https://community.cisco.com/t5/network-access-control/testing-eap-fast-eap-mschapv2-eap-tls/m-p/5152583#M590907 <P>i am not understanding your question ?</P> <P>some certificates you can put a password etc.. but the password is not very helpful as it can be cracked ... what i am saying if you make it non exportable is good.. The best option is to use non exportable with TPM for best security ..</P> <P>**Please click on Helpful button if this was useful**</P> <P>you</P> Mon, 29 Jul 2024 02:15:02 GMT ccieexpert 2024-07-29T02:15:02Z https://community.cisco.com/t5/network-access-control/testing-eap-fast-eap-mschapv2-eap-tls/m-p/5151490#M590873 <P>Dear Community,</P> <P>Current we plan testing&nbsp;EAP-FAST (Eap-MSCHAPv2, Eap-TLS) authentication.</P> <P>By Machined join domain and get certificate to be trusted device. What if the another new machine imported certificate (export cert from PC trusted machined) , does it work or not for the new machine connection to ISE? thanks.</P> <P>Thanks,</P> <P>&nbsp;</P> Fri, 26 Jul 2024 08:41:06 GMT https://community.cisco.com/t5/network-access-control/testing-eap-fast-eap-mschapv2-eap-tls/m-p/5151490#M590873 Da ICS16 2024-07-26T08:41:06Z https://community.cisco.com/t5/network-access-control/testing-eap-fast-eap-mschapv2-eap-tls/m-p/5152063#M590886 <P>Hi if you mark the certificate as non exportable it will provide protection, but if its not TPM protected, then a malware may be able to export it.&nbsp;</P> <P>The best protection is to use TPM and not all machine have TPM (older ones), but alteast blocking private key export in your cert template is a good fall back..</P> <P><A href="https://polansky.co/blog/tpm-backed-certificates-windows/" target="_blank">https://polansky.co/blog/tpm-backed-certificates-windows/</A></P> <P>**Please click on Helpful button if this was useful**</P> Sat, 27 Jul 2024 04:02:36 GMT https://community.cisco.com/t5/network-access-control/testing-eap-fast-eap-mschapv2-eap-tls/m-p/5152063#M590886 ccieexpert 2024-07-27T04:02:36Z https://community.cisco.com/t5/network-access-control/testing-eap-fast-eap-mschapv2-eap-tls/m-p/5152581#M590905 <P>Dear&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1481123">@ccieexpert</a>&nbsp;,</P><P>If we do not put passkey on certificate and some one will perform this case, does it work?</P><P>Thanks,</P> Mon, 29 Jul 2024 01:56:20 GMT https://community.cisco.com/t5/network-access-control/testing-eap-fast-eap-mschapv2-eap-tls/m-p/5152581#M590905 Da ICS16 2024-07-29T01:56:20Z https://community.cisco.com/t5/network-access-control/testing-eap-fast-eap-mschapv2-eap-tls/m-p/5152583#M590907 <P>i am not understanding your question ?</P> <P>some certificates you can put a password etc.. but the password is not very helpful as it can be cracked ... what i am saying if you make it non exportable is good.. The best option is to use non exportable with TPM for best security ..</P> <P>**Please click on Helpful button if this was useful**</P> <P>you</P> Mon, 29 Jul 2024 02:15:02 GMT https://community.cisco.com/t5/network-access-control/testing-eap-fast-eap-mschapv2-eap-tls/m-p/5152583#M590907 ccieexpert 2024-07-29T02:15:02Z https://community.cisco.com/t5/network-access-control/testing-eap-fast-eap-mschapv2-eap-tls/m-p/5152584#M590908 <P>OK understand. thanks.</P> Mon, 29 Jul 2024 02:28:25 GMT https://community.cisco.com/t5/network-access-control/testing-eap-fast-eap-mschapv2-eap-tls/m-p/5152584#M590908 Da ICS16 2024-07-29T02:28:25Z https://community.cisco.com/t5/network-access-control/testing-eap-fast-eap-mschapv2-eap-tls/m-p/5152586#M590909 <P>Your welcome:)</P> <P>**Please dont forget to rate as helpful and also accept as solution if this was indeed helpful**</P> Mon, 29 Jul 2024 02:36:04 GMT https://community.cisco.com/t5/network-access-control/testing-eap-fast-eap-mschapv2-eap-tls/m-p/5152586#M590909 ccieexpert 2024-07-29T02:36:04Z