ISE and WLC integration issue

Hello,

I am having an issue with an expired certificate, and the users can't log in with their credentials to the internal wifi. When they try to connect, they get a generic error, "Can't connect to this network". I checked the Windows events (attached windows_events_error.PNG) and got a more specific error: "eap root cause string: windows cannot connect to this network. There is a problem with the certificate on the server required for authentication".

I checked on ISE, and indeed there is a certificate, signed by a CA, that is expired.

I would like to ask how I can find out whether this expired certificate is used by a policy.

Also, can I somehow renew the expired certificate, like a self-signed one, or do I have to create a new CSR from scratch and send it to the CA?

Finally, is it necessary to have a certificate signed by a CA, or can I have the same functionality with a self-signed certificate?

Thanks


8 Replies

Greg Gibbs
Cisco Employee

See How To Implement Digital Certificates in ISE.

If the EAP certificate is expired, any 802.1x sessions (PEAP, EAP-TLS, etc) where the server certificate needs to be trusted by the client will fail.

As per the guide, self-signed certificates should not be used in Production so the ISE EAP certificate should be issued by an Enterprise CA for which the clients already have the trust chain installed. The client supplicant should be configured to trust that root CA.

When I generate a new CSR, send it to the CA to sign it, and import the signed certificate back into ISE, should I adjust the policy for the internal wifi to match the new certificate, or is there no need for anything more?

Also, I found the option "Allow Authentication of expired certificates to allow certificate renewal in Authorization policy" under the "Allowed Protocols". Is it something that I could use temporarily to solve the current issue, or could it cause any side effects?

I'm not sure what you mean by 'adjust the policy for the internal wifi'. If you are matching on values in the certificate that will have changed with the new certificate (e.g. Issuer CN, Serial Number, etc) in the ISE Policy Sets, or AuthC/AuthZ Policies, then those will need to be updated as well.

The 'Allow Authentication of expired certificates' option only applies if the supplicant supports allowing expired certs. Many vendors' native supplicants (including Windows) do not support it.

In the policy related to access to the internal (private) wifi of the company, there is no (obvious) indication that it is somehow connected with the expired certificate.

When I checked the Windows events (windows_events_error.PNG), the reason the users cannot connect is very clear: there is an issue with the certificate on the server.

I have found only one signed certificate, but I cannot find whether and how it is related to that policy. We don't match the CN or serial number in the policy.

There is no certificate configuration done on the WLC unless you're using some sort of Local EAP for fallback, if that's what you're asking.

Unless there is a load balancer between the NAD and PSN that is doing an SSL termination/rewrite for some reason, the EAP server certificate is presented directly by the PSN for 802.1x sessions.

So the signed certificates are not necessarily bound to a specific policy; they can be used globally for all the policies.

Can I renew the same expired certificate, or do I have to create a new CSR from scratch and send it to the CA?

@Greg Gibbs could you please let me know if I could do the above with the Certificates?

ISE does not have the ability to directly renew CA-signed certificates, so it depends entirely on the CA in use. You cannot import a CA-signed identity certificate into ISE without the private key. When creating a CSR in ISE, ISE automatically generates a private key. Only after the signed cert is bound to the CSR can the private key be exported (with the certificate).

If the CA allows you to renew the current certificate and export the private key without submitting a CSR, that should be fine. If not, you would need to create a new CSR and use that to get a new certificate from the CA.
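The three points the thread settles on (a native supplicant rejects the PSN's EAP server certificate when it is expired or not chained to a root the client trusts, a self-signed certificate fails for the same trust reason, and the fix is a freshly issued certificate rather than a policy change) as an added example in Go. This is not code from the thread, from Cisco or from ISE: it builds a constructed enterprise root CA and three candidate EAP server certificates in memory, stands in for the Windows supplicant's trust decision with the Go standard library's X.509 chain verification, and runs the expiry check an operator would apply to each system certificate exported from ISE. The CA name, the PSN host name ise-psn1.example.test, the serial numbers and the 30-day warning window are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mustIssue generates a key pair and certificate for cn, panicking on generation
// failures a lab need not handle. With parent == nil the result is self-signed;
// otherwise parent/parentKey sign it, as the enterprise CA signs the CSR from ISE.
func mustIssue(cn string, serial int64, notBefore, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	check := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // assumed lab serial, not an ISE value
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // EAP server certificate: supplicants require the server-auth EKU
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// supplicantAccepts models the trust decision a native supplicant makes on the EAP
// server certificate the PSN presents: chain to a trusted root, valid at time now.
func supplicantAccepts(server *x509.Certificate, trusted *x509.CertPool, now time.Time) error {
	_, err := server.Verify(x509.VerifyOptions{
		Roots: trusted, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isExpiredError separates "outside the validity period" from an untrusted issuer.
func isExpiredError(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

// expiryStatus is the check to run over each system certificate exported from ISE
// before clients start failing: "expired", "expiring" (within warnDays) or "ok".
func expiryStatus(c *x509.Certificate, now time.Time, warnDays int) string {
	if now.After(c.NotAfter) {
		return "expired"
	}
	if now.Add(time.Duration(warnDays) * 24 * time.Hour).After(c.NotAfter) {
		return "expiring"
	}
	return "ok"
}

// BuildLab returns the clients' trust store (only the constructed enterprise root)
// and three candidate EAP certificates for the assumed PSN host name, relative to now.
func BuildLab(now time.Time) (*x509.CertPool, map[string]*x509.Certificate) {
	year, day := 365*24*time.Hour, 24*time.Hour
	const psn = "ise-psn1.example.test" // assumed PSN host name
	ca, caKey := mustIssue("Example Enterprise Root CA", 1, now.Add(-5*year), now.Add(5*year), true, nil, nil)
	expired, _ := mustIssue(psn, 2, now.Add(-2*year), now.Add(-30*day), false, ca, caKey)
	renewed, _ := mustIssue(psn, 3, now.Add(-day), now.Add(year), false, ca, caKey)
	selfSigned, _ := mustIssue(psn, 4, now.Add(-day), now.Add(year), false, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // only the enterprise root is installed on the clients
	return roots, map[string]*x509.Certificate{"expired": expired, "renewed": renewed, "self-signed": selfSigned}
}

func main() {
	now := time.Now()
	roots, certs := BuildLab(now)
	for name, c := range certs {
		err := supplicantAccepts(c, roots, now)
		fmt.Printf("%-11s status=%-8s accepted=%-5v %v\n", name, expiryStatus(c, now, 30), err == nil, err)
	}
}
```

Running it prints one line per candidate: the expired certificate is rejected with an expiry error even though its issuer is trusted, the self-signed one is rejected because no root in the client store issued it, and only the renewed certificate from the same CA is accepted, which is why a new CSR and CA-issued certificate, not an ISE policy edit, is the repair. The same expiryStatus check, run periodically over the certificates in the ISE certificate store (or their PEM exports), flags the renewal window before clients start failing.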