Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3814
Views
2
Helpful
9
Replies

EAP-TLS with ISE 3.1 fails

Go to solution
Geert Reijnders
Level 1
Level 1

‎03-15-2023 07:33 AM

We are setting up a wireless network with EAP-TLS. However, when I try to connect a W11 laptop to this network the connection fails. I see this message in ISE:

Event 5400 Authentication failed
Failure Reason 12507 EAP-TLS authentication failed
Resolution Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Similarly, verify that the certificate authority that signed the client's certificate is correctly installed in the Certificate Authorities page (Administration > System > Certificates > Certificate Authority Certificates). Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the authentication failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.
Root cause

EAP-TLS authentication failed.

 

AcsSessionID NLDC0101ISE01/460343116/28104895
OpenSSLErrorMessage SSL alert: code=0x22E=558 ; source=local ; type=fatal ; message="certificate unknown.ssl/statem/statem_srvr.c:3800 error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed [error=337100934 lib=20 func=380 reason=134]"
OpenSSLErrorStack 140097471612672:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed:ssl/statem/statem_srvr.c:3800:
   

We are using our internal PKI infrastructure. However, when I use the Microsoft Intune certificate store, it works fine. So I think there is something wrong with the certicate. But maybe I'm wrong. 

In our client certificate we use client authentication in the Enhanced Key usage. 

Does anyone has seen this before?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Geert Reijnders
Level 1
Level 1

‎04-30-2023 11:09 PM - edited ‎04-30-2023 11:10 PM

We did find the issue. The client certificate EKU was set to critical for Client authentication. After we changed it to  non-critical it worked.

You can't see if a key is set to critical or non-critical when you open the certificate in Windows. But with open SSL we compared the both certificates and saw the difference:

openssl x509 -in ep.cer -text -noout

X509v3 Extended Key Usage: critical
E-mail Protection, Microsoft Encrypted File System, TLS Web Client Authentication




View solution in original post

9 Replies 9

Go to solution
marce1000
VIP
VIP

‎03-15-2023 10:43 AM

 

 - FYI : https://community.cisco.com/t5/network-access-control/windows-11-machines-fail-to-complete-eap-tls-authentication-with/m-p/4747292#M579039

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
0 Helpful

Go to solution
Geert Reijnders
Level 1
Level 1

‎03-16-2023 01:18 AM

I know, but after deleting the reg keys, it still didn't work. These laptops are configurered via autopilot and Intune. I'm going to give it a try with a W10 build 22H2 devices.

Thanks

0 Helpful

Go to solution
Charlie Moreton
Cisco Employee
Cisco Employee
In response to Geert Reijnders

‎03-16-2023 04:53 AM

You need to run these commands as administrator and then restart the machine. After restart manually select the root and intermediate certificates to fix the issue.

Did you restart the machine and then manually select the root and intermediate certificates?

0 Helpful

Go to solution
Charlie Moreton
Cisco Employee
Cisco Employee
In response to Geert Reijnders

‎03-16-2023 04:53 AM

You need to run these commands as administrator and then restart the machine. After restart manually select the root and intermediate certificates to fix the issue.

Did you restart the machine and then manually select the root and intermediate certificates?

0 Helpful

Go to solution
Geert Reijnders
Level 1
Level 1

‎03-16-2023 05:30 AM

Yes, I ran these commands as administrator. However, not all keys could be deleted. 

0 Helpful

Go to solution
ajc
Level 7
Level 7

‎03-16-2023 10:58 PM - edited ‎03-16-2023 11:05 PM

Using MMC, check IF in your USER ACCOUNT FOLDER --- > TRUSTED ROOT CA and TRUSTED INTERMEDIATE CA folders you have respectively your internal PKI Trusted CA certs in there. It works for Intune because Microsoft Trusted CA's are installed by default on the USER OR COMPUTER ACCOUNT TRUSTED CA FOLDERS..We have our own PKI but we do not user USER ACCOUNT for EAP-TLS authentication, instead we use COMPUTER ACCOUNT because the PKI signs the cert for the computer using its serial number. (Since that you did not provide more information, I am assuming that you are not doing both machine + user authentication). You also need to check for the WIRELESS SSID profile how did you configure the authentication: "user authentication, computer authentication, user or computer authentication" (those are the 3 options). Depending on that, your computer will select the folder where your computer cert (signed by your own PKI) was installed. 

0 Helpful

Go to solution
Geert Reijnders
Level 1
Level 1
In response to ajc

‎03-17-2023 01:22 AM

Hi ajc,

Thanks for helping out. We are using machine authentication. The certificates are in the corresponding folders. the Wireless SSID is also configured for machine authentication.

The main difference between our own CA and intermediate certifcates and those of intune is that we don't explicit allow Client Authentication in Enhanced Key usage. However, that's what I've been told, we allow all enhanced keys in those certificates. 

0 Helpful

Go to solution
ajc
Level 7
Level 7
In response to Geert Reijnders

‎03-17-2023 07:23 AM - edited ‎03-17-2023 07:27 AM

Another detail, Microsoft changed the way EAP-TLS authenticates for Windows 11, before you only needed the certificates in the corresponding TRUSTED CA Folders for machine authentication and that worked fine. In our case, we assigned an entrust signed cert for EAP authentication on ISE and our EAP-TLS was failing with a similar error message as the one you got NO matter we had Entrust Root CA and Entrust L1K CA in the corresponding folders. We talked to Microsoft and they told us that the SSID Profile configured on the computers had to have CHECKED all the TRUSTED CA in the following section (see screenshot). On previous Windows versions you only needed to have those TRUSTED CA listed without checking specifically in the box. We deployed this new profile using GPO and it worked right away.

 

VALIDATE-WIN-CERTS.png

 

 

 

0 Helpful

Go to solution
Geert Reijnders
Level 1
Level 1

‎04-30-2023 11:09 PM - edited ‎04-30-2023 11:10 PM

We did find the issue. The client certificate EKU was set to critical for Client authentication. After we changed it to  non-critical it worked.

You can't see if a key is set to critical or non-critical when you open the certificate in Windows. But with open SSL we compared the both certificates and saw the difference:

openssl x509 -in ep.cer -text -noout

X509v3 Extended Key Usage: critical
E-mail Protection, Microsoft Encrypted File System, TLS Web Client Authentication




Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents