857 Views, 0 Helpful, 3 Replies

Definitive answer on EAP cert versus Windows AD PKI Machine certs?

steeda (Level 1)

It's written in many places and posts that the EAP cert in ISE must be provided by the same PKI as the Windows machine certs. Never definitively, such as in the admin guide, but in forum posts. ISE is currently 3.2 p3.

I have a GoDaddy EAP cert and it's pushed to the AD clients via GPO. The whole chain. ISE has the AD PKI Root and Sub certs installed in the Trusted Certificates section. The AD clients (wireless laptops) have AD PKI machine certs installed and use EAP-TLS inner tunnel and PEAP outer tunnel via user/pass. This environment has AD clients, BYOD laptops and phones, everything, and I want to stick with the public cert...

The AD clients can't connect. Windows Events:

Reason: Explicit Eap failure received
Error: 0x40420110

and

Reason: Explicit Eap failure received
Error: 0x40420110
EAP Reason: 0x40420110
EAP Root cause String: Network authentication failed due to a problem with the user account

If I switch the EAP cert to AD PKI, they connect. So, is this situation truly not supported, or am I missing something?

ISE Logs:

Event: 5440 Endpoint abandoned EAP session and started new
Failure Reason: 5440 Endpoint abandoned EAP session and started new
Resolution: Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root cause: Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.

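When the EAP certificate on ISE is swapped for one from another PKI, the supplicant side of the trust relationship is worth checking before the ISE side: a Windows 802.1X profile pushed by GPO can pin the SHA-1 thumbprint of the root CA it accepts for server validation, and the contents of the ISE Trusted Certificates store have no influence on that decision. The script below is an added example for this thread (not code from the thread, from Cisco or from Microsoft). It parses an exported wireless profile and reports, for each server-validation block, whether the root of a given server chain is pinned. The profile XML, the PEM bundle and the thumbprints are constructed placeholders; the export command, SSID and server name are assumptions.

```python
"""Offline check: does a Windows 802.1X profile's ServerValidation section
accept the root of the chain the RADIUS (ISE) server presents?

Added example, not from the thread. Assumes the profile XML came from
    netsh wlan export profile name="<SSID>" folder=. key=clear
and that the server chain is a PEM bundle ordered leaf first, root last.
Windows stores each pinned root in <TrustedRootCA> as its SHA-1 thumbprint,
written as space-separated hex bytes.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_chain_to_der(pem_text):
    """DER bytes of every CERTIFICATE block, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]


def sha1_thumbprint(der):
    """The 'Thumbprint' shown by certlm.msc: SHA-1 over the DER bytes, lowercase hex."""
    return hashlib.sha1(der).hexdigest()


def server_validation_blocks(profile_xml):
    """Every ServerValidation element in the profile (a PEAP outer method and an
    inner EAP-TLS method each carry their own). Tags are matched by local name,
    so the several Microsoft namespaces in the export do not matter."""
    blocks = []
    for elem in ET.fromstring(profile_xml).iter():
        if elem.tag.rsplit("}", 1)[-1] != "ServerValidation":
            continue
        block = {"trusted_roots": set(), "server_names": "", "no_prompt": False}
        for child in elem:
            local = child.tag.rsplit("}", 1)[-1]
            text = (child.text or "").strip()
            if local == "TrustedRootCA":
                block["trusted_roots"].add(re.sub(r"\s+", "", text).lower())
            elif local == "ServerNames":
                block["server_names"] = text
            elif local == "DisableUserPromptForServerValidation":
                block["no_prompt"] = text.lower() == "true"
        blocks.append(block)
    return blocks


def evaluate(profile_xml, server_chain_pem):
    """One verdict per ServerValidation block for the chain the server presents."""
    ders = pem_chain_to_der(server_chain_pem)
    if not ders:
        raise ValueError("no CERTIFICATE blocks in server chain")
    root_thumb = sha1_thumbprint(ders[-1])
    verdicts = []
    for block in server_validation_blocks(profile_xml):
        if not block["trusted_roots"]:
            # Nothing pinned: any root in the machine's Trusted Root store is accepted,
            # and that store is not visible to this offline check.
            status = "any-machine-trusted-root"
        elif root_thumb in block["trusted_roots"]:
            status = "root-pinned-ok"
        else:
            # With DisableUserPromptForServerValidation=true nobody is asked to
            # accept the unknown root; the attempt just fails.
            status = "root-not-pinned"
        verdicts.append({"status": status, "pinned": sorted(block["trusted_roots"]),
                         "server_names": block["server_names"], "no_prompt": block["no_prompt"]})
    return verdicts


# ---- constructed sample data: placeholder bytes, not real certificates ----
def fake_pem(label):
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


AD_ROOT_PEM = fake_pem("constructed AD PKI root")
AD_PKI_CHAIN = fake_pem("constructed ISE leaf") + fake_pem("constructed AD sub CA") + AD_ROOT_PEM
PUBLIC_CHAIN = (fake_pem("constructed ISE leaf") + fake_pem("constructed public intermediate")
                + fake_pem("constructed public root"))

PROFILE_TEMPLATE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>corp-wifi</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
      <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
        <Type>25</Type>
        <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
          <ServerValidation>
            <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
            <ServerNames>ise-psn01.corp.example</ServerNames>
            {roots}
          </ServerValidation>
        </EapType>
      </Eap>
    </Config></EapHostConfig>
  </EAPConfig></OneX></security></MSM>
</WLANProfile>
"""


def windows_thumb_format(hexdigest):
    """netsh writes thumbprints as 'a1 b2 c3 ...'."""
    return " ".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


# Profile as a GPO might push it with the AD PKI root pinned, and one with no pin.
PINNED_PROFILE = PROFILE_TEMPLATE.format(roots="<TrustedRootCA>%s</TrustedRootCA>"
                                         % windows_thumb_format(sha1_thumbprint(pem_chain_to_der(AD_ROOT_PEM)[0])))
UNPINNED_PROFILE = PROFILE_TEMPLATE.format(roots="")

if __name__ == "__main__":
    for name, chain in (("AD PKI chain", AD_PKI_CHAIN), ("public CA chain", PUBLIC_CHAIN)):
        print(name, [v["status"] for v in evaluate(PINNED_PROFILE, chain)])
```

Export the live profile with the netsh command from the docstring, export the EAP chain from the ISE System Certificates page, and call evaluate() with both. A status of root-not-pinned for the chain ISE now presents means the profile has to be updated (or the pin removed) regardless of what ISE trusts; any-machine-trusted-root means nothing is pinned and the root merely has to be present in the machine's Trusted Root Certification Authorities store, which still has to be checked on the client itself.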

Accepted Solution

Charlie Moreton (Cisco Employee)

AD client certs (user/device) MUST be authenticated against the AD Root Cert. Since a PSN can only have a single certificate for EAP Authentications, the only way to achieve what you are detailing would be to have one PSN hosting the AD cert for EAP Authentication and another PSN hosting the GoDaddy EAP cert. Then you get to determine how each client type uses the PSN with the cert for them.


3 Replies


Thanks for the definitive reply. That's unfortunate, but I will deal with it. I wish there were 'one cert to rule them all' in a 2-node Primary/Standby environment, but I guess there isn't.

This seems to be a major oversight in functionality. I'll talk to our account team (Partner).

Hi, I was wondering what template you use for the wireless client devices' certificates? I am getting the same error as in your initial post, but am using AD PKI. I have an offline Root CA and an Intermediate Issuing CA. I know this has worked in the past, but we started from scratch again and now the settings for ISE don't work. I have also tried an NPS server, but the client seems like it never hits either RADIUS server. I checked logs in ISE and NPS and nothing comes up.