EAP-TLS Computer Domain Failure

Jalmeida
Level 1

Sirs,
I have some doubts about a problem.
The client does not have a GPO for wireless, which is why we use the machine's certificate to validate access.
We created an identity using the certificate and configured the policy set to check TLS first, then the User/Computer group, and finally the Subject Common Name with the machine's initials.

However, this rule did not match and did not generate any hits.

I went to check the machine certificates: the ISE (Trust/Root) certificate is a new certificate and the machine certificate is an old certificate.

Is there any documentation that helps me:
first, to make sure that the source of the problem is the certificates and that this is why the rule did not match;
second, to instruct my client to ask the AD (Active Directory) team for support, so that they can apply the same certificate that ISE has to the machines?

For testing, if I load the ISE certificate (the Root that I receive from AD) on the machine and try to connect, will it work?

That way I would be 100% sure that the problem is related to the certificate.

Regards,


2 Replies

Arne Bier
VIP

With EAP-TLS there are certificate checks done by:

Client - the client checks the certificate of the RADIUS server. This means the client must have the Root CA, and any other CA certs that signed the RADIUS server cert (in ISE's case, this is the EAP certificate), installed in its trust store.

Server - when the client connects, the server will also check the client's cert. The server must have the Root CA, and any other CA certs that signed the client's cert, in the server's certificate trust store.

If the PKI is the same for client and for server, then it's simple. But in some cases the client certs may come from a different PKI (e.g. a company acquisition), and then the ISE server must add those to its trust store. Of course, the clients must also have the ISE CA cert chain installed. In Windows you can tell clients not to perform that check - do not do that! It's useful in a quick lab test, but not for production.

If you want to test certificate-related stuff but you don't have a client (e.g. no access to a Windows PC), then you can use a Linux CLI tool called wpa_supplicant. This tool creates the necessary RADIUS traffic to simulate any EAP method, including EAP-TLS. You give it the client cert and private key, and to ISE it will look like a wireless 802.1X authentication.

Perfect! Thank you very much for the coherence and clarity of your details.
The situation is that the client does not actually have the ISE certificate, and since there are several machines, the client will generate new root and trusted certificates in ISE to facilitate the implementation of TLS.

Thank you very much!