Public cert issue with Windows.

Dustin Anderson
VIP Alumni

So, with the push with Android to require public certs, we are testing using a public cert for ISE, but as EAP is an all or nothing, we are seeing an issue with our wired devices.

 

We are testing setting 802.1x to trust Comodo CA for certs, but see mixed results. 

Info on our setup:

1: All ports start with an ACL on the switch called unauth that blocks most except AD controllers until authenticated.

2: PCs are in a user or computer auth so ISE can see if the PC is domain joined.

 

With Comodo checked on the PC, we can see the PC itself auth, but when a user logs in, it gets stuck, or fails auth. From a pcap, I can see the PC trying to go out to ocsp.comodoca.com, but the unauth ACL blocks this. The weird thing is if you let it sit for a min or so before logging in, it will usually work.

 

So, my question is I can't be the only one to use/try public certs. How do you fix the issue? Tell the PCs to not validate? Give them internet access to validate?

 

One thing I see is OCSP Stapling, but it looks like this is not supported in ISE.


2 Replies

hslai
Cisco Employee

If you are able to give access to the OCSP URL, please try that. Also, please give this feedback to Microsoft.

On OCSP stapling, it seems still early days, per CRL or OCSP checking from the client during dot1x:

...

OCSP stapling can be used to supply the OCSP status as part of the server certificate response. This is part of EAP-TLS with TLS 1.3.

...
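The OCSP responder that the unauth ACL is blocking is named in the EAP server certificate itself, so the first step in deciding what to permit is to read it out of the chain. This is an added shell example, not code from the thread; it builds a throwaway certificate with a constructed AIA OCSP URL standing in for the public ISE certificate, and assumes openssl is installed.

```shell
#!/bin/sh
# Added example (not from the thread): list the revocation endpoints a
# supplicant contacts while validating the ISE EAP-TLS server certificate,
# so they can be allowed through the pre-auth ("unauth") ACL or firewall.
# Assumes openssl is available; the certificate below is constructed locally.
set -e

WORK=$(mktemp -d)

# Print every OCSP responder URL carried in the certificate's AIA extension.
# A Windows supplicant tries to reach these during server-cert validation.
ocsp_uris() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Print only the hostname of each OCSP URL: a switch ACL cannot match an
# FQDN, so these names go to the firewall rule (or are resolved to IPs).
ocsp_hosts() {
    ocsp_uris "$1" | sed -E 's#^[a-z]+://([^/:]+).*#\1#'
}

# Build a self-signed cert with a constructed AIA OCSP entry and CRL
# distribution point, standing in for a public (e.g. Comodo-issued) cert.
make_sample_cert() {
    cat > "$WORK/ext.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = ise.example.test
[ext]
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/
crlDistributionPoints = URI:http://crl.example.test/ca.crl
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -config "$WORK/ext.cnf" -extensions ext >/dev/null 2>&1
    echo "$WORK/cert.pem"
}

CERT=$(make_sample_cert)
echo "OCSP responders the pre-auth ACL/firewall must allow:"
ocsp_hosts "$CERT"
```

Run the same two functions against the real ISE certificate and each issuing CA in the chain, since every link can carry its own OCSP responder.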

Dustin Anderson
VIP Alumni

Thanks, I was afraid of that, but it may be the only option. As an ACL cannot do FQDN, I may have to give them port 80 access and use the firewall to do the FQDN access.

 

All this because Android is starting to force cert validation.