ISE 2.1 - ISE default path to search for a machine/user certificate

redes_noc (Level 1)

Dear all,

I have an ISE that uses certificate authentication (AD) to authenticate the machines.
The problem is that we have some developers who use other "local certificates", and these are in the same folder where ISE looks for the certificate, so sometimes the machine stops authenticating for that reason.

Question: Is it possible to do something like changing the default folder that ISE looks in for the certificate on the machine? Or is there any other way to have more than one certificate in "Certificates -> Personal" without an error in ISE?

Thanks!

3 Replies

Arne Bier (VIP)

ISE doesn't search the certificate "folders" on the machine - it's determined by the client. During EAP-TLS the supplicant (e.g. your Windows PC) will identify itself to ISE by presenting an X.509 certificate that is configured in the Windows supplicant config. You can narrow this down by telling Windows exactly which cert and from which store (machine/personal) you want to use.

Ok, but then I have two certificates inside "Certificates --> personal", and ISE sometimes accepts the machine onto the network and sometimes not. How can I resolve that?

Due to a limitation, the developer team needs to create some certificates inside this "certificate folder" on the Windows machine:

"Certificates --> personal"

And when they do this, ISE gets confused.

Could you help me? @Arne Bier

I see.  This is something only the supplicant can influence.

Is there any attribute that uniquely distinguishes the two certs? e.g. different issuing CA, or some EKU values that are different.

If you're using Windows 7/8/10 then go to Network Authentication Method ("Microsoft: Smart card or other certificate"), click Settings, and you can uncheck the "Use simple certificate selection" checkbox in the 802.1x supplicant config. Then click on the Advanced button and select the Certificate Issuer cert and intermediate cert, and then any EKU (Extended Key Usage) attributes. If you're lucky you might be able to make the selection such that Windows always selects the correct one.
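To answer the question above about whether issuer or EKU distinguishes the two certificates, here is an added PowerShell example (not from this thread, Cisco, or Microsoft) that lists the machine Personal store and flags which certificates a supplicant could pick for EAP-TLS. It assumes it runs as Administrator on the client PC; the store path and the expected CA name are placeholders.

```powershell
# Added example: inspect "Certificates -> Personal" (machine store) and show
# the attributes the Windows supplicant can filter on (issuer, EKU).
$Store = 'Cert:\LocalMachine\My'          # machine Personal store
$ExpectedIssuer = 'CN=CORP-ISSUING-CA'    # placeholder: your AD CA's subject

# Well-known OID for the Client Authentication EKU, which EAP-TLS needs
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

$report = Get-ChildItem -Path $Store | ForEach-Object {
    $cert = $_
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }

    [pscustomobject]@{
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        HasPrivateKey   = $cert.HasPrivateKey
        EKU             = ($ekus -join ',')
        # A cert the supplicant could legitimately present for EAP-TLS
        EapTlsCandidate = ($cert.HasPrivateKey -and
                           ($ekus -contains $ClientAuthOid) -and
                           ($cert.NotAfter -gt (Get-Date)))
        FromExpectedCA  = ($cert.Issuer -like "*$ExpectedIssuer*")
    }
}

$report | Sort-Object Issuer |
    Format-Table Subject, Issuer, EKU, EapTlsCandidate, FromExpectedCA -AutoSize

# With more than one candidate, "simple certificate selection" may pick either.
# Report whether the issuer alone is enough to separate them.
$candidates = $report | Where-Object EapTlsCandidate
if (($candidates | Measure-Object).Count -gt 1) {
    $issuers = @($candidates | Select-Object -ExpandProperty Issuer -Unique)
    if ($issuers.Count -gt 1) {
        'Several candidates with different issuers: filter by Certificate Issuer in the supplicant Advanced settings.'
    } else {
        'Several candidates from the same issuer: look for a distinguishing EKU, or keep the developer certs in a different store (user vs machine).'
    }
}
```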