Hi,
I've been working on a setting up an EAP-TLS wireless auth in Cisco ISE 3.2 for mix of domain joined and Autopilot machines.
At first I focused on machine authentication...I know it's not the easiest and not a best practice to set this up for AAD joined devices.
ISE is a lab setup (single node with all personas), but it's integrated with AD, its cert (used for Admin, EAP, Portal etc.) is signed by our Intermediate CA.
For domain joined laptop (W10) with an old NPS certificate for Client Auth. EAP-TLS authentication works like charm.
But Autopilot machine could not authenticate to the same SSID.
For Autopilot I've asked the guys managing our PKI/Intune to follow the guides and they've configured the NDES/Azure App Proxy, Intune Connector, configured Cert. Template and deployed SCEP cert. via Intune profile to test machines.
Cert looks good, at first sight...I tried to be changing stuff in it, making sure the config match the certificate template, but no difference in wireless authentication.
Also Root and Intermediate certs have been pushed to the Autopilot client with a help of Intune.
Whatever ISE policy and whatever CAP I've tried the client could not pass the Authentication phase.
I'm getting a error:
5400 Authentication failed
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
Now, it's hard to vouch for the certificate template config...basic checks not revealed any discrepancies from the guide, but I can't vouch for it.
I'm trying to rule out the the issue of a client failing to trust the ISE EAP cert.
My thinking was, that if the same cert is being used for Admin, Web Portal and EAP, I can validate the trust by opening WE GUI of ISE on the test Autopilot machine - this reveals no errors, machine trust the ISE Gui webpage and cert assigned.
Question 1. Is this a proof, that machine should also trust ISE EAP certificate?
From the other hand, I was trying to test with the same SSID, also supporting EAP-PEAP with MsChapv2, as in this case client should also trust ISE EAP cert.
And when I do not pre-configure Wireless Profile on Windows, but just try to connect, I'm being prompted for Username and password. When I provided valid AD creds, I got a certificate warning:
Question 2: Does that warning proves, that client does not trust ISE certificate?
Because when I do pre-create a profile (still for PEAP with Mschapv2) and select Root CA, that provide trust to ISE, it allows me to connect without any certificate warning.
I hope you guys could point me out to some direction, as I'm quite fed up with this Autopilot/SCEP authentication
Accepted Solutions
Yes. We're using internal PKI SubCA, which is issuing client authentication certs. via SCEP, with the help of NDES/Intune Certificate Connector and Azure App Proxy.
I've just triple checked, and looks like SubCA which has issued the client SCEP cert is in ISE Trusted certificates.
Below the certificate details from ISE:
SubCA:
Root CA, that issued SubCA is also in the same Trusted Certificate store:
Root CA:
ISE System EAP cert:
Machine certificate, issued by SubCA.
Root CA cert under Trusted Root Certification Authorities folder:
SubCA in the Intermediate Certification Authorities folder:
Now, when I preconfigure this W10 machine to connect to SSID with EAP-TLS below settings:
I'm getting "Can't connect to this network" info on W10, and in ISE it looks like this:
If it's more helpful with a copy text report, rather than screenshots, please let me know and I can send you over PM.
Hello guys.
Think I found the problem.
It's TLS 1.2 issue between Windows and Cisco ISE.
It's not clear to me yet, if it's a specifically TPM related issue - described here and here , or a Windows/ISE TLS1.2 issue described here , where Microsoft is blaming Radius vendor.
I only have 2 test machines and got some strange results while applying workarounds. In any case I got it to work finally.
I'm going to find some additional machines for testing and share the results.
But I wanted to have an clear answer from anyone here, to one of my initial questions:
Is below warning proving, that there's a certificate trust issue between Windows client and ISE radius server?
Or not necessarily?
I am aware, that I can workaround this by pre-configuring WLAN on Windows, but I'm just curious why I'm seeing this warning in some specific test cases, and not in others.
