11-21-2017 04:02 PM
Ran into a scenario where users are being prompted in Microsoft to select certificate for authentication (user/workstation). How can this behavior be prevented from happening? Tried implementing authz policies matching group membership (user/computer) and also the certificate template (user/computer) but failed on the template matching. Tried both with the name and OID seen in the cert
11-21-2017 04:52 PM
This is a Windows supplicant configuration issue. If the Windows Supplicant sees more than one client auth cert, then it won't know which one to present to the AAA, hence the user is prompted.
I have not looked into this for a while - bit rusty on the subject. If you are doing computer auth, then configure your supplicant accordingly (and vice-versa for user auth). This constrains the supplicant to look in that specific part of the cert store only. However if the cert store contains multiple certs, then you might still get the prompts. In the past I used to delete any certs that were not required and that got rid of that issue. There might be a smarter solution
11-22-2017 05:34 AM
Machines logged out, identity should be authenticated based on computer certificate
User logs in, identity should be authenticated based on the user certificate
Can't delete multiple certificates; they're in place for a reason. When machines are idle off hours they'd be blocked from network resources.
Agree on the supplicant issue but unsure how to address. The dot1x wired policy in GPO:
computer settings - policies - windows settings - security settings - wired network 802.3 policies
802.1x enabled
smart card or certificate authentication method
authentication mode: user or computer authentication
I'll test after setting "user authentication" and see what happens to the computer when logged out
11-22-2017 06:13 PM
Unfortunately, I don't believe there is a way to resolve this via GPO in Windows 7 because the supplicant itself does not support any type of certificate matching.
The Windows 10 supplicant does now support some capability around certificate matching, so you can specify which certificate to use for 802.1x based upon the Root/Intermediate CA that signed the user cert.
For Windows 7, you would need to look into using a 3rd party supplicant that can do the cert matching for 802.1x. Some customers have evaluated the use of AnyConnect NAM to do this.
11-22-2017 08:06 PM
From GPO wired dot1x settings, you can select certificate then user & computer, user or computer certificate for authentication. Unfortunately selecting user would block the computer when logged out.
How about the first part of the original question. Tried using the "certificate template" attribute in the policy but failed. If the name of the template was "ISE User" in AD, I tried to apply that but failed. Also noticed the OID was included in the certificate itself, also tried that but failed. Seems to be a legitimate way to differentiate between certificate types but couldn't get it to work.
11-24-2017 04:56 PM
As Arne said, your issue is not related to certificate template matching.
If you are using MS Template name extension v2 (OID 1.3.6.1.4.1.311.21.7) instead of MS Template name extension v1 (OID 1.3.6.1.4.1.311.20.2), then that is addressed by CSCvc05016 in ISE 2.2 FCS and ISE 2.0 Patch 5.
11-29-2017 04:18 PM
Arne was able to troubleshoot this further. Indeed a supplicant issue; very frustrating, unsure where to diagnose in Windows.
Client has 2 valid certificates in the store that could be used for client authentication. Supplicant is configured to trust the correct CA/SUB-CA, simple certificate selection is enabled, the correct issuers are selected, only allowing the CA/SUB-CA used for identity. Still, some machines prompt the user to select which certificate they would like to use. Really banging my head against the desk on this one. Most Windows 10 workstations work as expected, most Windows 7 are prompting. Confirmed the wired dot1x settings are being pushed from GPO properly. Going to call Microsoft tomorrow for assistance debugging in the OS. Hoping to find a registry key that can be edited or isn't being modified properly.
Edit - the 2nd certificate cannot be deleted as a workaround
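An added diagnostic (not posted by anyone in this thread) that lists, per store, every certificate a supplicant could present for client authentication, with the issuer and the v1/v2 template extension values the ISE policy and the supplicant's issuer filter match on; it flags a store holding more than one candidate, which is the condition described above that produces the prompt. The store paths and the warning text are assumptions for illustration.

```powershell
# Added example, not from the thread. Run on the affected workstation (elevated for the machine store).
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'      # id-kp-clientAuth
$TemplateV1    = '1.3.6.1.4.1.311.20.2'   # MS Certificate Template Name extension (v1)
$TemplateV2    = '1.3.6.1.4.1.311.21.7'   # MS Certificate Template Information extension (v2)

function Get-ClientAuthCerts {
    param([string]$StorePath)   # assumed values: Cert:\LocalMachine\My (computer auth), Cert:\CurrentUser\My (user auth)
    Get-ChildItem -Path $StorePath | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        # No EKU extension means "any purpose", so such a cert is also a client-auth candidate.
        # EAP-TLS needs a usable private key, so certs without one are not candidates.
        $_.HasPrivateKey -and ((-not $eku) -or ($eku.EnhancedKeyUsages.Value -contains $ClientAuthEku))
    } | ForEach-Object {
        $v1 = $_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateV1 }
        $v2 = $_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateV2 }
        [pscustomobject]@{
            Store      = $StorePath
            Subject    = $_.Subject
            Issuer     = $_.Issuer        # what the supplicant's issuer filter and the ISE policy compare
            NotAfter   = $_.NotAfter
            Thumbprint = $_.Thumbprint
            # v1 decodes to the template name; v2 decodes to "Template=<name>(<OID>), Major Version Number=..."
            TemplateV1 = $(if ($v1) { $v1.Format($false) } else { $null })
            TemplateV2 = $(if ($v2) { $v2.Format($false) } else { $null })
        }
    }
}

foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    $certs = @(Get-ClientAuthCerts -StorePath $store)
    $certs | Format-Table Subject, Issuer, NotAfter, TemplateV1, TemplateV2 -AutoSize
    if ($certs.Count -gt 1) {
        # More than one candidate in the store the supplicant searches is what triggers the selection prompt.
        Write-Warning "$store holds $($certs.Count) client-auth certificates; expect a prompt unless the supplicant's issuer filter narrows this to one."
    }
}
```

Comparing the Issuer and template columns across a prompting Windows 7 host and a working Windows 10 host shows whether the two candidates differ in anything the supplicant's selection criteria can actually use.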
11-29-2017 04:30 PM
I think the problem is that 'simple certificate selection' is not as robust of an option as allowing certificate matching criteria to be specified (as in Windows 10 and some 3rd party supplicants).
I found the following TechNet article that discusses how 'simple certificate selection' works:
It would be interesting to see if MS can provide additional options for the supplicant certificate selection in Win7, so please update this post after your call with them if you don't mind.
05-07-2018 08:07 AM
This wound up being fixed in a hotfix for Windows 7
KB Article Number(s): 2710995
Language: All (Global)
Platform: x64