01-09-2013 02:29 AM - edited 03-10-2019 07:57 PM
Anyone run into issues similar to the below?
Public Certificate bound for HTTPS
Internal AD Certificate Bound for EAP
Issue is the SPW or Native Supplicant will be provisioned with the Root CA of the Public Cert, then SCEP enrolls EAP-TLS with the Internal CA; however, as the client device (iPad/iPhone/Android) doesn't get the Internal Root CA provisioned, they will fail EAP-TLS communication.
Running ISE 1.1.2 patch 2, 2-node cluster
Guest Portal being used for Provisioning if AD credentials passed
Works a treat if I bind both HTTPS & EAP on the Internal identity certificate (only issue then is Guests/BYOD devices get Certificate Warnings on the portal).
Cheers
Kam
01-17-2013 10:14 AM
Update 2: Cisco have filed a new bug / feature enhancement request.
After discussions with developers, I have filed a new bug:
CSCue08551 - ISE Native Supplicant Provisioning doesn't include CA Cert for EAP TLS
Symptom:
ISE Client Provisioning (NSP) installs only the HTTPS Certificate, which causes EAP-TLS authentication to fail.
Conditions:
EAP and HTTPS Functions on ISE use a different certificate
Workaround:
Use same certificate for HTTPS and EAP.
This will be treated as an enhancement, as the HTTPS CA needs to be included since it's always used to establish the connection between the Wizard and ISE for SCEP Requests. Also, different ISE Policy nodes might have a certificate signed by a different CA. The fix would be to have an option on the NSP Profile to push additional CA Certificates.
Hope this helps someone
Cheers
Kam
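The symptom and conditions in the bug text above can be reproduced offline with openssl. The script below is an added example, not something posted in this thread and not Cisco's or ISE's own tooling: it builds two throwaway roots (a "public" one that signs the portal/HTTPS certificate and an "internal" one that signs the EAP certificate), models the supplicant's trust store as a PEM bundle containing only the root NSP actually pushes, and checks which server certificate chains to it. The CA names, the ise.example.com hostname and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from this thread, Cisco or ISE): reproduce the trust gap
# behind CSCue08551 with openssl. A "public" CA signs the ISE HTTPS/portal
# certificate and a separate "internal" CA signs the ISE EAP certificate,
# as in the setup described in the thread. The supplicant's trust store is
# modelled as a PEM bundle holding only the root that NSP pushes (the HTTPS
# one). All names below are constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so CA generation behaves the same on every version
# (a self-signed root must carry basicConstraints CA:TRUE to act as a trust anchor).
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed root CA: $1 = file base name, $2 = subject CN
mk_root_ca() {
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" -days 30 >/dev/null 2>&1
}

# Server certificate: $1 = file base name, $2 = subject CN, $3 = signing CA base name
mk_server_cert() {
  openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -out "$1.crt" -days 30 >/dev/null 2>&1
}

# Does server certificate $1 chain to a root in bundle $2?
# Exit status 0 = trusted, non-zero = a supplicant holding only $2 would reject it.
chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

mk_root_ca public-root   "Example Public Root CA"
mk_root_ca internal-root "Example Internal AD Root CA"
mk_server_cert ise-https ise.example.com public-root    # bound to HTTPS/portal
mk_server_cert ise-eap   ise.example.com internal-root  # bound to EAP

# What NSP provisions today: only the root of the HTTPS certificate.
cat public-root.crt > provisioned-cas.pem
# What the enhancement asks for: the profile can push additional CA certificates.
cat public-root.crt internal-root.crt > fixed-cas.pem

report() {
  if chains_to "$1" "$2"; then echo "$1 against $2: trusted"
  else echo "$1 against $2: NOT trusted (EAP-TLS would fail here)"; fi
}
report ise-https.crt provisioned-cas.pem   # trusted: the portal loads cleanly
report ise-eap.crt   provisioned-cas.pem   # NOT trusted: the bug in the thread
report ise-eap.crt   fixed-cas.pem         # trusted once the internal root is pushed
```

The same check is a quick way to confirm the workaround on a real deployment: export the CA bundle a provisioned device actually holds, export the certificate bound to the EAP service on each policy node, and run `openssl verify` with the bundle as `-CAfile`; any node whose EAP certificate does not verify will produce exactly the EAP-TLS failures described here.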
01-09-2013 08:00 AM
Kamran,
Can you tell me where this is failing? I am having a hard time figuring out where you are getting stuck at...
Thanks,
Tarik Admani
*Please rate helpful posts*
01-09-2013 08:18 AM
The process doesn't fail as such for the onboarding/provisioning on the iPhone; however, when entering domain credentials to the guest portal, which initiates the onboarding/provisioning process, I notice the root CA certificate that is prompted to be installed on the iPhone is that of the public certificate instead of the internal root CA. The rest of the user certificate and SCEP process completes properly; however, as the root CA for the internal CA wasn't installed, I get warnings when connecting to our dot1x EAP-TLS SSID.
On other devices this process fails, which I can only assume is down to the lack of the internal root CA cert.
So as per the above, I'm pretty much following this (differentiated access via certificates):
However, my setup is slightly different, as the EAP & HTTPS identity certificate is not the internal one. I have installed a public cert for HTTPS to remove certificate warnings on the guest portal (as BYOD devices and guests will only have non-domain machines, thus a public cert removes the certificate warnings).
Does that clarify any more?
Cheers
Kam
01-09-2013 08:28 AM
Kamran,
That is correct, when you authenticate to the guest portal you are using the HTTPS interface to pass your credentials, not EAP.
In your case this does look like a bug, since most documented use cases show a single HTTPS certificate being used for both EAP and HTTPS interfaces. However, if you try to onboard the devices using PEAP, do you get the proper certificate installed and does the error go away (my assumption is yes)?
Also, you may want to open a TAC case and forward your findings over to them, since you would expect that when provisioning, the supplicant should allow the user to install the EAP certificate, or even yet set the supplicant to trust the certificate of the EAP interface in the profile.
I did a search for an open bug and could not track one; I also checked the documentation and it doesn't state this as being a limitation...
Please post back your results if/when you get a response from TAC.
Thanks,
Tarik Admani
*Please rate helpful posts*
01-09-2013 12:29 PM
Onboarding with PEAP works, but again the Public Certificate Root CA is delivered to the "onboarding/provisioning" device rather than the local CA (which has EAP "enabled"), and as PEAP only needs a server-side cert to work, this works (providing "trust for TLS" is ticked on the Public Root Cert).
Ideally I would love the EAP-TLS solution, as this near enough provides a zero-touch solution for the clients, but it needs to work via the provisioning methods, else it's unmanageable for BYOD devices; if you use the local CA certificate, your guests will get a cert warning.
I'm not sure how people have got onboarding working with both public and local certs?
BTW, I have logged a TAC call; let's see what they come back with. Will update this thread if I get anything.
Cheers
kam
01-10-2013 01:40 PM
Update: Cisco TAC can also replicate this issue in their lab; they have escalated to developers to confirm the bug.
Meanwhile I'm using PEAP-MSCHAPv2 with the public certificate.
01-17-2013 11:06 PM
Thanks for following up on this, please mark this thread as resolved.
Tarik Admani
*Please rate helpful posts*