Cisco ISE EAP-TLS Client Authenticate Cert Selection

Chris Terry (Level 1)

We're using EAP-TLS for client authentication in Cisco ISE.

We're using Secure Client with the NAM module on our Windows clients now. We would like to move away from using Secure Client because we are only using the NAM module and nothing else. It doesn't seem cost effective to only be using Secure Client for the NAM module.

That being said, there are rare cases in which a client has multiple certificates designated for client authentication, all signed by the same CA. It seems random which certificate Windows chooses to authenticate against ISE when using the native Windows supplicant. Are there any options/settings/criteria that can be set on the Windows side or on the ISE side to specify which certificate is used during the EAP-TLS authentication? I know there are options to choose the intermediate/root CA, but that doesn't help since there are multiple certs signed by the same CA. Secure Client does give an option for certificate matching criteria, which helps choose the right cert, but I'm hoping there's something similar that can be done without using Secure Client.

Any thoughts?

5 Replies

ccieexpert (Spotlight)

If you go to Advanced in the dot1x settings on the adapter for certificate auth, you can select the EKU and a specific CA/sub-CA. If you add an extra EKU besides client auth, you could differentiate that way.

Other than that, you can also disable certs for specific purposes; see screenshots. You can disable client auth on a certificate by going to its properties.

[screenshot: ccieexpert_0-1724711308282.png]

I did see those options. It's just that the EKU is the same, client authentication, for all the certs. All those certs are also signed by the same CA. I was hoping Windows could differentiate between the certs by using something like the certificate template information or even part of the SAN.

You can always add a cert for dot1x with an extra EKU and match it that way.

ccieexpert (Spotlight)

[screenshot: ccieexpert_0-1724712589623.png]

ammahend (VIP)

Windows "simple certificate selection" is the recommended setting and is already checked. If you have multiple certs from the same CA, Windows might choose the most recently issued certificate or the one with the latest expiration date.

-hope this helps-
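Before deciding between ccieexpert's two suggestions (an extra EKU on a dedicated dot1x cert, or disabling the client-auth purpose on the unwanted certs in their properties) it helps to see exactly which certificates the native supplicant has to pick from and which fields differ between them. The following PowerShell script is an added example, not code from the thread or from Cisco: it inventories client-authentication certificates in the user and machine stores, groups them by store and issuer, and flags any issuer that has more than one candidate, since that is the case where the EKU/CA filter in the adapter's 802.1X settings cannot distinguish them. It also reports which cert "most recently issued" and "latest expiry" would select, the two heuristics ammahend mentions for simple certificate selection. The store paths and the optional issuer substring are assumed parameters; the EKU and extension OIDs are the standard ones (Client Authentication 1.3.6.1.5.5.7.3.2, Certificate Template Information 1.3.6.1.4.1.311.21.7, Certificate Template Name 1.3.6.1.4.1.311.20.2, Subject Alternative Name 2.5.29.17).

```powershell
# Added example, not from the original post: enumerate EAP-TLS client-auth
# candidates and show why the native supplicant may pick "randomly".
# Assumes a Windows host with the Cert: provider; parameters are assumptions.
param(
    [string[]]$StorePaths = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'),
    [string]$IssuerFilter = ''   # e.g. 'Contoso Issuing CA' (hypothetical name)
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'                                # Client Authentication EKU
$templateOids  = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')  # template info (v2) / name (v1)
$sanOid        = '2.5.29.17'                                        # Subject Alternative Name

function Get-ClientAuthCandidates {
    param([string[]]$Paths, [string]$Issuer)
    foreach ($path in $Paths) {
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem $path | Where-Object {
            # Only certs the supplicant could actually use: private key present,
            # not expired, Client Authentication EKU, and (optionally) the issuer of interest.
            # Note: a cert with NO EKU extension is valid for all purposes and is skipped here.
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid }) -and
            ($Issuer -eq '' -or $_.Issuer -like "*$Issuer*")
        } | ForEach-Object {
            # Decode the fields that differ between otherwise identical-looking certs.
            $tmpl = $_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } |
                    ForEach-Object { $_.Format($false) }
            $san  = $_.Extensions | Where-Object { $_.Oid.Value -eq $sanOid } |
                    ForEach-Object { $_.Format($false) }
            [pscustomobject]@{
                Store      = $path
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotBefore  = $_.NotBefore
                NotAfter   = $_.NotAfter
                EKUs       = (($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -join ',')
                Template   = ($tmpl -join ';')
                SAN        = ($san -join ';')
            }
        }
    }
}

$candidates = @(Get-ClientAuthCandidates -Paths $StorePaths -Issuer $IssuerFilter)
$candidates | Format-Table Store, Thumbprint, Subject, NotAfter, EKUs, Template -AutoSize

# Ambiguity check: more than one client-auth cert from the same issuer in the same store
# is exactly the case the adapter's EKU/CA filter cannot resolve.
$candidates | Group-Object Store, Issuer | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("{0} client-auth certs in {1}; EKU/CA filtering alone cannot separate them." -f $_.Count, $_.Name)
    $newest  = $_.Group | Sort-Object NotBefore -Descending | Select-Object -First 1
    $longest = $_.Group | Sort-Object NotAfter  -Descending | Select-Object -First 1
    Write-Host ("  Most recently issued : {0} (NotBefore {1})" -f $newest.Thumbprint,  $newest.NotBefore)
    Write-Host ("  Latest expiry        : {0} (NotAfter  {1})" -f $longest.Thumbprint, $longest.NotAfter)
    # Anything that differs in EKUs, Template or SAN between the group members is a
    # candidate for an extra EKU on a dedicated dot1x template, as suggested above.
    $_.Group | Select-Object Thumbprint, EKUs, Template, SAN | Format-List
}
```

Run it as the user whose certs are used for user authentication, and elevated if machine authentication is in play, since the supplicant looks in CurrentUser\My or LocalMachine\My depending on the authentication mode. One caveat on the "disable the purpose in Properties" route: the "Enable only the following purposes" setting is a property of the certificate's entry in the local store, not part of the certificate itself, so it has to be applied on each machine (and again after renewal or re-enrollment); issuing the dot1x certificate from a dedicated template with an additional EKU, as ccieexpert suggests, is the setting the supplicant's EKU filter can match on consistently.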