
Cisco ISE EAP-TLS

AFAWZY
Level 1

If I need to use EAP-TLS as the user authentication method for my TEAP authentication.

I was wondering how the user authenticates with his unique certificate? The user types his credentials, but how does his certificate get to different devices?

7 Replies

Can you elaborate more?

Thanks

MHM

When we use EAP-TLS we don't type in any credentials, as EAP-TLS will be using the machine or user certificate to authenticate. You mention TEAP authentication. TEAP authentication allows EAP-Chaining natively on Windows without having to install any additional piece of software such as AnyConnect NAM.

When TEAP is in use, both the machine and the user authentications are included in the same transaction. The configuration of each can vary; for instance, you can decide to do EAP-TLS for the machine authentication and EAP-PEAP (username and password) for the user, or you can use EAP-TLS for both of them. You configure those authentication methods in the endpoint NIC settings under the dot1x tab.

The certificate presented by the endpoint during the authentication would be the one in the Personal folder of the certificate store in Windows. That is the case for both the machine and the user: each presents its own identity certificate, which is hosted in its Personal folder.

Thank you @Aref Alsouqi for your explanation.

I tried only PEAP (MS-CHAPv2) and I'm facing an issue with wireless network access. After searching, I found that new Windows has a feature called Credential Guard which has a conflict with MS-CHAP, so users can't connect to the SSID. I'm not sure yet that this is the problem for my wireless, but a lot of people face it. That's why I need to move away from PEAP and use TLS.

So, about your words "the one in the personal folder in the certificates containers in Windows": how do different users get the certificate used for the authentication in the Personal folder of the same machine? I need to understand this flow. If a user called Aref and another one called Fawzy try to authenticate through the same machine (the user authentication phase), how will the supplicant use a different certificate to authenticate, and how can the PC get these different certificates?

@MHM Cisco World this is my question with more explanation.

@AFAWZY it's the Windows Group Policy Objects (GPO) that configure the device to use TEAP (with the machine and user certificates) for 802.1X authentication. A GPO would also configure certificate enrollment so that the machine and users automatically enrol for their certificates. When the user logs into a different device, they will not have a user certificate if they have never logged into that device before; it's the user GPO settings that send down the user certificate, which can then be used for 802.1X authentication.

Thank you @Rob Ingram.

I need more explanation about the certificate automatic enrollment, and what the suitable GPO configuration is for the TLS user authentication.

And how does the PC get the certificates of the different users logged in to the same PC?

@AFAWZY the GPO settings configure the computer to auto-enroll for a machine certificate, which is stored in the computer certificate store. Each user that logs into a computer has their own unique user certificate store; when the GPO is configured they receive a user certificate, which is stored in their own user certificate store. The user certificates are unique per user, so if another user logs into the computer (if configured) they will receive a different user certificate, stored in their own user certificate store.

Examples:

https://www.packetswitch.co.uk/dot1x-certs/

https://integratingit.wordpress.com/2019/07/13/configuring-windows-gpo-for-802-1x-authentication/
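A way to verify the per-store behaviour described in the reply above on a joined Windows client, as an added example (not code from this thread or from Cisco): it lists the certificates in the machine store and in the current user's store that a TEAP/EAP-TLS supplicant could actually present (private key present, unexpired, Client Authentication EKU), shows which template each was enrolled from, and flags the case where the user's store is still empty because user auto-enrollment has not run on that machine yet. The issuer name `CORP-ISSUING-CA` is a placeholder; the store paths are the standard Windows ones.

```powershell
# Added example: which identity certificates can each 802.1X identity (machine, current user) present?
# Assumes the standard stores Cert:\LocalMachine\My and Cert:\CurrentUser\My; the CA name is a placeholder.
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'                                  # Client Authentication EKU needed for EAP-TLS
$TemplateOids  = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'     # certificate template extensions (v2 / v1)

function Get-Dot1xCandidate {
    param(
        [Parameter(Mandatory)][string]$StorePath,
        [string]$IssuerMatch = ''                                     # restrict to your enterprise CA (optional)
    )
    # Note: private-key details for Cert:\LocalMachine\My may require an elevated session.
    Get-ChildItem -Path $StorePath | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthEku) -and
        ($IssuerMatch -eq '' -or $_.Issuer -like "*$IssuerMatch*")
    } | ForEach-Object {
        # Read the template extension so you can see which auto-enrollment template issued the cert
        $tpl = $_.Extensions | Where-Object { $TemplateOids -contains $_.Oid.Value } |
               ForEach-Object { $_.Format($false) } | Select-Object -First 1
        [pscustomobject]@{
            Store      = $StorePath
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Expires    = $_.NotAfter
            Template   = $tpl
            Thumbprint = $_.Thumbprint
        }
    }
}

$results  = @()
$results += Get-Dot1xCandidate -StorePath 'Cert:\LocalMachine\My' -IssuerMatch 'CORP-ISSUING-CA'   # placeholder CA
$results += Get-Dot1xCandidate -StorePath 'Cert:\CurrentUser\My'  -IssuerMatch 'CORP-ISSUING-CA'   # placeholder CA

$results | Format-Table -AutoSize

# The "first login on a new machine" case from the thread: the user store has no usable certificate yet.
if (-not ($results | Where-Object Store -eq 'Cert:\CurrentUser\My')) {
    Write-Warning "No user certificate for $env:USERNAME in Cert:\CurrentUser\My: user auto-enrollment has not run here yet."
    Write-Warning "Refresh user policy and pulse auto-enrollment, then re-run: gpupdate /target:user /force ; certutil -user -pulse"
}
```

Run it once as the machine (elevated) and once as each test user to confirm that every user ends up with a distinct certificate in their own store while the machine certificate is shared.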


This is a tricky use case because of the order of operations in Windows: the 802.1X process starts before the user GPO kicks in. See this discussion for more information on that process.

https://community.cisco.com/t5/network-access-control/ise-deployment-eap-tls-machine-or-user-certificates-native/td-p/4094444

One option to help with this catch-22 situation using TEAP is discussed here:

https://community.cisco.com/t5/network-access-control/eap-teap-first-time-user-login-chicken-amp-egg-scenario/td-p/4475351