cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Register for SecureX webinars to learn about our newest integrations and features.

843
Views
0
Helpful
1
Replies
Numen_D1v1num
Beginner

Closed Authentication mode and certificate-based authentication

Hello everyone,

 

I am currently building a new network based on Cisco DNA (SD-Access) architecture.

The network is planned to be a shared service for several companies residing in one building.

The company's separation is achieved via placing the users of every company into the different Virtual Network (VRF) on the Fabric, based on 802.1x authentication and authorization performed by ISE 3.0 connected to MS AD domains.

Virtual Networks have separate IP pools, and traffic is routed via different firewalls. 

 

To achieve the better security between the aforementioned companies, I've decided to go with the Closed Authentication mode on the Fabric Access ports ("Authentication must succeed prior to the network access"), so the end user hosts don't have IP and networking stack until authenticated, only EAP traffic is flowing.

That works fine with EAP-PEAP + MS-CHAPv2 (user/password authentication), but I have troubles implementing the certificated-based authentication.

 

On the clients (testing with Windows 10 build 19042), in the CAPI2 logs, I see that the OS is trying to perform the certificate revocation check for the client certificate that must be presented to the ISE, and this check fails due to the unavailable CRL and OCSP ("The revocation function was unable to check revocation because the revocation server was offline").

That is not a surprise - the networking stack and IP address are missing - but I can't understand whether it is valid client behavior or not. Shouldn't there be "fail-open" approach in such case?..

Do I miss some configuration on the clients?..

 

In general, what do you think about such a scheme?

Is it theoretically working?

Or should I place all the clients into the separate Virtual Network with Open Authentication mode, and then perform authentication with placing the into the correct Virtual Network?

1 ACCEPTED SOLUTION

Accepted Solutions
Numen_D1v1num
Beginner

I have figured it out.

The scheme is possible and working.

The issue was with the user certificates - there was a reference to the OCSP URL in the AIA field. Once we got rid of it (only CRL is left), everything start working like a charm.

In general, I believe that is the specific behavior of the Windows clients.

View solution in original post

1 REPLY 1
Numen_D1v1num
Beginner

I have figured it out.

The scheme is possible and working.

The issue was with the user certificates - there was a reference to the OCSP URL in the AIA field. Once we got rid of it (only CRL is left), everything start working like a charm.

In general, I believe that is the specific behavior of the Windows clients.

Create
Recognize Your Peers
Content for Community-Ad
Additional Cisco Threat Response Resources


August's Community Spotlight Awards