Solved: ISE and EAP-TLS - Page 2

M. Wisely · ‎08-01-2012

Hi

We're planning on implementing eap-tls for our corporate iPads and in the past I've successfully tested it authenticating against ACS5.3 but now that we've moved to ISE (1.1.1.24) I'm getting an error.

22045 Identity policy result is configured for password based authentication methods but received certificate based authentication request

I've tried two different profiles, one with a certificates and AD credentials and the other one with just certificates but the error message is the same for both.

EAP-TLS is enabled in the 'Default Network Access' authentication result.

Can anyone shine a light on where I'm going wrong?

Thanks

Martin

Tarik Admani · ‎08-08-2012

Martin,

Please post the certificate path using windows so I can see the whole path of the user cert and the full details of it also (I need to see the key usage and enhanced key usage). Also I need to see the full details of the NHSG-CS-01 (path and key usage and enhanced key usage). It may be that you are using a signing certificate to issue this cert and that might not be supported since we need server authentication OID to present in order to use certificate based authentication.

http://www.cisco.com/en/US/docs/security/ise/1.0/install_guide/ise10_vmware.html#wp1053064

take a look at figure 4-3 for this setting on the vmswitch.

Thanks,

Tarik Admani
*Please rate helpful posts*

M. Wisely · ‎08-09-2012

Tarik

I've attached the path detail, etc.

There was no extended key usage in the NHSG-CS-01 certificate, key usage was Digital Signature, Certificate Signing, Off-line CRL Signing and CRL Signing (86).

In the personal certificate the key usage was Digital Signature, Key Encipherment (a0) and the enhanced key usage was Server Authentication.

Thanks

Martin

Tarik Admani · ‎08-09-2012

Martin,

Then that makes sense, since the ISE uses certificate based authentication when using eap-tls the certificate doesnt have the OIDs to support certificate based authentication. Here is a guide that shows the requirements needed in order to authenticate clients via certificates:

http://support.microsoft.com/kb/814394

Here is the comment in the article in this case the IAS is the radius server and the same holds true for ISE:

The IAS or the VPN server computer certificate is configured with the Server Authentication purpose. The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1.

Here is the Cisco eap-tls deployment guide which references the same as above:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml#wp39121

Thanks,

Tarik Admani
*Please rate helpful posts*

M. Wisely · ‎08-09-2012

Tarik,

Thanks for your help, that makes sense even to me now that you've pointed it out. I know very little about certificates.

I've asked one of my colleagues in our server team to add the usage to the template and once he does I'll test and update this discussion.

Thanks

Martin

M. Wisely · ‎08-10-2012

Tarik,

Annoyingly we've now got a client certificate with client authentication and server authentication as the enhanced key usage but we're now hitting a different error message, 22047 "Principal username attribute is missing in client certificate".

So the client certificate has the extended attributes of Server Authentication and Client Authentication.

Thanks

Martin

Tarik Admani · ‎08-10-2012

Martin,

Can you please post a screenshot of you user cert. If there isnt a prinicpal username then we need to see if the subject alternative name contains the correct format of the username.

Thanks,

Tarik Admani
*Please rate helpful posts*

M. Wisely · ‎08-13-2012

Tarik

You're right, there is no subject alternative name (or principal name) on my user certificate so I had a look at a certificate I generated from the User template and it does have a subject alternative name which contains:

Other Name:

Principal Name=@

RFC822 Name=

I presume thats what should be in the personal certificate I generate for the iPad?

Thanks

Martin

Tarik Admani · ‎08-13-2012

Yes that is correct, the certificate that is being presented to ISE doesnt include the identity of the client, that is the reason the attempt fails.

Thanks,

Tarik Admani
*Please rate helpful posts*

Gustavo Novais · ‎08-23-2012

Hi,

For Windows based authentication, we usually have to use not the common name on the Certificate authentication profile, but the subject or subject alternate name.

In your case if you specify to use the Subject Alternate Name ISE, should be able to take that to authentify the user.

HTH

Gustavo

M. Wisely · ‎08-23-2012

Hi Gustavo

We've already got that added.

Thanks

Martin

rchockeelopez · ‎04-22-2013

Hi Tarik,

I have the same error. What should be the solution?

rchockeelopez · ‎04-22-2013

Hi Martin,

If I only want to install the certificate manually on the user device does I still need a SCEP server?

Thanks,

Regards,

Alcides Miguel · ‎02-18-2016

Hi Tarik,

This post is for long time ago... I would like to have a help from you because I´ve deployed ISE 2.0 and I want to use EAP-TLS as preferred authentication with certificate based authentication for both user and workstation... but the authentication is failing with error 22056 Subject not found in the applicable identity store.

I use Identity Sequence Store with certificate profile attached.

Thanks.

navdeep_singh · ‎12-04-2013

Hi,

Can I have guide to setup certificate based authentication for ipad or mobile phone user with ISE?

Please help!!