topic Re: Radius EAP-TLS user authentication not working in Network Security

Radius EAP-TLS user authentication not working

SecurityEng99 — Thu, 01 Aug 2024 14:12:12 GMT

Hello friends, I configured eap-tls configuration on Cisco ISE using a trusted certificate for both User and Machine for the machine that is in the domain. The machine authentication works fine, but the user authentication didn't work and didn't send anything because I don't see any log on the switch (with a "debug radius authentication) and nothing on ISE Radius logs. I tried to logout and log back in and also tried to restart the machine, but no luck. I'm using physical laptop windows 10 (22H2). Not sure if this is an issue on the windows or I'm missing something.

FYI, the user authentication is working fine with PEAP (MS-CHAp-V2).

Please let me know if you have any suggestion or advise ??

Re: Radius EAP-TLS user authentication not working

Marvin Rhoads — Fri, 02 Aug 2024 02:33:46 GMT

Two things to check:

1. How is the native supplicant configured? (Should be for "User or Computer Authentication" with single sign-on.)

2. Have you checked if Microsoft Credential Guard is configured? https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?tabs=intune#enable-credential-guard

Re: Radius EAP-TLS user authentication not working

SecurityEng99 — Mon, 05 Aug 2024 13:42:35 GMT

Hello @Marvin Rhoads

1- yes, I tried the Machine authentication and it works fine, but when I switch to User authentication it didn't work.

2- I enabled the "Microsoft Credential Guard" as mentioned in the documentation guide, but it is still not working.

I would say this is definitely a supplicant issue, but not sure about the root cause.

Re: Radius EAP-TLS user authentication not working

Marvin Rhoads — Mon, 05 Aug 2024 19:50:12 GMT

Credential Guard will cause the native supplicant to fail. It should be disabled unless you switch to certificate-based authentication.

Re: Radius EAP-TLS user authentication not working

SecurityEng99 — Mon, 05 Aug 2024 19:59:24 GMT

I'm using the smartcard or certificate option. In the additional setting, I'm using the User authenticatiion.

Re: Radius EAP-TLS user authentication not working

MHM Cisco World — Mon, 05 Aug 2024 20:00:44 GMT

PEAP ms-chap is work

Eap-tls not work

That meaning the endpoint trust server cert. But the server not trust endpoint cert.

Check the CA of both cert. It must issuer from different CA

Then check CA cert. In radius one CA cert. Is missing

MHM

Re: Radius EAP-TLS user authentication not working

SecurityEng99 — Mon, 05 Aug 2024 20:05:29 GMT

EAP-TLS for Machine authentication works (Cert-based)

EAP-TLS for User authentication is not working (Cert-based)

Re: Radius EAP-TLS user authentication not working

MHM Cisco World — Mon, 05 Aug 2024 20:25:57 GMT

User Cert. check the CA issuer or sub in radius server

MHM

Re: Radius EAP-TLS user authentication not working

Marvin Rhoads — Tue, 06 Aug 2024 09:08:19 GMT

If you are not seeing the authentication at all in ISE, then the supplicant must not be sending it.

Double check that your additional setting is using either a. User Authentication or b. User or Computer Authentication. Like this: