cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
22039
Views
5
Helpful
24
Replies

Machine authentication using certificates

hardiklodhia
Level 1
Level 1

Hi,

I am facing this error while machine authenticates agaist AD for wireless users. My requirement is users with corporate laptop get privileged vlan and BYOD should get normal vlan.I am using Cisco ISE 1.1.1 and configured authentication policies to diffrenciate clients based on corp asset and BYOD. Authentication policy result is identity sequnce which uses certificate profile and AD. All corp laptops should be authenticated using certificates and then followed by AD user and pass. when I configure XP users to validate server certificate this error comes in ISE log "Authentication failed : 11514 Unexpectedly received empty TLS message; treating as a rejection by the client" and if I disable validate sewrver certificate then this error "Authentication failed : 22049 Binary comparison of certificates failed".

Any help??

Thanks in advance.

1 Accepted Solution

Accepted Solutions

Hi,

This is a limitation on the native supplicant, when you enable smart card or certificate authentication for the network connection, then it tries to use this for both machine and user authentication. It does not allow you to use certificate authentication for machine auth, and password authenticaiton for user authentication.

You can use anyconnect network access manager (which is free if you have a cisco wireless network) and not only does it allow you to set which type of authentication you want (certificate for machine and password for user) but it has a new feature out which is called eap chaining. Eap chaining is a powerful option because you can choose the order (machine first then user) when the client connects to the network. No longer do you have to stress about the machine authentication timers and wondering what is the best fit when it comes to users logging in and out of their machines in order to update the machine authentication cache in ISE. However eap chaining uses eap-fast, which is a pac-based authentication framework.

Here is the latest release note about this feature (currently in beta):

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp998871

Tarik Admani
*Please rate helpful posts*

View solution in original post

24 Replies 24

Tarik Admani
VIP Alumni
VIP Alumni

Hi,

Does ISE have a signed certificate from the same internal CA as the laptops?

Also when the binary comparison of certificates failed message appears, this usually points to an internal issue where the machine certificates arent being published to the AD user account for these computer objects. There should be a tab that will show the certificate issued to the computer account:

Here is an article that covers the steps on deploying computer certificates and having them pushed to AD -

http://technet.microsoft.com/en-us/library/cc731242%28v=ws.10%29.aspx

thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

Thanks for your reply.

Yes,ISE have a sigend certificate from the same internal CA in ISE certificate store. I will ask AD authority to follow the process mentioned in the link and update you.

Thank You,

Just out of curiosity, did you set the certificate to the eap interface? I am trying to understand why the client is unable to verify the ise's cert.

Sent from Cisco Technical Support iPad App

Hi Tarik,

I have two CA server certificates installed in ISE. One is Public CA and the other is internal MS CA. I want corp assets to use MS CA and BYOD to use public CA. I have enabled EAP for public CA. So when I enable "Verify server certificate" check on client machine it rejects ISE and EAP does not establish but it works for BYOD. As I can only specify one CA for EAP , I have to disable server verification. Its understood that machine is supplying local MS CA certificate while ISE sends Public CA server certificate and EAP-TLS fails. But after disabling server verification , it gives error for bianry comparison failed. Is it possible to use two different CA for two different authentication rules? other thing is public cer for ISE is assigned by intermediate CA so I have installed intermediate cert chain certificate in ISE certificate store. Do I need to also install public Root CA cert in ISE certificate store? How should the chain be installed?any sequence of uploading CA certs?

Thank You,

Hi,

You can not assign to interfaces for eap mangement, however why would you use the public CA for eap authentication? Are your external users using dot1x to authenticate to the network?

Thanks,

Tarik Admani
*Please rate helpful posts*

the requirement: 1:corp asset + AD user/pass=full access ,2: BYOD + AD user/pass= partial access.both using EAP and same ssid. I have configured authentication policy based on this requirement using identity source sequence which has certificate profile (which checks certificate agianst AD) and AD external database for username and pass verification. AD guys have made changes according to microsoft doc but still same error.am I missing something somewhere???

See if publishing a new certificate for the endpoint then publishes the certificate in AD.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tried that as well but not working.Surely looks some prob with AD config. But if the certificate profile pass then will it check username and password against AD? Thanks for your support.

No,

It does a binary comparison of the certifcate that is presented from the client with the certificate that is issued to the same user in AD in order to verify that the cert is correct.

Thanks,

Tarik Admani
*Please rate helpful posts*

that means machine and user authentication is not dome at the same time. ??? it will check only machine name instead of username in AD database for certificate verification.then how user authentication can be achieved after machine authentication??

There are two seperate process when it comes to machine and user authentication. If you are using the default windows supplicant, the authenticate attempt for machine authentication is usually attempted, at boot up, or when you log off, or when you log on to the device.

User authentication occurs after you provide the credentials to login to the client.

The supplicant has to send the machine credential and user credential for this to work.

Tarik Admani
*Please rate helpful posts*

Hi,

I am facing issues with ISE that client have to log off for the machine authentication as we are using PEAP. Just wanted to check if we move to certificate based authentication does this limitation go away as it annoys the users were they have to log off and log on again when they move from wired to wireless.

hardiklodhia
Level 1
Level 1

Will both work with MS XP default supplicant? any document ... Thanks again for your support.

Sent from Cisco Technical Support Android App

Here is the documentation for windows xp sp 3:

http://support.microsoft.com/kb/929847

Please dont forget to rate helpful posts and also mark this thread as resolved when you get a chance.

Thanks,

Tarik Admani
*Please rate helpful posts*