topic Re: ISE Dot 1x Wired Authentication in Network Access Control

ISE Dot 1x Wired Authentication

Dkiptoo — Thu, 02 Jan 2025 11:07:43 GMT

Am still new to this Technology. I have Dot1x wired authentication on my Local Network whereby ISE I believe authenticates domain joined PCs using User Certs and Root certs from a PKI Server. My PC currently cannot be authenticate and therefore cannot be placed on the right VLAN, and after checking , I get a error that certificate issued to the ISE by the PKI server has expired. How do I go about it? Where do I start to renew the cert.

Re: ISE Dot 1x Wired Authentication

Rob Ingram — Thu, 02 Jan 2025 11:13:34 GMT

@Dkiptoo is it just a PC that cannot authenticate or all of them? If it's a single PC (rather than all of them), then it's likely that computers' certificate has expired. If it's AD joined and the CA is the Microsoft CA then that CA will need to issue a new certificate, that should be automatic depending on how your GPOs are configured.

If all computers are failing to authenticate, that it could be the ISE "EAP certificiate" has expired, refer to this guide to renew the EAP certificate https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217191-configuration-guide-to-certificate-renew.html just ensure the same CA issues the certificate, then you know the client computers will trust the certificate.

Re: ISE Dot 1x Wired Authentication

Dkiptoo — Thu, 02 Jan 2025 12:22:03 GMT

Yes it is an AD joined PC. It is only one PC having the issue

Re: ISE Dot 1x Wired Authentication

Dkiptoo — Sat, 04 Jan 2025 08:50:32 GMT

Hi Rob, just a follow up on the same, after accessing the ISE from another client machine, I realized the EAP certificate has expired. My question in, why am I still being able to access with another client machine if the Root certificate is expired. I expected not to authenticate other client machines. Your input kindly

Re: ISE Dot 1x Wired Authentication

Rob Ingram — Sat, 04 Jan 2025 08:56:36 GMT

@Dkiptoo I would expect the client machine to pop up a warning. Possibly the supplicant (on the computer) is configured not to validate the ISE EAP certificate and so no error/warning is displayed on the computer.

I assume you mean the ISE EAP certificiate is expired, not the root certificate that issued the EAP certificate?

Re: ISE Dot 1x Wired Authentication

Dkiptoo — Sat, 04 Jan 2025 10:31:12 GMT

Yes, the ISE EAP is the one that expired. I got a pop up on the client machine informing of the expired certificate

Re: ISE Dot 1x Wired Authentication

Rob Ingram — Sat, 04 Jan 2025 10:38:21 GMT

@Dkiptoo ok, so you accepted the warning and continued to be authenticated.

Renew the ISE EAP certificate as the link above, you should no longer have any client side warnings.

Re: ISE Dot 1x Wired Authentication

Dkiptoo — Tue, 07 Jan 2025 13:40:33 GMT

Hi Rob, thank you for your input. I was able to renew the EAP Certificate signed by the CA and services resumed normal. However I have 2 ISE nodes, PAN and Secondary and I did on the PAN. On the secondary it still show expired. Do I need to repeat the process on the secondary node again to keep them in sync? Currently they are not in Sync. The also during the process, I noticed despite all other client machines not being able to be authenticated due to expired certificate, there was still one machine that was still on the respective VLAN. Could this be a case maybe 802.1X is disabled on the specific switchport?

Re: ISE Dot 1x Wired Authentication

Rob Ingram — Tue, 07 Jan 2025 13:44:54 GMT

@Dkiptoo you need a certificate on each node, so repeat the process for the Secondary node - you do this from the Primary PAN, just select the other node.

Possibly 802.1X is not enabled on that port, check the switchport configuration and run "show authentication session interface <number> detail".