cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2469
Views
31
Helpful
8
Replies

ISE 3.0 Computer Certificate

Leonardo Santana
Spotlight
Spotlight

Hi,

There is a way to confirm which certificate the computer is using to authenticate with Cisco ISE?

I asking these because in this specific customer they have one certificate for SCCM and other for dot1x from the same CA, and i want to make sure that they are using the dot1x.

Enviroment:

2x Cisco ISE VMs 3.1.0.518 Patch4

Supplicant: Windows Native

 

Regards
Leonardo Santana

*** Rate All Helpful Responses***
1 Accepted Solution

Accepted Solutions

Arne Bier
VIP
VIP

The most conclusive way is to run an ISE Endpoint Debug on the MAC address of the endpoint and then perform an authentication. The Endpoint Debug contains the client certificate and you can download it and open it to see the details.

I have yet to find the steps to tell the Windows native supplicant which Windows certificate I want to use for Certificate Authentication. In my experience, if there is more than one User cert installed, then Windows tends to start from the top of the list.

View solution in original post

8 Replies 8

Thanks @balaji.bandi !!!!!!!!

Regards
Leonardo Santana

*** Rate All Helpful Responses***

Arne Bier
VIP
VIP

The most conclusive way is to run an ISE Endpoint Debug on the MAC address of the endpoint and then perform an authentication. The Endpoint Debug contains the client certificate and you can download it and open it to see the details.

I have yet to find the steps to tell the Windows native supplicant which Windows certificate I want to use for Certificate Authentication. In my experience, if there is more than one User cert installed, then Windows tends to start from the top of the list.

@Arne Bier is correct about the order being important. Although it is not well documented by MS, when the 'use smart certificate selection' option is enabled, part of the criteria for that selection is the age of the certificate. If the client has multiple computer and/or user certificates in their Personal store (and all certificates meet the requirements for use by EAP-TLS), the most recently enrolled certificate will be presented by the supplicant.

The Windows 10 supplicant does have a tab for Advanced options that can be used to define matching conditions for the certificate that should be presented for 802.1x, but if the SCCM and client certificates have the same values (Root CA, Issuing CA, EKUs, etc), this may not help. You would have to compare the certificates to see if there are matching conditions that will work for this selection. If not, you would likely need to consider making changes to your PKI architecture and/or the certificate templates to accommodate these MS limitations.

Screenshot 2022-11-15 at 10.24.18 am.png

 

Thanks @Greg Gibbs !!!!!

Regards
Leonardo Santana

*** Rate All Helpful Responses***

@Greg Gibbs While your answer sounds great, we have anecdotal evidence (no packet captures to prove it) where we believe your answer may not be accurate. When running ISE v2.2 for a few years (we're on 2.7 now and upgrading again early next year), we found plenty of windows systems doing EAP-TLS but failing often. Some investigations with our Windows team showed the problem devices had an old certificate on the machine along with a new one. When we started asking them to look for and delete extra (multiple active) machine certificates or OLD/expired machine certificates, these devices EAP-TLS authentication problems went away.  The "clients" covered both Windows 7 (now phased out) and Windows 10 machines.  We have since asked out Windows team to add a check to their policies(?) to remove any expired machine certificates.  The instances of Windows machine EAP-TLS authentication errors dropped rapidly after that.

@davidgfriedman , the enrollment date of the certificate is only part of the criteria used by the 'smart certificate selection' in the supplicant. I have not found any detailed documentation by MS describing the full list of criteria or exactly how this selection process works. All other things being equal, the most recently enrolled certificate that meets the requirements for EAP-TLS *should* be presented by the supplicant.
Without using the certificate matching options (this feature was never available in Windows 7), I have certainly seen more recently enrolled O365 user certs presented by the supplicant instead of the cert initially enrolled by the User Group Policy.
Having multiple expired certificates in the user/computer store is never a good thing. The Windows supplicant would not usually consider those eligible to present for EAP-TLS, but I don't know what issue they could cause with the supplicant. They should definitely be removed during the renewal process.

 

Thanks @Arne Bier !!!!!!!!

Regards
Leonardo Santana

*** Rate All Helpful Responses***