topic Re: Dot1x User Authentication with Certificates in Network Access Control

Dot1x User Authentication with Certificates

Dkiptoo — Wed, 03 Sep 2025 09:04:44 GMT

Hello, we have ISE as AAA server and is configured to authenticate network users using user certificates issued by our local CA server. Successfully authenticated users, which are AD users are placed on Corps VLAN otherwise guest vlan. I have an issue lately, the certificates for some of the users expired and now are on the guest vlan. The problem is I cannot renew the certificates directly from the client as they cannot reach the CA, due to being on the guest. I get the error that it cannot reach the server. How do I go about such an issue. How do I renew the certificates for other users. Thank you

Re: Dot1x User Authentication with Certificates

balaji.bandi — Wed, 03 Sep 2025 07:20:00 GMT

either you need to manually update the certs or make arrangement to push using GPO to end clients (so next time you will not have this issue)

is the ISE acting as CA Server or you have PKI infrastructure ?

Re: Dot1x User Authentication with Certificates

MHM Cisco World — Wed, 03 Sep 2025 07:25:28 GMT

Under these user port config

Access switchport mode vlan x

Disable 802.1x under port

After user re-new cert

Remove vlan and enable 802.1x again

MHM

Re: Dot1x User Authentication with Certificates

Rob Ingram — Wed, 03 Sep 2025 07:34:18 GMT

@Dkiptoo temporarily to resolve this issue, allow expired certificates to allow the devices network access:-

Navigate to Policy > Policy Elements > Results > Authentication > Allowed Protocols > Default Network Access (custom name) and checking the box for “Allow Authentication of expired certificates to allow certificate renewal in Authorization Policy”.

Then amend you GPOs to automatically renew certificates before the expire.

Once certificates have been renewed, then disable the expired certificates.

Re: Dot1x User Authentication with Certificates

MHM Cisco World — Wed, 03 Sep 2025 07:49:51 GMT

This good idea

But then he never know what user have expired cert (authc failed) and user dont have expired cert

Let ISE failed authc to make him know that.

MHM

Re: Dot1x User Authentication with Certificates

Rob Ingram — Wed, 03 Sep 2025 07:56:16 GMT

You can determine what devices do have expired certifciates, create a new authorisation rule matching on CERTIFICATE Is Expired True. You can allow those devices just enough access to renew certificates. You will be able to run reports on what devices match this rule. All done centrally via ISE.

Re: Dot1x User Authentication with Certificates

MHM Cisco World — Wed, 03 Sep 2025 07:57:44 GMT

That more better'

MHM

Re: Dot1x User Authentication with Certificates

Dkiptoo — Wed, 03 Sep 2025 11:37:42 GMT

We have a dedicated PKI server which is Windows and is integrated to AD

Re: Dot1x User Authentication with Certificates

Dkiptoo — Wed, 03 Sep 2025 11:45:19 GMT

The environment is SDN based therefore I can see dot1x auth failures from the specific switch and also ports users are connected

Re: Dot1x User Authentication with Certificates

Dkiptoo — Wed, 03 Sep 2025 12:21:18 GMT

Thank you Rob, let me try this option. GPO to renew and auto enroll is already in place though

Re: Dot1x User Authentication with Certificates

Dkiptoo — Thu, 04 Sep 2025 18:47:46 GMT

Hi @Rob Ingram, tried following your workaround,however interestingly, I woke today with all devices on the network not able to authenticate and even reach DHCP server to get access to Internet. Unfortunately, Advantage Licence expired 19 days ago and we're in the process of renewing. I fixed it temporarily by enabling the Essential Licence after realising that it was disabled. But again despite all devices getting Internet, they are all placed on the guest. From the ISE license tiers, the Essential tier should provide basic AAA including dot1x authentication. Am trying to understand what could be the issue that all devices are on the guest, even domain joined Workstations with valid certificates and users. I would really appreciate for your input

Re: Dot1x User Authentication with Certificates

Rob Ingram — Thu, 04 Sep 2025 18:55:49 GMT

@Dkiptoo What features are configured in your authorisation rules? What rules are being matched or is authentication/authorising failing? Provide a screenshot of the live log of an example.

Re: Dot1x User Authentication with Certificates

MHM Cisco World — Thu, 04 Sep 2025 18:58:09 GMT

Share live log detail

Include steps

Include authc

Include authz

Let us check

MHM

Re: Dot1x User Authentication with Certificates

balaji.bandi — Fri, 05 Sep 2025 07:10:41 GMT

then you should able to push GPO and also client side try GP update.

Re: Dot1x User Authentication with Certificates

Dkiptoo — Fri, 05 Sep 2025 11:14:37 GMT

Hi Rob,

I was able to trace the issue to AD synchronization issue and therefore could not authenticate users, defaulting them to guest. Authentication & Authorization policies are fine. I would however l like however to get to know how do I apply the policy that will renew the certificated as earlier stated. Seems the policy in place didn't renew the user cert after making changes here "Policy > Policy Elements > Results > Authentication > Allowed Protocols > Default Network Access (custom name) and checking the box for “Allow Authentication of expired certificates to allow certificate renewal in Authorization Policy”."

Re: Dot1x User Authentication with Certificates

Rob Ingram — Fri, 05 Sep 2025 19:52:03 GMT

@Dkiptoo well first you need to make the changes on ISE to allow expired certificates, that will allow the computers on to the network. Once they have network connectivity if the GPO configuration for certificate enrollment is working, then the computers should renew their certificates.

It's the windows GPO settings that will renew the certifictaes, example:- https://lostintransit.se/2024/11/07/leveraging-gpo-to-distribute-user-and-computer-certificate/

Re: Dot1x User Authentication with Certificates

MHM Cisco World — Fri, 05 Sep 2025 20:50:11 GMT

Hi @Dkiptoo

There are two steps if yoh want use ISE for renew expired cert

1- allow expired in allow protocol <<- this done

2- add authz policy with condition

Attribute: Certificate Status

Condition: Equals

Value: Expired

Step 2 you missing it that so the policy use guest authz policy

Add it and everything will work.

MHM

Re: Dot1x User Authentication with Certificates

Dkiptoo — Thu, 11 Sep 2025 06:46:41 GMT

I have tried the first option but still no cert renewal requests or new renewals are reaching the CA.

Re: Dot1x User Authentication with Certificates

MHM Cisco World — Thu, 11 Sep 2025 06:51:40 GMT

This not option it steps

You need two steps

Re: Dot1x User Authentication with Certificates

Rob Ingram — Thu, 11 Sep 2025 07:05:43 GMT

@Dkiptoo wrote:

I have tried the first option but still no cert renewal requests or new renewals are reaching the CA.

@Dkiptoo if you modified the ISE to allow expired certificates, are the clients with expired certificates authenticated now and can they access the network?

If they have network access then the latest problem doesn't seem like an ISE problem. Has the client received the GPO with the correct settings to renew the certificates? Refresh the GPO on the client computers if needs be. Have you tried manually renewing certificates to see if that works, if that works that would imply a problem with the GPO settings.