Hello,
I'm having struggles with Windows 10 machines authentication process which is based on client certificates.
Before I will elaborate on the errors I observe, I'll share the configuration of components along the way.
Windows 10 configuration:
- Holds the Root CA certificates and a personal computer (client) certificate signed by the CA (we are using a custom template)
- WiredAutoConfig service is auto-running
- NIC is configured to authenticate using 802.1x, smart card or other certificate as network authentication method, use a certificate on this computer
Switch configuration:
aaa new-model
aaa group server radius GRP-XXX-ISE
server name ISE01
server name ISE02
aaa authentication dot1x default group GRP-XXX-ISE
aaa authorization network default group GRP-XXX-ISE
aaa accounting dot1x default group GRP-XXX-ISE
aaa server radius dynmaic-author
client X.X.X.X server-key 7 XXX
client Y.Y.Y.Y server-key 7 YYY
dot1x system-auth-control
interface GigabitEthernet1/0/1
authentication control-direction in
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3
interface GigabitEthernet1/0/2
device-tracking attach-policy IPDT_POLICY
authentication control-direction in
authentication event server dead action authorize XXX
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
radius-server directed-request
radius server ISE01
address ipv4 X.X.X.X auth-port 9812 acct-port 9813
key 7 XXX
radius server ISE02
address ipv4 Y.Y.Y.Y auth-port 9812 acct-port 9813
key 7 YYY
Cisco ISE configuration:
- Root/Sub CA certificates
- ISE signed certificates (for EAP)
- NAD (user switch)
- CAP (certificate authentication profile) pointing to subject common name and AD as identity store
- EAP-TLS authentication policy set
- Certificate parameters and AD membership authorization policy
I get the following errors on each device type:
Windows 10 - Authentication failed
Switch:
- %DOT1X-5-FAIL Authentication failed for cliient with reason (No Response from Client) on Interface Gi1/0/1
%SESSION_MGR-5-FAIL: Authorization failed or unapplied for client on Interface Gi1/0/1. Failure reason: Authc fail. Authc failure reason: Cred Fail.
%DOT1X-5-FAIL Authentication failed for cliient with reason (Cred Fail) on Interface Gi1/0/2
%SESSION_MGR-5-FAIL: Authorization failed or unapplied for client on Interface Gi1/0/2. Failure reason: Authc fail. Authc failure reason: Cred Fail.
Cisco ISE:
22017 Selected Identity Source is DenyAccess
12831 Unable to download CRL22056 Subject
22044 Identity policy result is configured for certificate based authentication methods but received password based
22056 Subject not found in the applicable identity store(s)
