802.1X Windows authentication with ISE 3.1 with new Certificate

joeharb (Level 5)

We are in the process of replacing our existing PKI infrastructure with a new Root and CA.  We are using a GPO-pushed profile and are having issues with clients connecting if they only have the new certificate deployed to their workstation.  The client states that the certificate can't be found for this connection.  I have asked the AD administration to make sure that the new Root and CA are added to the wifi profile for both server and client certs but am still having issues with connecting.  I have created the profile directly on the same laptop and made sure to trust both legacy and new certs and it connects without issue.  My main ask here is: does anyone know how I can prove that the issue is with the profile and point the AD administrator in the proper direction to resolve it?

Thanks,

Joe

5 Replies

ammahend (VIP)

Is the new CA root cert added to the ISE trusted certificate store?

Also share live log details from ISE for any one failed client.

-hope this helps-

Yes, the new certs are added to the ISE deployment. I have looked at the ISE live logs and it appears the identity is the MAC address of the machine.  I have also captured good and bad authentications from the WLC, and it appears that the client never responds with its identity when using the GPO profile, but when I use the manually created one it does. I feel fairly confident that the client is not presenting anything since it doesn't want to use the new certificate signed by the new CA, but I am not sure how to prove it...

Thanks,

Joe

How far do you go when you do a capture on the endpoint? Under the client key exchange I think you can see certificate details, something like below; I think it also gives issuer detail, then you can prove whether the cert format looks different vs. the working one.  I don't have a machine to capture on right now, but you can play around with this.


-hope this helps-

I have tried to do a capture on the laptop that I am testing with, but I get no packets within Wireshark when trying to connect to the wireless.  The capture I do have is from the WLC and I don't ever see a Client Hello sent... it looks like the request for identity is sent to the client but it never responds, and my assumption is that it isn't responding because it doesn't have a certificate that is signed by a CA that the profile is expecting.  It is very frustrating that within Windows 10 you can't see the settings (even if I can't modify them) of the profile that is provided by our GPO, or maybe I am just missing it...

Thanks,

Joe
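The following is an added example, not something posted in the thread above. It addresses the two points Joe raises: proving that the GPO-pushed profile is the problem, and seeing the settings of a read-only Group Policy WLAN profile on Windows 10. `netsh wlan export profile` writes the full profile XML (including the EapHostConfig block) even for GPO-delivered profiles, so the script exports it, pulls out the server-validation root thumbprints (`TrustedRootCA`) and the client-certificate issuer filter (`IssuerHash` under `CAHashList`), checks each against the machine's Root and CA stores, and then lists the machine certificates that would be eligible for EAP-TLS and whether their chain passes through an allowed issuer. The profile name `CorpWiFi` and the export folder are assumptions; the script assumes an EAP-TLS (EAP type 13) profile with SHA-1 thumbprints, as Windows writes them.

```powershell
# Added example (not from the thread): export the effective WLAN profile on the
# client and check its EAP-TLS trust anchors against the local certificate stores.
# Assumptions: profile name "CorpWiFi" (hypothetical), export folder C:\Temp\wlan,
# EAP-TLS profile (EAP type 13). Run in an elevated PowerShell on the workstation.
param(
    [string]$ProfileName = "CorpWiFi",
    [string]$ExportDir   = "C:\Temp\wlan"
)

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# Group Policy profiles are read-only in the GUI, but netsh still exports their XML.
netsh wlan export profile name="$ProfileName" folder="$ExportDir" | Out-Null
$xmlFile = Get-ChildItem -Path $ExportDir -Filter "*$ProfileName*.xml" | Select-Object -First 1
if (-not $xmlFile) { throw "No exported profile found for '$ProfileName'" }
[xml]$wlanXml = Get-Content -Path $xmlFile.FullName

# The WLAN, OneX and EapHostConfig schemas each carry their own xmlns, so match
# elements by local name and normalise the space-separated hex Windows writes.
function Get-HexList([xml]$doc, [string]$element) {
    $doc.SelectNodes("//*[local-name()='$element']") |
        ForEach-Object { ($_.InnerText -replace '[\s:]', '').ToUpperInvariant() } |
        Where-Object { $_ }
}

$eapType = ($wlanXml.SelectNodes("//*[local-name()='EapMethod']/*[local-name()='Type']") |
            Select-Object -First 1).InnerText
"EAP method type in profile: $eapType  (13 = EAP-TLS, 25 = PEAP)"

# Server validation: root CA thumbprints the client accepts for the ISE/RADIUS cert.
$trustedRoots = @(Get-HexList $wlanXml 'TrustedRootCA')
# Client cert filter: CA thumbprints whose issued certificates the client may present.
$issuerHashes = @(Get-HexList $wlanXml 'IssuerHash')

$localCAs = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA
function Describe-Thumbprint([string]$tp) {
    $c = $localCAs | Where-Object Thumbprint -eq $tp | Select-Object -First 1
    if ($c) { "  $tp  present  ($($c.Subject), expires $($c.NotAfter.ToShortDateString()))" }
    else    { "  $tp  NOT in LocalMachine\Root or LocalMachine\CA" }
}
"TrustedRootCA (server validation):"
if ($trustedRoots.Count -eq 0) { "  (none: any root in the machine store is accepted)" }
$trustedRoots | ForEach-Object { Describe-Thumbprint $_ }
"IssuerHash (client certificate filter):"
if ($issuerHashes.Count -eq 0) { "  (none: no issuer filter applied)" }
$issuerHashes | ForEach-Object { Describe-Thumbprint $_ }

# Machine certs that EAP-TLS could use: private key present, Client Authentication EKU,
# and a chain containing one of the issuers the profile allows.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
"Candidate machine certificates in LocalMachine\My:"
Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
} | ForEach-Object {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($_)
    $chainTps = $chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }
    $hits = @($chainTps | Where-Object { $issuerHashes -contains $_ })
    $verdict = if ($issuerHashes.Count -eq 0) { "no issuer filter in profile" }
               elseif ($hits.Count -gt 0)     { "chain matches the profile issuer filter" }
               else { "chain does NOT match any IssuerHash (client will not offer this cert)" }
    "  $($_.Subject)  issuer=$($_.Issuer)  -> $verdict"
}
```

Run it once against the GPO profile and once against the manually created profile that works (or simply export both and diff the two XML files): if the working profile lists the new CA's thumbprint under `TrustedRootCA` and `IssuerHash` and the GPO profile still lists only the legacy ones, that output is the evidence to hand to the AD administrator.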