EAP-TLS - Issue with user certificates (Windows 2016 CA)

JohnRound
Level 1

I have built a Windows CA to issue computer and user certificates, so that they can then connect to a wireless network set up in ISE (Network Access EAPAuthentication EQUALS EAP-TLS)

 

The computer receives a certificate via Group Policy auto-enrolment fine, as we have to wire it up to join it to the domain, install the root certificate etc. anyway. However, there is an issue with the user: they can log in, as they have WiFi access during the login prompt (due to the computer certificate present), but then lose the network after login, before they receive a user certificate via auto-enrolment so that they can successfully authenticate to the network. If I try the same process with a wire attached everything is fine; as soon as they log in they receive a certificate, so the CA is working correctly.

 

I then had another idea, in that I deployed two wireless profiles via Group Policy to the laptop so that if it failed to join the EAP-TLS SSID it would join an EAP-MSCHAPv2 SSID instead, and hopefully the user could receive the certificate that way, but sadly that doesn't work either (it seems Windows attempts to do the user certificate part at some point between login and arriving at the desktop, which it can't do without the network!).

 

Hopefully this all makes sense. What I'm after really is any advice from anyone who has got a successful EAP-TLS setup running with ISE and Windows clients!

1 Accepted Solution

If using the native supplicant, it depends on the interface. For wired, each interface can be set up with a user-specific EAP type. If you have two Ethernet interfaces, you can set up one interface to do EAP-TLS while the other interface does PEAP-MSCHAPv2. For wireless, you can set up a different EAP type per SSID. As mentioned earlier, AnyConnect NAM allows you to mix different EAP types on a single connection.

8 Replies

Hi John,

Please compare the supplicant settings for wired and wireless, in Network Adapter -> Authentication -> Additional Settings. Under "Specify authentication mode", check whether it is computer authentication only for the wired settings and "User or computer authentication" for the wireless settings.

Also, please share the RADIUS live log of the machine and user authentications and their policy set.

-Aravind

This is a known issue when you try to do computer and user certs. The first time a user logs in to a machine can be a challenge. In your testing you should see:

 

  1. When the user logs in for the first time, they get disconnected from wireless, but auto-enrollment of the user cert may still complete. If they try to reconnect they will get on.
  2. I have set up a second GPO SSID definition for the same SSID but with PEAP computer auth as a fallback in case certs don't work. I have seen that work in my setups.

This is a first-time login issue. I have had some customers say the user needs to log in for the first time on wired, or modify the supplicant single sign-on timers to try to help with this. This has had varying success.

The other thing I always ask customers in this case is "Do you have defined user-based authentication requirements?", i.e. what is the reason you are doing user authentication in the first place. If you are just trying to answer the question "Is this a corporate asset?", then PEAP computer auth or EAP-TLS does that and keeps the setup simple.

umahar
Cisco Employee

Are you using User authentication or Machine authentication?

Or "User or Machine authentication"?

If you are just trying to answer the question "Is this a corporate asset?" then computer authentication is all you need. If you have user use cases then you would need to do Computer or User and deal with the first time user login issue.
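The two checks suggested in this thread (whether the wireless profile is set to computer-only or "user or computer" authentication, and whether it uses EAP-TLS or PEAP) can be read straight out of the profile XML that `netsh wlan export profile folder=<dir>` writes. The following Python audit is an added example, not code from this thread or from Cisco: it parses such a profile and flags the exact combination behind the first-logon drop, an EAP-TLS SSID whose 802.1X `authMode` is `machineOrUser` or `user`, because at logon the supplicant switches to user credentials that a never-before-seen user does not yet hold. The two profile documents are constructed samples trimmed to the elements the audit reads; the choice of `machineOrUser` as the default when `authMode` is absent is an assumption.

```python
r"""Audit exported Windows WLAN profiles for the EAP-TLS first-logon gap.

Export the real profiles with:  netsh wlan export profile folder=C:\profiles
Each resulting XML file is one <WLANProfile>; pass its text to audit_profile().
"""
import xml.etree.ElementTree as ET

# Namespaces used in profiles exported by the Windows native supplicant.
NS_WLAN = "{http://www.microsoft.com/networking/WLAN/profile/v1}"
NS_ONEX = "{http://www.microsoft.com/networking/OneX/v1}"
NS_EAPCOMMON = "{http://www.microsoft.com/provisioning/EapCommon}"

# IANA EAP method type numbers as written into EapMethod/Type by the exporter.
EAP_TYPE_NAMES = {13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# Constructed sample: an EAP-TLS SSID that re-authenticates as the user at logon.
PROFILE_TLS_MACHINE_OR_USER = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type></EapMethod>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""

# Constructed sample: the PEAP, computer-only fallback described in the thread.
PROFILE_PEAP_MACHINE_ONLY = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi-Fallback</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machine</authMode>
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""


def audit_profile(profile_xml: str) -> dict:
    """Report what the supplicant will do for one profile and whether the gap applies."""
    root = ET.fromstring(profile_xml)
    ssid = root.findtext(f"{NS_WLAN}SSIDConfig/{NS_WLAN}SSID/{NS_WLAN}name")
    use_onex = (root.findtext(f".//{NS_WLAN}useOneX") or "false").strip().lower() == "true"
    # authMode is optional in the OneX schema; assumed to default to machineOrUser.
    auth_mode = (root.findtext(f".//{NS_ONEX}authMode") or "machineOrUser").strip()
    # Only the outer EapMethod/Type lives in the EapCommon namespace, so this
    # does not pick up an inner method (e.g. MSCHAPv2 inside PEAP).
    type_text = root.findtext(f".//{NS_EAPCOMMON}Type")
    eap_type = int(type_text) if type_text else None
    # The gap: EAP-TLS plus a mode that switches to user credentials after logon.
    # A first-time user has no certificate yet, so the association drops.
    first_logon_gap = use_onex and eap_type == 13 and auth_mode in ("machineOrUser", "user")
    return {
        "ssid": ssid,
        "use_onex": use_onex,
        "auth_mode": auth_mode,
        "eap_method": EAP_TYPE_NAMES.get(eap_type, f"type {eap_type}"),
        "first_logon_gap": first_logon_gap,
    }


def audit_all(profiles):
    """Audit several exported profiles at once."""
    return [audit_profile(p) for p in profiles]


if __name__ == "__main__":
    for r in audit_all([PROFILE_TLS_MACHINE_OR_USER, PROFILE_PEAP_MACHINE_ONLY]):
        flag = "GAP" if r["first_logon_gap"] else "ok "
        print(f"{flag} {r['ssid']:<10} {r['auth_mode']:<14} {r['eap_method']}")
```

Run against a folder of real exports, a profile reported as `GAP` is one where a brand-new user will drop off the network at logon; changing its `authMode` to `machine` (the "corporate asset only" design above) or keeping a PEAP computer-auth fallback are the two options the thread discusses.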


We have decided just to go for the computer certificates after further thought. However, how would I set up my Group Policy and ISE in such a way that the computer is authenticated via EAP-TLS, but then a user is authenticated to stay on the wireless through AD/MSCHAPv2 authentication, if that makes sense... or isn't that possible?

 

With the certificate we know the device is a corporate asset; however, if a rogue user then happens to access a corporate asset, all they would need to know is ANY AD login, rather than us being able to have AD groups containing the specific users who have wireless access.

Hi John,

You can use machine authentication by certificate and user authentication by domain login; that is possible only when you use the Cisco AnyConnect NAM module for authentication.

In the Windows native supplicant, both computer and user authentication need to be done either by certificate (EAP-TLS) or by domain login (PEAP).

 

Thanks,

Aravind