Problem with wired 802.1X using user or computer certificate

Richard Poon
Level 1

We have a wired authentication issue and I can't find a solution. The problem is this: we use user or computer certificates issued by a Windows domain CA for authentication, and it works fine. The certificates are enrolled automatically through GPO when a PC joins the domain or a user logs on to Windows with a domain account. The issue happens the first time a PC joins the domain or a user logs on to Windows, which is when the certificates are not loaded yet. It seems like a "chicken or egg" type of problem. Just wondering if anyone has encountered a similar issue and how to solve it.


Thanks

Richard Poon

3 Replies

Damien Miller
VIP Alumni
It's always going to be an issue if you do not allow some other type of method for these machines to get on the network.

How you solve it is unique to each environment; there is no one-size-fits-all due to differing security requirements. Often the easiest solution is to provide a MAB rule allowing the machine to reach AD, but that may not fly with security policy. An alternative could be leveraging the PC team: making sure the machine is AD-joined before entering the field, ensuring that the machine cert is provisioned, and then having a machine-auth-only policy.

A machine-auth-only policy won't work, since by design only the user certificate will be presented once a user is logged in to the PC. Then the port will become unauthenticated within a minute because the machine certificate is not visible to the switch port.

Damien Miller's suggestion of allowing it to fall back to MAB should be a valid solution.
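The MAB fallback suggested above (and endorsed in the last reply) can be expressed as a Cisco IOS access-port configuration; the block below is an added example, not configuration from the thread or from Cisco. The interface, VLAN, domain-controller subnet and ACL name are constructed placeholders, and it assumes the RADIUS server's MAB rule authorizes a not-yet-enrolled PC with only the narrow AD/enrollment access that the ACL models (for example by returning a dACL of the same shape).

```text
! Constructed example: 802.1X (EAP-TLS) first, MAB second, so a PC whose
! machine certificate is not enrolled yet can still reach AD and the CA.
ip device tracking
!
ip access-list extended PRE-ENROLL-AD-ONLY
 remark Placeholder DC/CA subnet 10.0.0.0/24; adjust to the environment
 permit udp any eq bootpc any eq bootps          ! DHCP
 permit udp any 10.0.0.0 0.0.0.255 eq domain     ! DNS to the DCs
 permit udp any 10.0.0.0 0.0.0.255 eq ntp        ! time sync for Kerberos
 permit tcp any 10.0.0.0 0.0.0.255 eq 88         ! Kerberos
 permit udp any 10.0.0.0 0.0.0.255 eq 88
 permit tcp any 10.0.0.0 0.0.0.255 eq 389        ! LDAP
 permit tcp any 10.0.0.0 0.0.0.255 eq 636        ! LDAPS
 permit tcp any 10.0.0.0 0.0.0.255 eq 3268       ! Global Catalog
 permit tcp any 10.0.0.0 0.0.0.255 eq 445        ! SMB (GPO, SYSVOL)
 permit tcp any 10.0.0.0 0.0.0.255 eq 135        ! RPC endpoint mapper (CA enrollment)
 permit tcp any 10.0.0.0 0.0.0.255 range 49152 65535 ! RPC dynamic ports
 deny   ip any any log                            ! everything else stays blocked
!
interface GigabitEthernet1/0/10
 description Placeholder user port: dot1x with MAB fallback
 switchport mode access
 switchport access vlan 100
 ! Default port ACL; a dACL from the RADIUS MAB rule would override it
 ip access-group PRE-ENROLL-AD-ONLY in
 ! Try dot1x first, fall back to MAB when the supplicant fails or stays silent
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 ! Periodic re-auth from the server so the port re-evaluates after user logon
 authentication periodic
 authentication timer reauthenticate server
 authentication host-mode multi-auth
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

Once the GPO has enrolled the certificate, the next re-authentication succeeds via EAP-TLS and the full-access authorization replaces the restricted one, which is the transition the original question describes.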