Certificate not installed on Windows 10 endpoint

sr2290723
Level 1

Hi,

I am doing a POC for my customer on ISE 2.2 patch 4. We tried the BYOD provisioning flow using ISE as CA on a Windows 10 endpoint connected to a Cisco 2960S switch.

The provisioning process completed successfully, and I can see that the certificate is issued by ISE to the endpoint. However, when I verified on the endpoint, I can’t find it installed in any certificate store (machine or user).

Can anybody shed some light on how to troubleshoot this issue? I appreciate any input.

Thank you,

Wiyandi

Accepted Solutions

hslai
Cisco Employee

If the Windows user itself is not a local admin user, then the certificate is installed under the certificate store of the local admin user whose credentials are used when prompted for UAC. I would suggest either using the local admin user or adding the Windows user to the local admin group.

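To see which profile actually received the certificate, as the answer above describes, the following PowerShell is an added example (not code from the thread or from Cisco). The issuer filter `ISE` is an assumed placeholder for part of your ISE CA's issuer name; run it once in the standard user's session and once as the local admin account whose credentials were entered at the UAC prompt, because `Cert:\CurrentUser` only shows the store of the account running the command.

```powershell
# Added example: list certificates from the ISE CA that are visible to the
# account running this script, and whether they are usable for EAP-TLS.
# $IssuerMatch is an assumed placeholder; set it to part of your ISE CA's issuer name.
param(
    [string]$IssuerMatch = 'ISE'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU: TLS Web Client Authentication
$stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'

# Show which account and elevation state the stores are being read from.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host ("Running as {0} (elevated: {1})" -f $identity.Name, $isAdmin)

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                NotAfter      = $_.NotAfter
                # EAP-TLS needs the private key in the same store as the certificate.
                HasPrivateKey = $_.HasPrivateKey
                # False also when the certificate carries no EKU extension at all.
                ClientAuthEku = ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
                Thumbprint    = $_.Thumbprint
            }
        }
}

if ($found) {
    $found | Format-List
} else {
    Write-Warning "No certificate with issuer like '*$IssuerMatch*' is visible to $($identity.Name)."
}
```

A certificate that is listed only when the script runs as the admin account, and not in the standard user's session, matches the situation described in the accepted answer.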

kthiruve
Cisco Employee

Please check out the how-to guides for BYOD for step-by-step procedures using certificates and for on-boarding.

Also I am assuming that after the registration, the endpoint was able to access the network successfully.

ISE Design & Integration Guides

If you can authenticate successfully, I don't see a problem. Make sure you are logged in as administrator to open the local and machine certs.

https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in

-Krishnan

Hi Krishnan,

Thanks.

The problem is that although Cisco Network Assistant shows as completed, authentication using EAP-TLS fails. I don't even see a RADIUS authentication attempt using the certificate.

Hi hslai,

Thank you. You are right.

So, if the customer does not have any CA / PKI set up, I presume that ISE as a CA can’t be used as an alternative for issuing client certificates, because on company-controlled machines users normally do not have admin rights to the machine. Am I right?

The ISE internal CA is to be used for our BYOD automated process for machines where users have rights to install certs; otherwise you need a way to automate