topic Actually we are not using AD, in Network Access Control

ISE certificate-authentication stops working when chaning Windows User account password

waheedullah Bahaduri — Mon, 11 Mar 2019 05:03:20 GMT

Hello

We have certificate-based authentication through ISE.

The issue is, clients who have certificate installed, when they change their local windows user account password, after that their certificate authentication fails and they can not connect to network using their certificate.

Then we have to reinstall their certificates . this means each time users change their win password, we have to also reinstall their certificates

Any advice, why it happening such ?

Any instructions ?

waheedullah Bahaduri — Thu, 25 Sep 2014 07:07:15 GMT

Any instructions ?

Certificate authentication

nspasov — Thu, 25 Sep 2014 21:08:39 GMT

Certificate authentication and standard AD username/password are separate and should not be affecting one another. A few questions:

1. What happens to the certificate after the user changes the password? Is the certificate still present in the certificate store?

2. What is the error message that you see in ISE? Post screen shot(s) of the live authentication screen and the details page

3. Post screenshots of your AAA policies in ISE (authentication and authorization)

Thank you for rating helpful posts!

Sounds like you are using

jan.nielsen — Fri, 26 Sep 2014 10:57:23 GMT

Sounds like you are using user certificates ? otherwise those two things should not be related at all.

Actually we are not using AD,

waheedullah Bahaduri — Sat, 27 Sep 2014 03:55:03 GMT

Actually we are not using AD, clients are in workgroup environment.

And yes the certificate is present in the certificate store after the users changes his win password.

Actually we don't get any error message on the ISE, while the users try to connect to network, no msg displays on ISE authentication page at all. it means the client doesnot send even any auth messages to ise as soon as he changes his win account password

Are the certs machine certs ?

jan.nielsen — Mon, 29 Sep 2014 04:23:46 GMT

Are the certs machine certs ? Are you installing the cert in the machine store in windows ?

Hmm, ISE should still get a

nspasov — Mon, 29 Sep 2014 05:21:27 GMT

Hmm, ISE should still get a log weather or not the supplicant/client responds to the Radius challenge. So from what you are describing the client is not even starting the EAPoL process.

So I have a few more questions:

1. How are CSRs generated, who signs them and how are the certificates installed on the endpoints

2. Is this for wireless or wired

3. Please provide a screenshot of ISE's authentication and authorization policies

4. What is the make, model and version of the NADs that you are using

5. Confirm that you are trying to perform EAP-TLS based authentication

Hi Jan, I am not that

nspasov — Mon, 29 Sep 2014 05:57:24 GMT

Hi Jan, I am not that proficient with AD/Workgroups so can you explain how changing a user password can affect a user certificate?

Hello, CSRs are generated as

waheedullah Bahaduri — Wed, 01 Oct 2014 07:03:10 GMT

Hello,

CSRs are generated as client-machine certifcates, and are being signed by our own private CA Windows-Server. and they are importerted to clients local-user & Loca-Machine certificate-store.

The certificates are used for wireless

NAD is the WLC , Version 7.4

Before I can provide more

nspasov — Thu, 02 Oct 2014 16:01:42 GMT

Before I can provide more help I will also need:

1. What is the error message that you see in ISE? Post screen shot(s) of the live authentication screen and the details page

2.. Post screenshots of your AAA policies in ISE (authentication and authorization)

Hi

U E — Tue, 06 Jun 2017 10:31:34 GMT

I know this thread is from a long time ago but I was wondering if anyone could offer any assistance. We recently installed CISCO ASA devices and we are having the same issues as this. We have installed user certs for client authentication and most but not every time the user updates his windows password we get certificate validation error and the user appears to lose access to his private key although if i look on the security tab of the key the user is still the owner. The only way we can then get the client to connect again is to re-install the cert and reboot the machine. The cert is in the user personal store.

has anyone else come across this kind of issue??

Thanks in advance

It happens with those users

waheedullah Bahaduri — Tue, 06 Jun 2017 13:21:13 GMT

It happens with those users having administrative rights with thier win account profiles. Limited account users may not face such issues when changing thier win user passwords

Hi and thanks for getting

U E — Tue, 06 Jun 2017 13:24:49 GMT

Hi and thanks for getting back to me it is much appreciated

The users were this is happening to are just standard domain users not admins

Can you clarify exactly what you mean by administrative rights within the user account profiles

sorry to be a pain

I was getting same issue with

waheedullah Bahaduri — Tue, 06 Jun 2017 14:42:42 GMT

I was getting same issue with those users whose windows account had aministrative priviledge who were in workgroup

However limited users do not face with such issues even if they change thier password.

Think our issue may be a bit

U E — Wed, 07 Jun 2017 10:00:28 GMT

Think our issue may be a bit different then as non of the users who are having the issues have administrative rights. They are all just domain users they reset the password then on next any connect login the receive the error "certificate validation error"

Thanks for getting back to me though