Closed Authentication mode and certificate-based authentication

Numen_D1v1num
Level 1

Hello everyone,


I am currently building a new network based on Cisco DNA (SD-Access) architecture.

The network is planned to be a shared service for several companies residing in one building.

The companies' separation is achieved by placing the users of every company into a different Virtual Network (VRF) on the Fabric, based on 802.1X authentication and authorization performed by ISE 3.0 connected to MS AD domains.

Virtual Networks have separate IP pools, and traffic is routed via different firewalls. 


To achieve better security between the aforementioned companies, I've decided to go with the Closed Authentication mode on the Fabric access ports ("Authentication must succeed prior to the network access"), so the end-user hosts don't have an IP address or networking stack until authenticated; only EAP traffic is flowing.

That works fine with EAP-PEAP + MS-CHAPv2 (user/password authentication), but I have trouble implementing the certificate-based authentication.


On the clients (testing with Windows 10 build 19042), in the CAPI2 logs, I see that the OS is trying to perform the certificate revocation check for the client certificate that must be presented to the ISE, and this check fails due to the unavailable CRL and OCSP ("The revocation function was unable to check revocation because the revocation server was offline").

That is not a surprise - the networking stack and IP address are missing - but I can't understand whether it is valid client behavior or not. Shouldn't there be a "fail-open" approach in such a case?

Am I missing some configuration on the clients?


In general, what do you think about such a scheme?

Is it theoretically working?

Or should I place all the clients into a separate Virtual Network with Open Authentication mode, and then perform authentication, placing them into the correct Virtual Network?


Accepted Solutions

Numen_D1v1num
Level 1

I have figured it out.

The scheme is possible and working.

The issue was with the user certificates - there was a reference to the OCSP URL in the AIA field. Once we got rid of it (only the CRL is left), everything started working like a charm.

In general, I believe that is the specific behavior of the Windows clients.
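To find certificates that carry the configuration the accepted answer describes (an OCSP responder URL in the AIA extension, which the Windows client tries to reach before the closed-mode port grants IP connectivity), an added audit script for the Windows client follows. It is not from the original thread; it assumes the EAP-TLS user certificate is in Cert:\CurrentUser\My (use Cert:\LocalMachine\My for machine certificates) and relies only on standard .NET X509 extension formatting.

```powershell
# Added example: list client-auth certificates in the user's personal store
# and flag those whose AIA extension contains an OCSP responder URL.
# Assumption: run on the Windows 10 client itself; store path may be changed.

$AiaOid     = '1.3.6.1.5.5.7.1.1'            # Authority Information Access
$CrlDpOid   = '2.5.29.31'                    # CRL Distribution Points
$EkuOid     = '2.5.29.37'                    # Enhanced Key Usage
$ClientAuth = '1.3.6.1.5.5.7.3.2'            # Client Authentication EKU
$OcspMethod = '1\.3\.6\.1\.5\.5\.7\.48\.1'   # id-ad-ocsp access method, as regex

function Get-ExtensionText(
    [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
    [string] $Oid) {
    # Format($true) renders the extension one field per line, the same way the
    # certificate dialog does, e.g.
    #   Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
    #   Alternative Name:
    #        URL=http://ocsp.example.invalid
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($ext) { $ext.Format($true) } else { '' }
}

$report = foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
    # Skip certificates that cannot be used for client authentication at all
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuth })) {
        continue
    }

    # Each OCSP access-method entry in the AIA is followed by its URL line;
    # [^\[]*? stops the match at the next "[n]" entry of the extension.
    $aiaText  = Get-ExtensionText $cert $AiaOid
    $ocspUrls = [regex]::Matches($aiaText, "$OcspMethod\)[^\[]*?URL=(\S+)") |
        ForEach-Object { $_.Groups[1].Value }
    $crlUrls  = [regex]::Matches((Get-ExtensionText $cert $CrlDpOid), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        OcspUrls   = ($ocspUrls -join '; ')
        CrlUrls    = ($crlUrls -join '; ')
        # True = the certificate matches the failing configuration in the thread
        OcspInAia  = [bool] $ocspUrls
    }
}

$report | Sort-Object OcspInAia -Descending | Format-Table -AutoSize
```

Certificates reported with OcspInAia = True are the ones to reissue from a template whose AIA carries no OCSP URL, as the accepted answer did; checking this before rollout avoids discovering the CAPI2 revocation error on the closed-mode port.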
