
Windows 10 EAP-TLS client authentication not working but machine does

joeharb
Level 5

We are rolling out dot1x and are having issues with user authentication. Both the client and machine certs as well as the EAP cert on ISE were signed by our internal CA and PEAP works without issue. If I set the supplicant to EAP-TLS and only Computer authentication everything works fine. User will not authenticate, and the ISE logs state the supplicant stopped responding. I have a TAC case open and we have discovered that the supplicant doesn’t respond with the client/user cert in the RADIUS Access-Request after it has received the Access-Challenge from ISE that contains the full ISE chain. The capture of the machine authentication shows the response with the TLS certificate chain of the machine. Does this mean the client doesn’t trust ISE but the machine does? I have checked the cert store for both user and computer and they contain the intermediate and root CA.

Has anyone else had this issue?

Thanks

Joe

2 Replies

hslai
Cisco Employee

If you are worrying about the client auth not trusting ISE, then you may set it to not verify the server certificate.

It's likely MS Windows OS has trouble retrieving the client certificate in the user cert store or it does not consider it a proper certificate for EAP-TLS. TAC might be willing to help recreate it. You might also consider engaging Microsoft support.

Thanks for the response, the ISE logs show the user name that is in the certificate, and when I tell the supplicant to use a different username it prompts for the certificate and the only one that is valid is the intended certificate.  I will try to change the client to not check the certificate, but I don't understand if that is truly the issue that machine works.

I am hoping to get support from MS next week.

Thanks,

Joe
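
The reply above suggests Windows may be unable to retrieve the user certificate or may not consider it suitable for EAP-TLS. As an added example (not part of the thread, and not Cisco or Microsoft tooling), this PowerShell sketch, run as the affected user, reports the properties of each certificate in the user's Personal store that are worth checking first. The list of checks is an assumption based on commonly documented EAP-TLS client certificate requirements, and the `Principal Name=` match assumes an English-locale Windows.

```powershell
# Added diagnostic sketch (assumption-based checks, not from the thread).
# Run in the affected user's session so Cert:\CurrentUser\My is that user's store.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$sanOid        = '2.5.29.17'           # subjectAltName
$now           = Get-Date

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # Enhanced Key Usage: collect the OIDs listed in the EKU extension, if any.
    $ekuExt  = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Subject Alternative Name: a user certificate normally carries the UPN here.
    # Format() output is localized; 'Principal Name=' is the English rendering.
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }

    # Build the chain from the user's point of view, without revocation lookups,
    # so the result reflects only what is in the local stores.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        InValidity    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        ClientAuthEku = ($ekuOids -contains $clientAuthOid)
        UpnInSan      = ($sanText -match 'Principal Name=')
        SanText       = $sanText
        ChainBuilds   = $chainOk
        ChainStatus   = $status
    }
} | Format-List
```

Any `False` in `HasPrivateKey`, `InValidity`, `ClientAuthEku`, `UpnInSan` or `ChainBuilds` for the intended certificate is a lead to compare against the working machine certificate in `Cert:\LocalMachine\My`.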

 
