Multiple Client Certificates

fatalXerror

Hi Guys,

I have machine and user authentication using MAR in place.

 

I have multiple certificates signed by the same CA in my endpoint's certificate store (computer and user), and sometimes the endpoint uses a different certificate for EAP authentication.

 

How can I configure the endpoint to use a specific certificate for EAP authentication? I am using Windows 10 and ISE 2.4.

 

Thanks

Accepted Solutions

Surendra
Cisco Employee

Check this out : https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj200227(v=ws.11)

For user certificates, Windows prompts the user to make a manual selection of which certificate to use. For computer certificates, the certificate with the highest weight is selected. If the selected certificate is the incorrect certificate for the connection, authentication fails. These filtering mechanisms are very rudimentary and user intervention is still required in most cases.

This is interesting, but I am not sure if it applies to machine authentication in Windows:

Certificate weight as a filtering mechanism
When a Smart Card certificate is used for Pre-Logon-Access Provider (PLAP) scenarios, the weight of the certificate is also used for filtering. The weight of a certificate is determined by the certificate revocation list Distribution Point (CDP) and by the Authority Information Access (AIA) properties that are present in the certificate. AIA has a weight of 2 and CDP has a weight of 1. If both properties are present then Windows adds their weights together to determine the certificate weight. After this process, Windows selects and uses the certificate that has the highest weight value.

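As an added example (not part of this thread, and not a Microsoft or Cisco tool), the PowerShell below lists the certificates in the machine store that could be offered for EAP-TLS and scores them with the AIA (2) / CDP (1) weighting quoted in the answer above, so you can see which one would be favoured and whether two of them tie. The function names, the -IssuerPattern parameter and the CA name "Corp-Issuing-CA" are this example's own assumptions; the filter (private key present, not expired, clientAuth EKU or no EKU) is an approximation of the candidate set, not the EAP client's exact logic.

```powershell
# Added example, not from the thread. Scores machine certificates with the
# AIA(2)/CDP(1) weight described in the quoted Microsoft text.
# Assumed names: Get-EapCertificateWeight, Get-EapCandidateCertificate,
# -IssuerPattern and the CA name 'Corp-Issuing-CA' are placeholders.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'       # id-kp-clientAuth EKU
$AiaOid        = '1.3.6.1.5.5.7.1.1'       # Authority Information Access
$CdpOid        = '2.5.29.31'               # CRL Distribution Points
$TemplateOid   = '1.3.6.1.4.1.311.21.7'    # Microsoft certificate template information (v2+ templates)

function Get-EapCertificateWeight {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Quoted rule: AIA counts 2, CDP counts 1; both present gives 3.
    $weight = 0
    foreach ($ext in $Certificate.Extensions) {
        if ($ext.Oid.Value -eq $AiaOid) { $weight += 2 }
        elseif ($ext.Oid.Value -eq $CdpOid) { $weight += 1 }
    }
    return $weight
}

function Get-EapCandidateCertificate {
    param(
        # Use Cert:\CurrentUser\My to inspect the user certificates instead.
        [string]$StorePath = 'Cert:\LocalMachine\My',
        # Wildcard matched against the issuer DN (assumed placeholder when called below).
        [string]$IssuerPattern = '*'
    )
    Get-ChildItem -Path $StorePath |
        Where-Object {
            # No EKU extension means "any purpose"; otherwise require clientAuth.
            $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            $_.Issuer -like $IssuerPattern -and
            ($ekus.Count -eq 0 -or $ekus -contains $ClientAuthOid)
        } |
        ForEach-Object {
            $tmpl = $_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateOid } | Select-Object -First 1
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
                Weight     = Get-EapCertificateWeight -Certificate $_
                Template   = if ($tmpl) { $tmpl.Format($false) } else { '(none)' }
            }
        } |
        Sort-Object -Property Weight, NotAfter -Descending
}

# Example run; the CA name is an assumed placeholder.
$candidates = Get-EapCandidateCertificate -IssuerPattern '*CN=Corp-Issuing-CA*'
$candidates | Format-Table Thumbprint, Weight, NotAfter, Subject, Template -AutoSize

# Several certificates sharing the highest weight means the quoted rule
# gives no deterministic winner, which fits the "sometimes a different
# certificate" symptom in the question.
$top = $candidates | Group-Object Weight | Sort-Object { [int]$_.Name } -Descending | Select-Object -First 1
if ($top -and $top.Count -gt 1) {
    Write-Warning "$($top.Count) certificates share the highest weight ($($top.Name)); weight alone does not pick one."
}
```

Run it in an elevated PowerShell on the endpoint. The Template column is there because two certificates from different templates issued by the same CA typically carry the same AIA and CDP extensions, and therefore the same weight; when that is the case the output shows the tie directly rather than leaving you to infer it from intermittent authentication failures on ISE.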

4 Replies

Hi @Surendra ,

Thanks for the feedback.

I cannot open the link it says 404- Content Not Found.

Technically, Windows 10 cannot do it automatically? I mean without user intervention?

How about the Simple Certificate Selection (Advanced Setting), will it help?

Thanks

I think the ")" at the end of the URL is missing when you click it from this page. Anyway, SCS does not help specify a specific certificate to be used; rather, it simplifies the selection by showing only the relevant certificates to choose from and ordering those certificates smartly. It still involves user intervention.

Hi @Surendra ,

Thanks for the help.

Technically, it seems to be a limitation on the endpoint side.

Thanks
