 Jun 2024 04:23:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-802-1x-wired-which-cert/m-p/5134783#M590219</guid>
      <dc:creator>siryonz</dc:creator>
      <dc:date>2024-06-22T04:23:58Z</dc:date>
    </item>
    <item>
      <title>Re: Using 802.1x wired + which cert??</title>
      <link>https://community.cisco.com/t5/network-access-control/using-802-1x-wired-which-cert/m-p/5134787#M590220</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1449572"&gt;@siryonz&lt;/a&gt;&lt;/P&gt;
&lt;P&gt;You can use the same client certificate (user or machine) for wired and wireless authentication, which ISE would trust if you are already using it. ISE uses the EAP certificate for authentication; if this is the public GoDaddy certificate, then the client devices need to trust this certificate.&lt;/P&gt;
&lt;P&gt;You just need to configure the native supplicant for the wired interface with the correct configuration, authentication method and trusted CA - &lt;A href="https://integratingit.wordpress.com/2019/07/13/configuring-windows-gpo-for-802-1x-authentication/" target="_blank"&gt;https://integratingit.wordpress.com/2019/07/13/configuring-windows-gpo-for-802-1x-authentication/&lt;/A&gt;&lt;/P&gt;
</description>
      <pubDate>Sat, 22 Jun 2024 05:22:12 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-802-1x-wired-which-cert/m-p/5134787#M590220</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2024-06-22T05:22:12Z</dc:date>
    </item>
    <item>
      <title>Re: Using 802.1x wired + which cert??</title>
      <link>https://community.cisco.com/t5/network-access-control/using-802-1x-wired-which-cert/m-p/5134915#M590222</link>
      <description>&lt;P&gt;Grateful for your response Rob.&amp;nbsp; I have configured supplicant using smartcard/certificate method, EAP authentication method, and checked the GoDaddy root authority in the trust store, but no luck.&lt;/P&gt;&lt;P&gt;1.) So I guess there is some confusion about what cert and where it needs to be installed on the endpoint. I have not loaded anything relative to my client EAP certificate in the computer or user 'personal' folders (see attached). Just the root and intermediate GoDaddy certs in the trusted store on my endpoint which are checked for trusted.&lt;/P&gt;&lt;P&gt;2.) Is the generic GoDaddy root certificate enough or do I need to install my client EAP cert in one of the folders also? I'm confused on the flow. I will try to learn how to do a packet capture to capture the conversation.&lt;/P&gt;</description>
      <pubDate>Sun, 23 Jun 2024 02:19:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-802-1x-wired-which-cert/m-p/5134915#M590222</guid>
      <dc:creator>siryonz</dc:creator>
      <dc:date>2024-06-23T02:19:07Z</dc:date>
    </item>
    <item>
      <title>Re: Using 802.1x wired + which cert??</title>
      <link>https://community.cisco.com/t5/network-access-control/using-802-1x-wired-which-cert/m-p/5134927#M590226</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1449572"&gt;@siryonz&lt;/a&gt; of those 3 certificates in the personal certificate store, does ISE trust those CAs? You can see what authentication method and what certificate was used by your wireless clients by looking in the ISE live logs for an authentication session.&lt;/P&gt;
&lt;P&gt;You can also check your authentication configuration settings on client supplicant to confirm what is configured and mirror that for the wired interface configuration.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215621-tls-ssl-certificates-in-ise.html" target="_blank" rel="noopener"&gt;https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215621-tls-ssl-certificates-in-ise.html&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://community.cisco.com/t5/security-knowledge-base/how-to-implement-digital-certificates-in-ise/ta-p/3630897" target="_blank" rel="noopener"&gt;https://community.cisco.com/t5/security-knowledge-base/how-to-implement-digital-certificates-in-ise/ta-p/3630897&lt;/A&gt;&lt;/P&gt;
</description>
      <pubDate>Sun, 23 Jun 2024 05:49:25 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-802-1x-wired-which-cert/m-p/5134927#M590226</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2024-06-23T05:49:25Z</dc:date>
    </item>
    <item>
      <title>Re: Using 802.1x wired + which cert??</title>
      <link>https://community.cisco.com/t5/network-access-control/using-802-1x-wired-which-cert/m-p/5134934#M590227</link>
      <description>&lt;P&gt;Rob,&lt;/P&gt;&lt;P&gt;No, none of those are trusted on ISE. So do I need to install my EAP client cert (trusted and exported from ISE) into the personal certificate store for this to work?&amp;nbsp; I was under the impression just the root GoDaddy cert into trusted store and the intermediate into trusted store and, like wireless, ISE will present my client cert to endpoint for trust upon authentication.&lt;/P&gt;</description>
      <pubDate>Sun, 23 Jun 2024 07:06:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-802-1x-wired-which-cert/m-p/5134934#M590227</guid>
      <dc:creator>siryonz</dc:creator>
      <dc:date>2024-06-23T07:06:35Z</dc:date>
    </item>
    <item>
      <title>Re: Using 802.1x wired + which cert??</title>
      <link>https://community.cisco.com/t5/network-access-control/using-802-1x-wired-which-cert/m-p/5134937#M590228</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1449572"&gt;@siryonz&lt;/a&gt;&lt;/P&gt;
&lt;P&gt;You don't need to export the EAP certificate used by ISE and import to the clients. If the client trusts the public GoDaddy certificate they can validate ISE's certificate. If the client has a certificate issued by another CA, then ISE needs to trust those CAs in order for ISE to validate the client certificates (import to ISE's trusted certificate store).&lt;/P&gt;
&lt;P&gt;Determine how it's currently working for wireless authentication and mirror this; assume it's configured correctly. Did you check the ISE logs to confirm how those clients are authenticated and which CA is in use?&lt;/P&gt;</description>
      <pubDate>Sun, 23 Jun 2024 07:15:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-802-1x-wired-which-cert/m-p/5134937#M590228</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2024-06-23T07:15:13Z</dc:date>
    </item>
    <item>
      <title>Re: Using 802.1x wired + which cert??</title>
      <link>https://community.cisco.com/t5/network-access-control/using-802-1x-wired-which-cert/m-p/5134938#M590229</link>
      <description>&lt;P&gt;OK, to be safe, I will make sure GoDaddy is trusted in both intermediate and root stores. I will do this in both user and computer certificate stores. As for live logs, I do not see anything relevant to a CA. I see an EAP key and also see user and group results from AD which we use to resolve identities.&lt;/P&gt;</description>
      <pubDate>Sun, 23 Jun 2024 07:27:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-802-1x-wired-which-cert/m-p/5134938#M590229</guid>
      <dc:creator>siryonz</dc:creator>
      <dc:date>2024-06-23T07:27:13Z</dc:date>
    </item>
    <item>
      <title>Re: Using 802.1x wired + which cert??</title>
      <link>https://community.cisco.com/t5/network-access-control/using-802-1x-wired-which-cert/m-p/5134939#M590230</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1449572"&gt;@siryonz&lt;/a&gt;&amp;nbsp;GoDaddy is not the CA that issued the client certificate; whatever CA issued the certificate in the user/machine Personal store is what you need to import to ISE trusted store.&lt;/P&gt;
&lt;P&gt;If you are already using certificates for wireless authentication, then ISE should already trust that certificate!!&lt;/P&gt;
&lt;P&gt;Have you looked at the wireless authentication settings in the client to confirm what is configured?&lt;/P&gt;
&lt;P&gt;What authentication method is used? Definitely EAP-TLS? Or PEAP/MSCHAPv2? Provide the output for review.&lt;/P&gt;</description>
      <pubDate>Sun, 23 Jun 2024 07:40:14 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-802-1x-wired-which-cert/m-p/5134939#M590230</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2024-06-23T07:40:14Z</dc:date>
    </item>
    <item>
      <title>Re: Using 802.1x wired + which cert??</title>
      <link>https://community.cisco.com/t5/network-access-control/using-802-1x-wired-which-cert/m-p/5266728#M595295</link>
      <description>&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Mon, 03 Mar 2025 11:42:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/using-802-1x-wired-which-cert/m-p/5266728#M595295</guid>
      <dc:creator>Ferdaush</dc:creator>
      <dc:date>2025-03-03T11:42:57Z</dc:date>
    </item>
  </channel>
</rss>

