
Participant

EAP-TLS User Certificate Authentication with ISE

Hello, we're having a problem with EAP-TLS authentication. Here it is: 

A user certificate must be on the local machine before you can attempt user auth.  As soon as a user enters their password Windows will transition from computer to user auth even if there is no certificate available.  The certificate will only be enrolled in the user profile after the GPO has had a chance to run.  The cert enrollment can take up to an hour in its current state.

Is this the normal behavior for how this should work, or is there something that I'm missing on AD or ISE that gets the user cert installed on the machine upon logging in on the network?

1 ACCEPTED SOLUTION

Cisco Employee

Re: EAP-TLS User Certificate Authentication with ISE

I don't remember where I found it now, but the diagram below was in an old Cisco doc related to 802.1x. It illustrates the order-of-operations for Windows 802.1x and GPO processes. From the work I've done with various customers in the past 3-4 years, there has been no change to this order-of-operations seen.

I would suggest contacting MS if you have doubts about this order.

When a new user logs in, most of the user profile stuff is transferred before the PC transitions to the User state. The certificate enrollment, however, does not happen until the GPO kicks in after the User state transition. My customers have not found a way to make the certificate roam with the user profile (which still won't help a new user), but maybe MS can confirm if that's possible.

Windows 802.1x order of operations.png

Cheers,

Greg

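To make the gap Greg describes observable on a test machine, here is an added PowerShell check (not from his post, and not a Cisco or Microsoft tool): run in the user's session right after logon, it looks in the user's personal store for a Client Authentication certificate, triggers an on-demand autoenrollment pass with certutil -pulse, and reports how long the certificate takes to appear. The EKU OID, the store location and the two-minute polling window are my assumptions about a typical AD autoenrollment setup.

```powershell
# Added diagnostic (not from the thread): report whether a user certificate usable
# for EAP-TLS exists at logon, or only after GPO / autoenrollment has run.
# Assumptions: the user cert is autoenrolled into Cert:\CurrentUser\My and carries
# the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2); certutil -pulse only asks
# the autoenrollment task to run now instead of waiting for the GPO cycle.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-UserEapTlsCert {
    # A cert the 802.1x supplicant can use: private key present, not expired,
    # and Client Authentication listed in its Enhanced Key Usage.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
        }
}

$start = Get-Date
$found = @(Get-UserEapTlsCert)
if ($found.Count -gt 0) {
    Write-Output "User cert already present at logon: $($found[0].Subject) (expires $($found[0].NotAfter))"
    return
}

Write-Output "No user client-auth cert in CurrentUser\My at $start; triggering an autoenrollment pulse."
certutil -pulse | Out-Null

# Poll for up to two minutes so the delay between logon and enrollment is measurable.
$deadline = $start.AddMinutes(2)
do {
    Start-Sleep -Seconds 10
    $found = @(Get-UserEapTlsCert)
} until ($found.Count -gt 0 -or (Get-Date) -gt $deadline)

if ($found.Count -gt 0) {
    $delay = [int]((Get-Date) - $start).TotalSeconds
    Write-Output "Cert enrolled ${delay}s after logon: $($found[0].Subject)"
} else {
    Write-Output "Still no user cert after 2 minutes; user EAP-TLS would fail until GPO autoenrollment completes."
}
```

Compare the reported delay against the ISE live log timestamp of the failed user authentication to confirm the ordering on a given build of Windows.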

3 REPLIES
Cisco Employee

Re: EAP-TLS User Certificate Authentication with ISE

Hi NETAD,

Unfortunately, this is how MS implemented 802.1x and certificate enrollment. The certificate enrollment happens as part of the User GPO push, but the 802.1x process to transition from a Computer state to a User state happens before the GPO. This causes the catch-22 scenario you're seeing.

This is one major reason for many customers making the decision to back off using User auth and just use Computer auth for Wired 802.1x when using EAP-TLS. Some customers also decide to use PEAP-MSCHAPv2 over EAP-TLS for this reason but, in an attempt to mitigate threats like pass-the-hash, the MS Credential Guard feature that's enabled by default in the Domain Policy for Win10 PCs with UEFI and SecureBoot enabled breaks MSCHAPv2. So, they've essentially broken option 2 without ever fixing option 1.

https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-considerations 

You might consider using Computer auth or contacting MS to determine if they have (or are working on) a mechanism to resolve this inherent catch-22.

VIP Advisor

Re: EAP-TLS User Certificate Authentication with ISE

No, that's not normal. If your GPO pushes the certificate, it has to be enrolled once the user logs in and the user profile is created. Check your AD configuration, as this isn't caused by ISE.

The transition from machine authentication to user authentication is how it should work when the user logs in.

***** remember to rate useful posts