cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
475
Views
2
Helpful
6
Replies

EAP-TLS - Client still not trust ISE PSN certificate

beejrteek
Beginner
Beginner

hello Guys,

I want to ask you if you meet similar problem to my. I have implemented EAP-TLS for wireless clients. Simple topology:

Client -> WLC -> ISE - implemented 802.1x EAP-TLS

My problem is that when client click connect to SSID, he always receive warning that certificate which is sent by PSN is not trusted, but it is not possible. I have all certificate chain in my Trusted Store Certificate (Root, SubCA, Intermediate CA) in client machine.

I also tried to add PSN certificate to Trusted Store but it not help.

PSN certificate has Client and Server Authentication atrribute in Enhance Key Usage

Also in SAN field we have DNS and IP entries.

I don't have any idea why client still not trust PSN certificate. Any suggestion ? 

1 Accepted Solution

Accepted Solutions

Microsoft implemented security changes on Windows 10 and 11 where you MUST checked the TRUSTED ROOT CERTIFICATE CA's in your wireless profile (manually created of distributed via GPO) and not just check the "validate server certificate" box. Without that, no matter you have the Trusted CA Root listed by default in your computer the certificate warning would appear. I had a conversation with a Microsoft support tech about it because our Win 11 laptops were giving us those certificate warnings. See attached pictures about it.

 

 

CERTIFICATE TRUSTED CA ROOT.png

View solution in original post

6 Replies 6

This is 100% a client problem.  What are the clients?  How are you trusting these certificates on the client?  Who issues the ISE EAP certificate?  Internal PKI our public.

Arne Bier
VIP
VIP

Is this an Apple iOS device, or Windows?  I could be wrong, but with Apple iOS, you will always get the cert warning even if you have manually added the ISE CA chain into the device (through something like Apple Configurator). I have not done this in a while, but I also believe that if Apple devices are MDM managed, then this phenomenon doesn't happen.

With Windows clients this is never an issue, if the supplicant is configured correctly - you have a lot of control and visibility over this, as compared to Apple. 

beejrteek
Beginner
Beginner

Thanks for your reply.

Problem solved. We have Windows machine, and we don't know why but supplicant wifi (build-in) can't verify certiface even if it has all root CA in Trusted Store.

We solved this problem by creating WLAN Profile on GPO and set by mark which certificate need be trusted. 

After pushing policy to PC, we not observe aby info that client can't verify PSN cert

We assume that native supplicant has a problem to find right CA in Trusted Store

Microsoft implemented security changes on Windows 10 and 11 where you MUST checked the TRUSTED ROOT CERTIFICATE CA's in your wireless profile (manually created of distributed via GPO) and not just check the "validate server certificate" box. Without that, no matter you have the Trusted CA Root listed by default in your computer the certificate warning would appear. I had a conversation with a Microsoft support tech about it because our Win 11 laptops were giving us those certificate warnings. See attached pictures about it.

 

 

CERTIFICATE TRUSTED CA ROOT.png

ajc - thanks for your explanation! One more question: you said "I had a conversation with a Microsoft support tech" - when you spoke with Microsoft ? And what they said ? 

BTW, we had a SIMILAR issue with our MDM managed IPADs where we HAD to add the intermediate trusted CA to the profile used for EAP-TLS, otherwise we got a certificate warning no matter we had the ROOT Trusted CA in those IPADs.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: