01-12-2018 06:34 AM
Just renewed the certificates on ISE 1.4 and now when I log in to wireless with my AD credentials I am allowed straight onto the network.
I can even log in with my Android device with my AD login details.
Have I missed something when renewing certs? Before, if the device I was trying to connect from did not have the certificate on it, it would fail to connect.
Any help would be much appreciated.
01-16-2018 04:32 AM
Garry,
Not sure, but it sounds like you are confusing two different issues here. The original post was about renewing the EAP-TLS cert in ISE. We have answered that question. As long as your GPO policy is set up correctly to validate the server cert and to trust the CA that issued the EAP-TLS cert, and you use the same CA to issue the new ISE cert, there should be no issues seen on the client side when you renew your ISE cert.
If you are doing EAP-TLS computer/user authentication for your wireless SSID, you have the issue of users not being able to log into machines the first time on wireless. When the user tries to log into the machine for the first time, the OS tries to transition to user-mode authentication, but there is no certificate for the user as it is their first time logging in. Typically they have to plug into the wire (assuming it is not running authentication), log in the first time, autoenroll their user cert, and then they can connect to wireless just fine.
Also, just to be sure, when you say "It asks me for AD credentials", what is asking you for AD credentials? Do you mean you are logging into your machine, or you are providing AD credentials to connect to the wireless SSID?
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
01-12-2018 07:44 AM
Prompting for the certificate of the EAP server is client-OS dependent. Android usually does not prompt for it, even for the first time network login.
01-12-2018 12:58 PM
The clients don't trust the ISE cert specifically. They trust the CA that issues the ISE cert used for EAP authentication. As long as you got a certificate from the same CA the clients should connect without an issue. iOS devices like to complain no matter what, but as a general rule if you renew with cert from same provider there shouldn't be any prompts.
01-13-2018 03:27 PM
For Apple iOS, it depends on whether it is an ad-hoc connection or one with a configuration profile that contains the trusted certificate(s) for the EAP server(s). Ad-hoc connections are more sensitive to a change in the EAP server certificates.
Android 7.1, for example, on Google Nexus phones enforces picking an option for the CA certificate instead of prompting to confirm the EAP certificate.
01-15-2018 12:41 AM
Thanks for the info guys.
I understand what you are saying, but in the past if I tried to connect to the wireless and the certificate was not on the client, the login would fail.
But now even a Windows client without the cert connects. Not what should happen.
01-15-2018 09:51 AM
For Windows, we need to check the authentication properties on the network connection. See this CERTIFICATE ERROR ON WINDOWS 8.1 PC CONCERNING EAP AUTH
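As an added example (not from this thread or from Cisco), here is a PowerShell check for the settings hslai and Paul refer to: whether the Windows supplicant validates the EAP server certificate, pins the issuing CA, and checks the server name. It reads the profile XML that `netsh wlan export profile` writes; the element names follow that EAP-TLS/PEAP schema, and `$sampleProfile` is a constructed, deliberately weak fragment, not a profile from any real machine.

```powershell
# Audit a Windows WLAN profile's EAP ServerValidation block (added example).
function Test-EapServerValidation {
    param([Parameter(Mandatory)][xml]$Profile)
    # Namespace-agnostic lookups: <EapType> carries a method-specific xmlns.
    $sv = $Profile.SelectSingleNode("//*[local-name()='ServerValidation']")
    if (-not $sv) {
        return [pscustomobject]@{ Status = 'NoServerValidationElement'; Findings = @() }
    }
    $findings = @()
    $noPrompt = $sv.SelectSingleNode("*[local-name()='DisableUserPromptForServerValidation']")
    $names    = $sv.SelectSingleNode("*[local-name()='ServerNames']")
    $roots    = @($sv.SelectNodes("*[local-name()='TrustedRootCA']") | ForEach-Object { $_.InnerText.Trim() })
    # PerformServerValidation only exists in V2-extension profiles; absent in V1-only ones.
    $perform  = $Profile.SelectSingleNode("//*[local-name()='PerformServerValidation']")
    if ($perform -and $perform.InnerText.Trim() -eq 'false') {
        $findings += 'Server certificate validation disabled: client accepts any EAP server.'
    }
    if ($roots.Count -eq 0) {
        $findings += 'No TrustedRootCA pinned: any root in the machine store is accepted.'
    }
    if (-not $names -or [string]::IsNullOrWhiteSpace($names.InnerText)) {
        $findings += 'ServerNames empty: the EAP server identity is not checked.'
    }
    if (-not $noPrompt -or $noPrompt.InnerText.Trim() -eq 'false') {
        $findings += 'User prompt allowed: users can click through to an untrusted server.'
    }
    [pscustomobject]@{ Status = $(if ($findings) { 'Weak' } else { 'Ok' }); Findings = $findings }
}

# Constructed weak EAP-TLS fragment, trimmed to the relevant part of a netsh export.
[xml]$sampleProfile = @"
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>13</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
        <ServerValidation>
          <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
          <ServerNames></ServerNames>
        </ServerValidation>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
"@
Test-EapServerValidation -Profile $sampleProfile   # Status 'Weak', three findings

# Against real exports (profile name and folder are placeholders):
#   netsh wlan export profile name="Corp-WiFi" folder=C:\temp key=clear
#   Get-ChildItem C:\temp\*.xml | ForEach-Object { [xml]$p = Get-Content $_ -Raw; Test-EapServerValidation $p }
```

A profile that reports `Ok` matches the condition in the accepted answer: the client validates the server cert against a pinned CA, so renewing the ISE cert from the same CA is transparent to clients.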
01-16-2018 12:21 AM
@hslai
Thanks for the reply. In the past we would always build the Windows device on the wire and AD group policy would push the cert down to the device.
Then the device would be allowed to connect.
If the device did not have the cert it would fail to connect.
So what is happening now is when connecting to wireless, it asks for AD credentials and then lets me log in.
But in the past it would fail saying something about cert.
01-16-2018 05:08 AM
Paul.
Thanks for the reply... I was thinking it was the cert we had renewed that was the issue.
But the second paragraph of your reply is exactly what is happening.
Just to confirm the AD credentials I am using are for logging into the Wifi.