An EAP-TLS Wi-Fi is Asking for Username and Password

Matthew Martin

I had an 802.1x EAP-TLS Wi-Fi network working in Windows NPS to auth PCs based on a machine certificate on the company laptops.

I'm trying to get this working on ISE. But, for some reason I'm being prompted for a Username and Password.

I pushed the Wi-Fi network settings to a test laptop using GPO. It's configured for Smart Card or other certificate Authentication, and the Mode = Computer. Under Properties I checked off our internal CA server as the Trusted CA.


Then, on ISE I followed this guide to set up the Cert authentication, Policy Sets, Certificate Authentication Profile, etc...


When the test client laptop tries to connect, I am getting prompted for a Username and Password... No idea why this is prompting me.

I have almost the exact same Policy Set for Wired, minus the Called-Station-ID condition, and Wired does not prompt for username and password. So I'm not sure why Wireless is.

Any ideas why this would be prompting for a username and password? Any thoughts would be greatly appreciated!

-Matt

6 Replies

@Matthew Martin has the GPO with these settings been applied to the computer? as opposed to the user.

Correct, GPO is applied to Computer according to "gpresult /r /scope computer".

Would that be something on the ISE side that is causing the Login Prompt? I tried removing the condition in Policy Sets that says the device needs to be in the "Domain Computers" group and I was still prompted. So I added that condition back...

-Matt

The Authentication Mode = Computer will only trigger an 802.1x authentication when in the Computer state (before the user logs in or after the user logs out). The supplicant does not have a profile for automatic user authentication using EAP-TLS, which is why you're being prompted for credentials (for PEAP[MSCHAPv2]).

If you want the supplicant to automatically authenticate when in the User state, you would need to change the Authentication mode to either 'User or Computer Authentication' or 'User Authentication'. The latter will mean there will be no network access in the Computer state.
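The quickest way to confirm which authentication mode the GPO actually delivered to the laptop is to export the WLAN profile and read the OneX settings out of the XML. The following PowerShell is an added example, not something posted in the thread; it assumes the pushed profile is named 'Corp-WiFi' and that it is visible to `netsh wlan export profile` on the test machine.

```powershell
# Added example (not from the thread). Exports the Windows WLAN profile and reports
# the 802.1X authentication mode and EAP method. Per the reply above, authMode=machine
# means the supplicant only does 802.1X in the Computer state and has nothing to offer
# for an automatic user-state logon, which is when the credential prompt appears.
# Assumption: the GPO-pushed profile is named 'Corp-WiFi'; change to match yours.
$profileName = 'Corp-WiFi'

$outDir = Join-Path $env:TEMP 'wlan-profile-check'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# netsh writes "<InterfaceName>-<ProfileName>.xml" into the target folder
netsh wlan export profile name="$profileName" folder="$outDir" | Out-Null
$xmlFile = Get-ChildItem -Path $outDir -Filter "*-$profileName.xml" | Select-Object -First 1
if (-not $xmlFile) {
    throw "Profile '$profileName' was not exported; compare against 'netsh wlan show profiles'."
}

[xml]$doc = Get-Content -Path $xmlFile.FullName -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('w',  'http://www.microsoft.com/networking/WLAN/profile/v1')
$ns.AddNamespace('ox', 'http://www.microsoft.com/networking/OneX/v1')

# authMode is an optional child of OneX: machine | user | machineOrUser
$authModeNode = $doc.SelectSingleNode('//ox:OneX/ox:authMode', $ns)
$authMode = if ($authModeNode) { $authModeNode.InnerText } else { '(absent)' }

# The EAP method type sits inside the nested EapHostConfig block; match by local name
# so the namespace differences do not matter. 13 = EAP-TLS, 25 = PEAP.
$eapTypeNode = $doc.SelectSingleNode('//ox:OneX/ox:EAPConfig//*[local-name()="Type"]', $ns)
$eapType = if ($eapTypeNode) { $eapTypeNode.InnerText } else { '(absent)' }
$eapNames = @{ '13' = 'EAP-TLS (Smart Card or other certificate)'; '25' = 'PEAP'; '26' = 'EAP-MSCHAPv2' }
$eapLabel = if ($eapNames.ContainsKey($eapType)) { $eapNames[$eapType] } else { "type $eapType" }

[pscustomobject]@{
    Profile   = $profileName
    AuthMode  = $authMode
    EapMethod = $eapLabel
    Exported  = $xmlFile.FullName
}

# Interpretation, following the reply above:
#   machine        -> 802.1X only before logon / after logoff; user state gets a prompt
#   machineOrUser  -> machine cert in the Computer state, automatic auth in the User state
#   user           -> User state only; no network access in the Computer state
```

If the export fails, the profile is not present on the machine at all, which points back at GPO application rather than at ISE.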

@Matthew Martin If it's prompting for authentication I believe this is a supplicant issue. If the supplicant was configured correctly, I'd expect the authentication request to be sent to ISE and the ISE logs to reflect a failed authentication (if the ISE rules were incorrect/not matched), not prompt for credentials on the computer side.

If the device is configured for "Computer authentication" 802.1X can trigger in the user state, it sends the computer credentials to ISE.

johnwood-mt

Hey Matt,

I can totally understand the frustration when things don't work as expected, especially when you’ve got everything working smoothly for your wired network but hitting a snag with wireless. Let's dive into this and see if we can figure out why you're being prompted for a username and password on the wireless setup.

Double-Check Your Settings

1. Certificate Authentication Profile:
- Ensure that the profile is correctly set up in ISE to use machine certificates. It’s easy to miss a setting here that might default to user authentication.

2. Policy Sets:
- Compare your wireless policy set with your wired one. Since the wired one works without prompting, there might be a subtle difference. Pay special attention to the conditions and rules applied.

3. GPO Settings:
- Verify that the GPO settings for the wireless network are correctly pushed to the test laptop. Sometimes, GPOs might not apply as expected, or there could be a small misconfiguration.

4. Trusted CA:
- You mentioned checking off your internal CA server as the Trusted CA. Ensure the laptop indeed has the correct CA certificate and it’s being recognized correctly.

Specific Things to Look At

EAP Settings:
- On the test laptop, go to the network properties and double-check the EAP settings. Ensure it's set to use “Smart Card or other certificate” and verify that the correct certificate is being selected.

ISE Logs:
- Take a look at the ISE logs to see what’s happening during the authentication process. The logs might give you a clue if there’s a certificate issue or if it’s falling back to username/password authentication for some reason.

Supplicant Configuration:
- Check the supplicant configuration on the laptop. Sometimes, settings can get mixed up or not fully applied, leading to fallback to password authentication.

Why Is This Happening?

There are a few potential reasons why this might be happening:

Mismatch in Certificate Settings:
- There could be a mismatch in how the certificates are configured or recognized between the laptop and ISE.

Policy Misconfiguration:
- A small misconfiguration in the policy set on ISE can lead to it defaulting to username/password prompts.

GPO Application Issue:
- The GPO might not have applied correctly, or there could be conflicting settings causing the issue.

Next Steps

1. Re-check the Configuration:
- Go through your ISE configuration and the test laptop’s network settings once more, comparing them closely with your working wired setup.

2. Test with Another Laptop:
- Try applying the settings to another test laptop to rule out any machine-specific issues.

3. Consult ISE Logs:
- Use the logs from ISE to get more insight into why the authentication is defaulting to username/password.

4. Engage Community/Support:
- Sometimes, an extra pair of eyes helps. Consider reaching out on forums or to Cisco support if you continue to face issues.

Hang in there, Matt! Troubleshooting these setups can be tricky, but with some patience and careful checking, you’ll get to the bottom of it.

Best of luck,
John

Matthew Martin

Hey All,

Sorry for the delayed response. Had to step away from this for a few days and work on another project that we have going on. Came back to this today, and I think I figured out the problem.

I don't know why it was done this way; it was done before I had any involvement on the Windows Admin side. Each domain-joined PC is getting 2 certificates from our internal CA. One template appears to be created from the standard "Computer" certificate template found in the Windows CA, and the other one, if I remember correctly, was set up by a consultant we hired to help us set up ISE many many years ago (ISE 1.x). Both certs are still being pushed out via GPO and are being auto-renewed as well.

The default "Computer" certificate uses all the standard options you'd expect and is configured for Client and Server Auth. The other template that was created by the consultant is a Machine template configured for Client Auth only. It appears that this cert was configured to not have a Subject Common Name, which I noticed in the ISE logs; I then went to check the cert on the test laptop and it indeed did NOT have a Subject CN configured. What was configured was the Subject Alternative Name "DNS Name=myComputer@mydomain.com". This appears to be the only field in this template that carries the PC name configured in AD.

Found this in the Auth Details for the Test Laptop:


So I went into the Certificate Authentication Profile and changed the option to: Any Subject or Alternative Name Attributes in the Certificate.

Since both of those client certs I mentioned are signed by our internal CA, and that is the CA server ticked in the Windows wireless profile config (and Simple Certificate Selection is being used), I'm not sure how it decides which cert to present during network authentication. But it appears that one was being selected.

After changing the Certificate Authentication Profile to any alternative name, authentication started working correctly on this Wi-Fi network.

-Matt
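The root cause above (a second machine certificate with no Subject CN and only a SAN) is easy to spot from the laptop itself by listing every certificate in the machine store that an EAP-TLS supplicant could present, and showing its Subject CN, SAN entries, EKUs and template. The PowerShell below is an added example, not code from the thread; it assumes the internal CA's issuer name contains 'Corp Issuing CA' (adjust the fragment), and it runs without admin rights because it only reads the store.

```powershell
# Added example (not from the thread). Lists certificates in LocalMachine\My that the
# Windows EAP-TLS supplicant could offer (private key present, issued by the internal
# CA, Client Authentication EKU) and shows whether each has a Subject CN, what its SAN
# entries are, and which template it came from.
# Assumption: the internal CA's issuer DN contains 'Corp Issuing CA'; change to match yours.
$caNameFragment = 'Corp Issuing CA'

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$sanOid        = '2.5.29.17'           # subjectAltName
$templateOids  = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')  # Microsoft template info / name

function Get-CertEkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }
}

function Get-CertSanEntries {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid } | Select-Object -First 1
    if (-not $ext) { return @() }
    # Format($true) renders one entry per line, e.g. "DNS Name=host.example.com"
    $ext.Format($true) -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Get-CertTemplate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
    if ($ext) { $ext.Format($false) } else { '<none>' }
}

# Candidate set: what a machine-mode EAP-TLS supplicant could pick from
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.Issuer -like "*$caNameFragment*" -and
    ((Get-CertEkuOids -Cert $_) -contains $clientAuthOid)
}

$report = foreach ($cert in $candidates) {
    $ekus = Get-CertEkuOids -Cert $cert
    # An ISE Certificate Authentication Profile keyed on Subject CN has nothing to
    # match when this comes back '<none>'; only a SAN-based profile will work then.
    $cn = if ($cert.Subject -match 'CN=([^,]+)') { $Matches[1] } else { '<none>' }
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        SubjectCN  = $cn
        SAN        = (Get-CertSanEntries -Cert $cert) -join '; '
        ClientAuth = $ekus -contains $clientAuthOid
        ServerAuth = $ekus -contains $serverAuthOid
        Template   = Get-CertTemplate -Cert $cert
        NotAfter   = $cert.NotAfter
    }
}

$report | Sort-Object NotAfter -Descending | Format-Table -AutoSize

if ($report | Where-Object { $_.SubjectCN -eq '<none>' }) {
    Write-Warning 'At least one candidate certificate has no Subject CN; a CN-based ISE CAP will fail for it.'
}
```

With two rows in this output, one CN-less and SAN-only, you have exactly the situation described in the post: the supplicant may present either certificate, so the ISE Certificate Authentication Profile has to accept an identity from the SAN as well as from the Subject, which is what switching it to "Any Subject or Alternative Name Attributes in the Certificate" does.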