01-05-2018 01:14 PM
ISE node: 2 node deployment
Version: 2.2 patch3
Certificate (Entrust): here is the certificate view from the ISE System Certificates item.
It's a wildcard SAN certificate (example):
CN: exemple.domain.com
SAN:
exemple.domain.com (DNS)
*.domain.com (DNS)
*.anotherdomain.com (DNS)
The Sponsor Portal, Guest Portal and Admin Portal use the certificate without any issue (SSL/TLS).
EAP authentication on Android endpoints is working OK.
Windows 8.1 PCs are not trusting the certificate.
WHY? HELP
Other details:
Windows PC error from the client side:
The error detail from the Windows event log (EapHost):
I've verified the points from the following link:
1. Verify ISE is passing the full certificate chain during the SSL handshake process. OK
2. Open each certificate (server, intermediate and root) and verify the chain of trust by matching the Subject Key Identifier (SKI) of each certificate to the Authority Key Identifier (AKI) of the next certificate in the chain. OK
3. The next step is to verify that the Root and/or Intermediate certificates are in the client's local trust store. OK
01-05-2018 03:42 PM
Is this PEAP/MSCHAPv2? Or, is it EAP-TLS? Is the connection failure after clicking on "Continue"? Have you tried other Windows client O/S, such as Windows 7 or Windows 10?
Sorry, I can't read French much, so can't tell what the windows errors are.
01-08-2018 06:00 AM
It's PEAP/MSCHAPv2. After clicking on "Continue" the connection works OK.
The message in French is the answer of the Windows 802.1X supplicant when it is not able to trust the certificate, following the notification option configured on the supplicant. Here below is the default option on Windows 8.1 under "Notifications avant la connexion: Informer l'utilisateur si le nom du serveur..." ("Notifications before connecting: Tell the user if the server name..."). In brief, the supplicant has to notify the user to trust or not trust the connection in case of a server certificate error. This is a confirmation of my certificate issue. If I take off the server identity validation item on the supplicant, the connection takes place without error.
01-08-2018 10:00 AM
Therefore, it is expected. If you want to validate the server identity, then please ensure the root CA certificate is in the trusted root CA store on the client, showing up as one of the authorities in the properties screen, and selected.
The screenshot from a Windows 7 client below shows "root-CA" selected, as that is the one used to issue the ISE certificates in our lab.
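The chain check (SKI of each certificate against the AKI of the next) from the first post, together with the "root CA present in the client's Trusted Root store" check from the reply above, as an added PowerShell example that is not from the thread; the certificate file paths are placeholders for a chain exported from the ISE server, leaf first.

```powershell
# Added example, not from the thread. Run on the Windows client.
# Placeholder paths: the server chain exported from ISE, leaf certificate first, root last.
$chainFiles = @('C:\temp\ise-server.cer', 'C:\temp\intermediate.cer', 'C:\temp\root.cer')

function Get-KeyIdentifiers {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ski = ''; $aki = ''
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension]) {
            $ski = $ext.SubjectKeyIdentifier
        }
        elseif ($ext.Oid.Value -eq '2.5.29.35') {
            # AKI has no typed .NET class; Format() yields "KeyID=aa bb cc ...", keep the hex only
            if ($ext.Format($false) -match 'KeyID=([0-9a-fA-F ]+)') { $aki = $Matches[1] -replace ' ', '' }
        }
    }
    [pscustomobject]@{ Subject = $Cert.Subject; SKI = $ski.ToUpper(); AKI = $aki.ToUpper(); Thumbprint = $Cert.Thumbprint }
}

function Test-ChainLinkage {
    param([string[]]$Files)
    $certs = @($Files | ForEach-Object {
        Get-KeyIdentifiers (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_)
    })
    for ($i = 0; $i -lt $certs.Count - 1; $i++) {
        $ok = ($certs[$i].AKI -ne '') -and ($certs[$i].AKI -eq $certs[$i + 1].SKI)
        Write-Host ("{0} -> {1}: {2}" -f $certs[$i].Subject, $certs[$i + 1].Subject,
            $(if ($ok) { 'AKI matches SKI' } else { 'MISMATCH: chain broken here' }))
    }
    return $certs[-1]   # the root, used for the trust-store check below
}

function Test-TrustedRoot {
    param([string]$Thumbprint)
    # The supplicant only trusts the server if the root is in one of these stores AND
    # selected in the PEAP profile (the <TrustedRootCA> thumbprint of "netsh lan export profile").
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        $hit = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $Thumbprint }
        Write-Host ("{0}: {1}" -f $store, $(if ($hit) { 'root CA present' } else { 'root CA NOT present' }))
    }
}

$root = Test-ChainLinkage -Files $chainFiles
Write-Host ("Root CA thumbprint to select in the 802.1X profile: {0}" -f $root.Thumbprint)
Test-TrustedRoot -Thumbprint $root.Thumbprint
```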
01-07-2018 11:25 PM
It is a client machine, I think this is normal. How do I create a certificate profile?
This is a simple example.
01-08-2018 06:02 AM
I'm using a user authentication PEAP/MSCHAPv2 (non machine authentication).