07-24-2019 03:18 AM
Hi Guys,
I have machine and user authentication using MAR in place.
I have multiple certificates signed by the same CA in my endpoint's certificate store (computer and user), and sometimes the endpoint uses a different certificate for the EAP authentication.
How can I configure the endpoint to use a specific certificate for EAP authentication? I am using Windows 10 and ISE 2.4.
Thanks
07-24-2019 03:53 AM - last edited on 07-24-2019 07:43 PM by hslai
Check this out: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj200227(v=ws.11)
For user certificates, Windows prompts the user to make a manual selection of which certificate to use. For computer certificates, the certificate with the highest weight is selected. If the selected certificate is the incorrect certificate for the connection, authentication fails. These filtering mechanisms are very rudimentary and user intervention is still required in most cases.
This is interesting, but not sure if it applies to machine authentication in Windows:
Certificate weight as a filtering mechanism
When a Smart Card certificate is used for Pre-Logon-Access Provider (PLAP) scenarios, the weight of the certificate is also used for filtering. The weight of a certificate is determined by the certificate revocation list Distribution Point (CDP) and by the Authority Information Access (AIA) properties that are present in the certificate. AIA has a weight of 2 and CDP has a weight of 1. If both properties are present then Windows adds their weights together to determine the certificate weight. After this process, Windows selects and uses the certificate that has the highest weight value.
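An added example, not part of the original post: a PowerShell check that lists the computer certificates on an endpoint and scores each with the weight rule quoted above (AIA = 2, CDP = 1, summed), so an administrator can see which one ranks highest. The `Cert:\LocalMachine\My` store, the Client Authentication EKU filter and the helper name `Get-CertWeight` are assumptions of this example; it reports the weight only and does not reproduce the rest of Windows' selection logic.

```powershell
# Added example: rank computer certificates by the quoted weight rule.
# Assumptions: certificates live in LocalMachine\My and carry the
# Client Authentication EKU; Get-CertWeight is a hypothetical helper.
$AiaOid        = '1.3.6.1.5.5.7.1.1'  # Authority Information Access extension
$CdpOid        = '2.5.29.31'          # CRL Distribution Points extension
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'  # Client Authentication EKU

function Get-CertWeight {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $weight = 0
    foreach ($ext in $Cert.Extensions) {
        if     ($ext.Oid.Value -eq $AiaOid) { $weight += 2 }  # AIA present
        elseif ($ext.Oid.Value -eq $CdpOid) { $weight += 1 }  # CDP present
    }
    return $weight
}

$now = Get-Date
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        # Keep only certificates that could be offered for EAP-TLS:
        # private key present, inside validity period, client-auth EKU.
        # Certificates with no EKU extension at all are skipped here.
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
    } |
    Select-Object Thumbprint, Subject, Issuer, NotAfter,
        @{ Name = 'Weight'; Expression = { Get-CertWeight -Cert $_ } } |
    Sort-Object -Property Weight -Descending |
    Format-Table -AutoSize
```

Certificates that tie on weight show up adjacent in the output, which is the situation where the endpoint's choice is least predictable.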
07-24-2019 04:00 AM
Hi @Surendra ,
Thanks for the feedback.
I cannot open the link; it says 404 - Content Not Found.
Technically, Windows 10 cannot do it automatically? I mean without user intervention?
How about the Simple Certificate Selection (Advanced Setting), will it help?
Thanks
07-24-2019 04:30 AM
07-24-2019 04:44 AM
Hi @Surendra ,
Thanks for the help.
Technically, it seems to be a limitation on the endpoint side.
Thanks