05-19-2020 01:29 AM - edited 05-19-2020 01:37 AM
Hi,
I am trying dual SSID BYOD for eduroam and I have run in to some issues. We have one usecase that our internal laptops should be able to use this SSID. However the computers already have a user certificate on them (for Exchange) that has the same CN (firstname.lastname@email.com) as the certificate that ISE provides.
I have noticed that Windows choosed the wrong certificate for the EAP-TLS authentication.
Is there a way to choose in the settings that the ISE push to the client what certificate should be used?
Or can we modify the CN in the cert that ISE pushes to the client?
Regards
Philip
05-19-2020 03:26 AM
05-20-2020 06:12 AM
Hi,
I have configured BYOD portal according to the guide and the client gets certificate from the internal ISE CA. But after the onboarding process the client can't connect to the SSID.
The ISE log say "12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain".
In the client certificate store I see two certificates. Both with the same CN, both are for "Client authentication". One is issued from ISE, the other from Skype. If I remove the certificate from Skype then the 802.1x authentication works. But the Skype cert is automatcaly installed on the client everytime we start Skype, and as soon as it is back the authentication will stops working (next time the client tries to connect to the SSID.
I have checked the settings in the profile that gets downloaded to the client, but I can not see anywhere that I can force what certificate to be used.
05-20-2020 06:23 PM
When you have more than one user certificate in the client's store that both have the required attributes for 802.1x authentication, I believe Windows favours the oldest certificate to present for 802.1x when 'simple certificate selection' is enabled. Windows 10 added the ability to use certificate matching conditions to define which certificate will be presented for 802.1x, but the ISE Native Supplicant Provisioning does not have the ability to control this.
You would either need to educate your BYOD users on how to configure the certificate matching, or have Windows prompt them for the certificate to use for 802.1x.
For the latter, you could try disabling the 'Do not prompt user to authorize new servers..' option in your NSP profile in ISE to see if the user is then prompted for the certificate to use.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide