802.1x Certificate authentication work flow

MrBeginner
Spotlight

Dear All,

I am a beginner. I don't understand 802.1x wired authentication with certificates.

Whenever we are using machine authentication or user authentication with a cert, we need to install the root cert and user cert, or the root cert and machine cert, on the domain-joined client PCs. So if I use a wrong user cert or machine cert from a machine that is not joined to the domain, I always see a "user not found" error. Does this mean this process always checks the domain user account or computer account in the domain?

Because I tried to manually request and install a cert on workgroup PCs, and it also showed a "user not found" error. So can I install another domain user account's cert on workgroup PCs and use it for authentication? Can one user account authenticate concurrently?

I also want to know: for 802.1x authentication, do we need to always keep the CA server powered on? Can I shut down the CA servers once cert enrollment is finished?



Colby LeMaire
VIP Alumni

There are a lot of variables in your questions.  I will try to break them down in pieces.

- For ISE to authenticate the client certificate, the Root or Intermediate CA certificates need to be installed in ISE's certificate store and trusted for client authentication.  This would be the Root/Intermediate that issued the client certificate.

- If the client/supplicant is configured to verify the server's identity, then the Root/Intermediate CA certificate of the CA that issued ISE its EAP Authentication certificate must be installed on the client in its trusted certificate store.  If the client is not configured to verify the server, then you won't need this.  But I recommend it for security.

- To authenticate a certificate, ISE uses a Certificate Authentication Profile (CAP).  In that CAP configuration, you tell ISE what field in the certificate to use as the "identity".  There is also an option to check against Active Directory to resolve ambiguity.  If that option is checked, then ISE will check for the "identity" in AD.  If not there, then you will get the error of user not found.  But you don't need to check AD.  If that option is not checked, then ISE will just verify the certificate is valid and issued by a CA that ISE trusts.

- If you have any rules in the authorization policy that check for group membership, then ISE will need to check AD using the "identity" from the certificate based on your CAP.

- Again, it doesn't have to check AD for certificate authentication.  But you have to make sure your CAP configuration is not setup for checking AD.

- The user certificate will be assigned to a particular user on the machine and I don't believe can be used for other users on the same machine.  The machine certificate can be used for the machine no matter who is logged in.

- You don't need the CA server online unless you have your CA certificate configured for doing certificate revocation checks using CRL or OCSP.  If that is not configured, then your CA can be offline.  ISE just verifies that the certificate is valid and that it was issued by a CA that ISE trusts.

Hope that helps!

Hi,

Firstly I want to say thanks for your detailed explanation.

I would like to ask a question based on your answer.

==> But you don't need to check AD.  If that option is not checked, then ISE will just verify the certificate is valid and issued by a CA that ISE trusts. <==

1. Does this mean we can use this method for workgroup computers to authenticate with 802.1x?

If we don't check AD, which resource is used to check whether it is valid or not? Will it use the CAP only? We don't need to create a local user in ISE?

That is correct.  You could even authenticate a Linux machine or MacBook at that point.  ISE just checks that the certificate is valid.  And all ISE needs for that is the CA certificate in its trusted certificate store and within the CA certificate config, make sure you check the option for "Trust for client authentication".  That's it.  No need for AD.

Just a follow-up on this.  We typically don't use AD in our CAPs as we want them to function for all use cases.  Our CAPs just point to the SAN field for identity and we leave it at that.  So as Colby mentioned in the authentication phase ISE is only checking that the certificate is valid, not revoked (if you have revocation checking enabled) and that it was issued by a CA that ISE has trust for client authentication enabled.

Now once you get to the authorization phase you can do all sort of magic including AD group lookups:

  1. EAP-TLS and Member of Domain Computers
  2. EAP-TLS and Member of Domain Users
  3. EAP-TLS and issuer common name Call Manager
  4. EAP-TLS (to catch other valid cert auths)

Hello Colby, How you doing?

Please! In Jesus name! I need your help to solve a case with my ISE environment.

We have an infrastructure with Cisco ISE 2.6 integrated with Microsoft Active Directory.

In a policy we have, computers can only enter the network if they are members of the internal domain. When configuring ISE we placed the domain's Root CA certificate in ISE's trusted authorities repository, and obviously this same certificate is present on the computers in the domain.

What is the problem we are currently facing: Suddenly some machines lost connection with the WIFI provided with ISE. It doesn't even come in. Unless... we take the computer, take it out of the domain and then reinsert it again. Then the connection is made automatically again. However, if I delete this connection from Windows, it doesn't connect again even by praying.

My questions are:

1) Which certificate does ISE use to do the handshake?

2) Which certificate must the client computer have installed to close the handshake?

Thank you a lot!

For 802.1x authentication, ISE will present its "EAP Authentication" certificate.  You can see this certificate in ISE under Administration->System->Certificates.  The one that has the "EAP Authentication" option selected will be presented.  Each ISE node in your deployment can use different certificates so you need to check each PSN.

The client should have the Root/Intermediate CA certificate of the CA that issued ISE its "EAP Authentication" certificate in the client's trusted certificate store.  That will allow the client to trust the ISE node.

Separately, the client would have its own identity certificate installed within the personal certificate store on the computer.  That certificate should have the EKU option of "Client Authentication".  This would be the certificate that says this is computer X or user Y.

For ISE to authenticate that identity certificate, ISE should have the CA certificates installed in its own trusted certificate store and then the option within it to trust for client authentication.
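The checks Colby describes in his two replies (ISE validating the client's identity certificate against its trusted store with no AD lookup and no revocation checking, and the client validating the ISE "EAP Authentication" certificate against the CA in its own trusted store) can be reproduced on the command line. The script below is an added example, not code from this thread or from Cisco: it builds a throwaway PKI with openssl, and all CA names, file names and SAN identities in it are made up for the demo. It goes slightly beyond the thread by also showing what happens once revocation checking is switched on, and it uses openssl's `-purpose` flag as a stand-in for the "Trust for client authentication" / Client Authentication EKU check.

```sh
#!/bin/sh
# Added example, not part of the thread. Everything below is constructed for the
# demo; nothing talks to a directory server or to a live CA.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed CA. $1 = file prefix, $2 = CN
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -config demo.cnf \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" -days 2 2>/dev/null
}

# Leaf certificate. $1 = CA prefix, $2 = file prefix, $3 = SAN, $4 = EKU
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
    -subj "/CN=$2" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\nsubjectAltName=%s\n' "$4" "$3" > "$2.ext"
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -out "$2.pem" -days 1 -extfile "$2.ext" 2>/dev/null
}

# ISE side, authentication phase with no AD lookup and no CRL/OCSP configured:
# chains to a CA in the trusted store, validity dates, EKU usable for client
# auth. $1 = trusted CA file, $2 = client certificate. Exit 0 = accept.
validate_client_cert() {
  openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# Client side: the supplicant checks the ISE "EAP Authentication" certificate
# against the CA in its own trusted store. $1 = trusted CA file, $2 = ISE cert.
validate_server_cert() {
  openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1
}

# The "identity" a CAP pointed at the SAN field would extract: first SAN entry,
# with the DNS:/email: type prefix stripped. $1 = client certificate.
identity_from_san() {
  openssl x509 -in "$1" -noout -text | awk '
    /Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); sub(/^[^:]*:/, ""); sub(/,.*/, ""); print; exit }'
}

# Same validation with revocation checking on: a CRL for the issuing CA must
# now be obtainable, which is the case where the CA (or its CRL/OCSP endpoint)
# has to be reachable. Here no CRL exists, so the check fails.
validate_with_crl_check() {
  openssl verify -CAfile "$1" -crl_check "$2" >/dev/null 2>&1
}

# --- constructed PKI (all names made up) ------------------------------------
make_ca trusted-ca "Lab Root CA trusted by ISE"
make_ca other-ca   "Some Other CA"
issue_leaf trusted-ca ise-eap   "DNS:ise-psn1.lab.test"     serverAuth   # ISE EAP cert
issue_leaf trusted-ca pc01      "DNS:pc01.lab.test"         clientAuth   # domain machine
issue_leaf trusted-ca laptop    "DNS:laptop.workgroup.test" clientAuth   # workgroup machine
issue_leaf other-ca   rogue     "DNS:pc01.lab.test"         clientAuth   # right name, wrong CA
issue_leaf trusted-ca nonclient "DNS:web01.lab.test"        serverAuth   # trusted CA, wrong EKU

report() {  # $1 = label, rest = command to run
  label=$1; shift
  if "$@"; then echo "accept  $label"; else echo "reject  $label"; fi
}
report "pc01 (domain member, trusted CA)"       validate_client_cert trusted-ca.pem pc01.pem
report "laptop (workgroup, trusted CA)"         validate_client_cert trusted-ca.pem laptop.pem
report "rogue (same SAN, untrusted CA)"         validate_client_cert trusted-ca.pem rogue.pem
report "nonclient (trusted CA, serverAuth EKU)" validate_client_cert trusted-ca.pem nonclient.pem
report "client trusts ISE EAP certificate"      validate_server_cert trusted-ca.pem ise-eap.pem
report "pc01 with CRL checking, no CRL present" validate_with_crl_check trusted-ca.pem pc01.pem
echo "CAP identity from pc01 SAN: $(identity_from_san pc01.pem)"
```

The workgroup laptop is accepted exactly like the domain PC because the only thing checked in this phase is the chain to a trusted CA, the validity dates and the EKU; whether the name in the SAN exists anywhere is a question for the CAP's AD lookup or for the authorization policy, not for certificate validation. The last report line is the one to keep in mind when deciding whether the CA can be powered off: validation without revocation checking needs nothing but the CA certificate file, while enabling it makes a reachable CRL or OCSP source a hard dependency.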

 

Hi Colby, So it would be: 1) In ISE I need to have my root CA certificate installed in the trusted authorities area. 2) On the client computer I need to have the same root CA certificate installed in the Trusted Certification Authorities area. 3) On the client computer, to enter this wifi network using the domain's computer account, do I need to have a certificate installed in the personal area of the computer? In other words I would need a gpo to push a certificate used only to authenticate computer. That's it?
