EAP TLS session resume with binary certificate comparison

Axel Maertens
Level 1

Hi,

We have EAP TLS session resume enabled and want to do binary certificate comparison for AD clients. This leads to clients with invalid certificates being denied at first but being admitted because the Certificate Check is skipped on EAP session resume. It seems as if the Client Ticket is sent and accepted later on even if the first Authentication was unsuccessful.
And even when we disabled EAP TLS session resume we got the same behaviour - clients fail first and are being admitted on the second attempt, with ISE saying the TLS session was successfully resumed and skipping the certificate check.
Does this mean that EAP TLS session resume is incompatible with binary comparison, or can this be seen as a bug - meaning we need a TAC case?

1 Reply


Axel Maertens
Level 1

Correction: It did not help to disable Session resume in the global EAP-TLS protocol options (Administration -> System -> Settings -> Protocols -> EAP-TLS). Session resume was still performed!?

But disabling Session resume in Allowed Protocols was successful.

This means we can write a dedicated policy set for EAP TLS with an Allowed Protocols configuration that does not do session resume and get the expected behaviour. But it still seems strange to have to do so?
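The behaviour described in the thread (a client rejected by the binary certificate comparison on its first attempt, then accepted on the second because the resumed TLS session skips the check) comes down to two design decisions in the authenticator: whether a resumption ticket is issued even when the policy check after the handshake fails, and whether a resumed session re-runs the comparison at all. The following is an added, constructed model of that logic, not Cisco ISE's code; the class names, the `Directory` stand-in for AD's userCertificate attribute and the DER byte strings are all assumptions made for the example. It reproduces the reported reject-then-accept sequence with the weak settings and shows the two independent fixes, plus the case of a certificate rotated in the directory after a successful authentication, which only re-checking on resume catches.

```python
# Constructed model of an EAP-TLS authenticator with session resumption and
# binary certificate comparison. Example code, not ISE's implementation.
import os
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Stand-in for AD: the userCertificate value (DER bytes) per account."""
    certs: dict


@dataclass
class Authenticator:
    directory: Directory
    # Weak default: a resumption ticket is handed out whenever the TLS handshake
    # completes, even if the policy check that follows it fails.
    issue_ticket_only_after_policy_pass: bool = False
    # Weak default: a resumed session is accepted without re-running the check.
    recheck_on_resume: bool = False
    tickets: dict = field(default_factory=dict)  # ticket -> (user, presented cert)
    log: list = field(default_factory=list)

    def binary_compare(self, user, cert):
        """Binary certificate comparison: the presented client certificate must be
        byte-for-byte identical to the one stored on the account."""
        return self.directory.certs.get(user) == cert

    def full_authentication(self, user, cert):
        """Full EAP-TLS exchange. Chain validation is assumed to have passed; what
        is modelled is the policy check and whether a ticket is issued."""
        passed = self.binary_compare(user, cert)
        ticket = None
        if passed or not self.issue_ticket_only_after_policy_pass:
            ticket = os.urandom(8).hex()  # opaque session ticket handed to the client
            self.tickets[ticket] = (user, cert)
        result = "accept" if passed else "reject"
        self.log.append(("full", user, result))
        return result, ticket

    def resumed_authentication(self, ticket):
        """Abbreviated exchange: the client presents its ticket instead of a cert."""
        if ticket is None or ticket not in self.tickets:
            return "reject"  # unknown ticket: fall back to a full handshake
        user, cert = self.tickets[ticket]
        passed = self.binary_compare(user, cert) if self.recheck_on_resume else True
        result = "accept" if passed else "reject"
        self.log.append(("resume", user, result))
        return result


def run_stale_cert_scenario(issue_only_after_pass, recheck):
    """Client whose certificate no longer matches AD tries twice in a row.
    Returns the outcome of the full and the resumed attempt."""
    directory = Directory(certs={"alice": b"DER-current"})  # constructed data
    auth = Authenticator(directory, issue_only_after_pass, recheck)
    first, ticket = auth.full_authentication("alice", b"DER-stale")
    second = auth.resumed_authentication(ticket)
    return [first, second]


def run_cert_rotated_scenario(recheck):
    """Client authenticates correctly, then the AD copy is replaced (rotation or
    revocation) and the client resumes with the ticket it already holds."""
    directory = Directory(certs={"alice": b"DER-old"})  # constructed data
    auth = Authenticator(directory, True, recheck)
    first, ticket = auth.full_authentication("alice", b"DER-old")
    directory.certs["alice"] = b"DER-new"
    second = auth.resumed_authentication(ticket)
    return [first, second]


if __name__ == "__main__":
    print("weak:           ", run_stale_cert_scenario(False, False))
    print("ticket bound:   ", run_stale_cert_scenario(True, False))
    print("recheck:        ", run_stale_cert_scenario(False, True))
    print("rotated, weak:  ", run_cert_rotated_scenario(False))
    print("rotated, recheck", run_cert_rotated_scenario(True))
```

With both weak settings the stale-certificate client is rejected once and then accepted on resumption, which is the sequence the thread reports. Issuing the ticket only after the policy check passes closes that path on its own, but a ticket issued legitimately still outlives a later change to the account's certificate, so re-running the comparison on every resumed session is the option that matches the intent of binary comparison; in ISE terms that is why disabling session resume in the Allowed Protocols used for the EAP-TLS policy set restores the expected outcome.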