topic Re: User or machine EAP-TLS authentication for the first time in Network Access Control

User or machine EAP-TLS authentication for the first time

icarimo — Wed, 29 Jan 2025 23:58:20 GMT

I have a SSID with EAP-TLS using certificates.

Initially my GPO was configured to only use user certificate.

However we found a issue for new users, that was not possible to login via Wi-Fi on the first login. Since they don´t have the certificate to authenticate on Wi-Fi and to have the certificate it requires internet connection.

To fix it, I updated the GPO to use computer or machine certificate.
Now, before first login, the user is able to connect to Wi-Fi via machine certificate. However, after the user logins for the first time, immediately he is disconnected to the Wi-Fi, and can´t connect manually because the user does not have a user certificate.

My doubt is:

Is this the expected behavior?? I was expecting that we don´t lose Wi-Fi connection automatically ate this point during the logging process.
If point 1 is the expected behavior, how can we overcome this situation? Because I don´t have wired connections.

Thank you

Re: User or machine EAP-TLS authentication for the first time

icarimo — Thu, 30 Jan 2025 00:02:52 GMT

My current GPO:

Re: User or machine EAP-TLS authentication for the first time

Flavio Miranda — Thu, 30 Jan 2025 00:22:11 GMT

@icarimo

I think this is expected behavior. There are some discussions here in the forum related, this one below is a bit old but I believe can help you somehow.

https://community.cisco.com/t5/network-access-control/ise-deployment-eap-tls-machine-or-user-certificates-native/td-p/4094444

Re: User or machine EAP-TLS authentication for the first time

icarimo — Thu, 30 Jan 2025 00:25:36 GMT

Hello Flavio,

Thank you so much for the feedback.
Yes, I saw several discuss about this issue, however I didn´t no what is the solution to fix it 😕

If you have ever faced it, please, let me know.

Re: User or machine EAP-TLS authentication for the first time

Greg Gibbs — Thu, 30 Jan 2025 00:33:26 GMT

This is absolutely expected behaviour due to the fact that the User GPO does not get applied until after the transition to the User state as shown in the order of operations image in the post shared by Flavio.

The best workaround for this 'catch-22' situation is using TEAP(EAP-TLS) as described in this discussion:
https://community.cisco.com/t5/network-access-control/eap-teap-first-time-user-login-chicken-amp-egg-scenario/td-p/4475351

Re: User or machine EAP-TLS authentication for the first time

Scott Fella — Thu, 30 Jan 2025 00:35:36 GMT

Usually the device is provisioned before the end user gets it. That way everything is ready to go. What I have seen done was to have another rule to allow PEAP or machine auth and then a GPO is pushed to prevent the onboarding SSID from being viewed/selected.