Secure ACS 5.8.0.32 - Issues setting up certificate based access using specific wifi certificate.

Bails1664
Level 1
Hi,

I am currently looking at a RADIUS wifi solution setup but I'm having some issues with getting the devices to connect using a specific certificate.

I have added the cert to the Certification Authority and it is part of the Group Policy within Windows. I have also created a compound condition that uses the Certificate Dictionary > Common Name and have entered the name of the cert, but I still keep getting Default Rule selection (DenyAccess).

I am using PEAP with MSCHAPv2 inner method. I have had the clients connecting fine, however when I'm trying to be more specific with the certificate it uses to check, it fails every time.

I have attached a screenshot showing the current rule setup.

Could someone please provide some assistance?

10 Replies

Arne Bier
VIP

With EAP-PEAP the supplicant (e.g. Windows client) doesn't even need to trust the Authenticating Server (i.e. ACS/ISE) since this is an optional thing. And since EAP-PEAP doesn't use client-side certificates, the whole setup and testing is quite easy ... as you found out.

With EAP-TLS however, the supplicant provides a certificate to ACS. And if I understand your question, this is where you are having issues. ACS has to be equipped to trust the CA (Certificate Authority) that issued the supplicant's certificate - and in fact, it needs the entire CA certificate chain, if this happens to be more than one CA (e.g. Root CA, Policy CA, Issuing CA). The certificate that the Windows PC (as an example) offers to ACS will be examined. And here I don't know what you want to achieve next: a) Do you want to check whether the client cert was issued by the correct Issuing CA? In that case you need to check the "Issued By" and not the Common Name. Or b) Do you want to check each certificate's Common Name to see whether it exists in AD? Remember that each certificate will be issued with a unique Common Name. Thus, what are you trying to check for?

In most cases it's sufficient to check that you are dealing with a client cert that has some characteristic that you like or that you need to enforce - e.g. was it issued by the correct issuing CA (check the "Issued By" field)? If yes then happy days.

Hi Arne,

Thanks for the response.

What I am looking at doing is essentially creating a Client access certificate that we can push out to corporate wi-fi enabled devices (via Windows group policy) and have ACS check if the certificate is present?

The client device will need to be part of the two Active Directory groups (Domain Computers and the Wi-Fi Devices), then it will check if a certificate is present on that machine. If all are present, then the machine will be authenticated. Then the next rule will be to check the user once they log in to the machine. The users will only then be authenticated if there has been successful machine authentication.

Many Thanks

N

That seems a pretty standard approach. Have you looked into the MAR (Machine Access Restriction) feature? It will help you block any user who tries to log into a machine that has not had a machine authentication in the last defined period of time (e.g. 8 hours). It's a cool feature but it has caveats. E.g. the famous examples are the issues you'll face when a user suspends/sleeps a laptop for more than 8 hours. User unsuspends, and then cannot log in, because ACS/ISE MAR has restricted you! **bleep**! Reboot solves the problem. The other classic faux pas is, user boots up on WiFi and logs in - and then switches to LAN cable - user no longer can log in because MAR only authenticated the wifi MAC address! Doh!

Apparently AnyConnect comes to the rescue ... don't ask me - I am still learning this stuff too.
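The two MAR caveats above (the long sleep and the Wi-Fi-to-LAN switch) are easy to reproduce in a small model. The following is an added example, not code from the thread or from Cisco: it keeps a per-MAC cache of the last successful machine authentication and decides each user authentication against an 8-hour window. The MAC addresses, timestamps and event sequence are constructed; real ACS/ISE MAR also has other inputs, so this only illustrates the window and MAC-keying behaviour the post describes.

```python
# Added example (not from the thread or from Cisco): a toy model of MAR
# behaviour, run over a constructed sequence of RADIUS events.
import datetime as dt

MAR_WINDOW = dt.timedelta(hours=8)   # the "defined period" from the post


class MarCache:
    """Remembers the last successful machine authentication per MAC address."""

    def __init__(self, window=MAR_WINDOW):
        self.window = window
        self._last_machine_auth = {}

    def machine_authenticated(self, mac, when):
        self._last_machine_auth[mac.lower()] = when

    def check_user(self, mac, when):
        """Return (allowed, reason) for a user authentication from this MAC."""
        last = self._last_machine_auth.get(mac.lower())
        if last is None:
            return False, "no machine authentication seen for this MAC"
        age = when - last
        if age > self.window:
            return False, f"machine auth is {age} old, window is {self.window}"
        return True, f"machine auth {age} ago"


def evaluate_events(events, window=MAR_WINDOW):
    """events: (timestamp, mac, kind) with kind 'machine' or 'user'.
    Returns one (timestamp, mac, allowed, reason) row per user event."""
    cache = MarCache(window)
    rows = []
    for when, mac, kind in sorted(events):
        if kind == "machine":
            cache.machine_authenticated(mac, when)
        elif kind == "user":
            allowed, reason = cache.check_user(mac, when)
            rows.append((when, mac, allowed, reason))
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return rows


# Constructed sample data: one laptop with a Wi-Fi NIC and a wired NIC.
T0 = dt.datetime(2024, 3, 4, 8, 0)
WIFI_MAC, LAN_MAC = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"

SAMPLE_EVENTS = [
    (T0, WIFI_MAC, "machine"),                                     # boot on Wi-Fi
    (T0 + dt.timedelta(minutes=2), WIFI_MAC, "user"),              # normal login
    (T0 + dt.timedelta(minutes=10), LAN_MAC, "user"),              # docked onto LAN
    (T0 + dt.timedelta(hours=9), WIFI_MAC, "user"),                # resume after 9h sleep
    (T0 + dt.timedelta(hours=9, minutes=5), WIFI_MAC, "machine"),  # reboot
    (T0 + dt.timedelta(hours=9, minutes=7), WIFI_MAC, "user"),     # login after reboot
]


def decisions(events=SAMPLE_EVENTS):
    """Just the allow/deny column, in event order."""
    return [allowed for _, _, allowed, _ in evaluate_events(events)]


if __name__ == "__main__":
    for when, mac, allowed, reason in evaluate_events(SAMPLE_EVENTS):
        print(when.time(), mac, "ALLOW" if allowed else "DENY", "-", reason)
```

Running it shows the pattern from the post: the first login is allowed, the LAN login is denied because the cache is keyed on the Wi-Fi MAC, the post-sleep login is denied because the last machine authentication is older than the window, and a reboot (a fresh machine authentication) clears it.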

Hi,

I am still having issues with the machine being granted access when using the certificate dictionary. I am currently looking at the certificate issuer as that is a pretty standard setting, but it doesn't seem to be recognising the fact.

When the compound condition for Certificate Dictionary is used, does it check a specific folder on the local machine certificate store?

Also, I have the Group Policy object that deploys the wifi profile set up to use Microsoft: Protected EAP (PEAP).

When doing certificate based (X.509) authentication on wired or wireless, you are using EAP-TLS, and not EAP-PEAP. 

The compound condition is not related to the certs on the client (supplicant). During EAP-TLS negotiation there is a mutual exchange of certificates. The AAA server sends its own cert (the one ACS has assigned for EAP purposes) and then the client (supplicant) sends its client cert. When ISE receives the client cert it will be able to analyse its contents, using the Policies. If the client sends the wrong cert then there is nothing ISE can do about it. It's important that the Windows/OSX/Linux supplicant is configured to return the correct cert to the AAA server. This is sometimes tricky and confusing, but at least in Windows it's possible to pin it down to either a Machine Cert or a User Cert.
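Both sides of the EAP-TLS exchange described above (and the "Issued By" versus "Common Name" distinction from Arne's first reply) can be modelled in a few dozen lines. The block below is an added example, not code from the thread or from Cisco, and it assumes the Python `cryptography` package. It builds a constructed two-level chain (Corp Root CA, Corp Issuing CA), issues a machine certificate, and then shows: on the supplicant side, picking the certificate with the Client Authentication EKU from the expected issuer; on the AAA side, an "Issued By" rule that also verifies the signature chain up to a trusted root, next to a Common Name rule that is only a string match. A second certificate with the same Common Name from a CA the server does not trust ("Lab Test CA", also constructed) passes the CN-only rule and fails the Issued-By rule, which is why the issuer check is the safer policy anchor. All CA names, host names and store contents are assumptions made for the example.

```python
# Added example (not from the thread or from Cisco): a miniature model of the
# EAP-TLS certificate checks discussed above, using the `cryptography` package.
# Every CA name, host name and "certificate store" below is constructed.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

CORP_ROOT_CA = "Corp Root CA"          # constructed
CORP_ISSUING_CA = "Corp Issuing CA"    # constructed
LAB_CA = "Lab Test CA"                 # constructed: a CA the server does not trust
MACHINE_CN = "LAPTOP01.corp.example"   # constructed


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cn(name):
    return name.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def make_cert(subject_cn, issuer_cn, issuer_key, is_ca, client_auth=False):
    """Issue a cert for subject_cn signed by issuer_key (self-signed if None)."""
    key = ec.generate_private_key(ec.SECP256R1())
    start = datetime.datetime(2024, 1, 1)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if client_auth:
        # Client Authentication EKU: what the supplicant looks for when choosing an EAP-TLS cert
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
    signer = key if issuer_key is None else issuer_key
    return builder.sign(signer, hashes.SHA256()), key


def _signed_by(cert, issuer):
    """True if cert's signature verifies under issuer's public key."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def chains_to_trusted_root(cert, intermediates, trusted_roots):
    """Follow issuer links (client -> Issuing CA -> Root CA) until a trusted root signs."""
    for _ in range(len(intermediates) + 1):
        if any(cert.issuer == r.subject and _signed_by(cert, r) for r in trusted_roots):
            return True
        parents = [c for c in intermediates if c.subject == cert.issuer and _signed_by(cert, c)]
        if not parents:
            return False
        cert = parents[0]
    return False


def issued_by_rule(cert, expected_issuer_cn, intermediates, trusted_roots):
    """'Issued By' style check, plus proof the issuer really sits in the trusted chain."""
    return _cn(cert.issuer) == expected_issuer_cn and chains_to_trusted_root(
        cert, intermediates, trusted_roots)


def common_name_rule(cert, allowed_cns):
    """'Common Name' style check on its own: a string match, not a trust decision."""
    return _cn(cert.subject) in allowed_cns


def pick_client_cert(store, required_issuer_cn):
    """Supplicant side: choose the cert with the Client Auth EKU from the wanted issuer."""
    for cert in store:
        try:
            eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        except x509.ExtensionNotFound:
            continue
        if ExtendedKeyUsageOID.CLIENT_AUTH in eku and _cn(cert.issuer) == required_issuer_cn:
            return cert
    return None


def build_lab():
    """Constructed PKI: corporate root + issuing CA, one machine cert, one lab-CA cert."""
    root, root_key = make_cert(CORP_ROOT_CA, CORP_ROOT_CA, None, True)
    issuing, issuing_key = make_cert(CORP_ISSUING_CA, CORP_ROOT_CA, root_key, True)
    machine, _ = make_cert(MACHINE_CN, CORP_ISSUING_CA, issuing_key, False, True)
    _lab_root, lab_key = make_cert(LAB_CA, LAB_CA, None, True)
    lab_cert, _ = make_cert(MACHINE_CN, LAB_CA, lab_key, False, True)  # same CN, untrusted CA
    return {"roots": [root], "intermediates": [issuing], "machine": machine, "lab": lab_cert}


def evaluate(lab, cert):
    """Outcome of both rule styles for one presented client cert."""
    return {
        "cn_only": common_name_rule(cert, {MACHINE_CN}),
        "issued_by": issued_by_rule(cert, CORP_ISSUING_CA, lab["intermediates"], lab["roots"]),
    }


if __name__ == "__main__":
    lab = build_lab()
    for label in ("machine", "lab"):
        print(label, evaluate(lab, lab[label]))
```

The `pick_client_cert` step is the part the Windows supplicant does for you when the wireless profile is set to EAP-TLS with a machine certificate; `evaluate` is the part the AAA policy does once the certificate arrives. If the profile is still set to PEAP, no client certificate is sent at all, so a Certificate Dictionary condition has nothing to match and the default DenyAccess rule fires.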

Thanks again Arne,

So do I need to be distributing the ACS cert to the clients?

Or do I need to create a new client-based cert that is distributed to all wireless clients?

Sorry if I'm asking silly questions.

Cheers

Neil

Hi,

I have managed to get the device to authenticate successfully with a device cert, however is it possible to also have AD groups checked at the same time during authentication?

So have a cert as well as be part of an AD group before authentication completes?

*Please see attachment showing current rule setup. (I know Rule 2 is disabled)

Cheers

N

Hi

Well done on making the progress.

I don't work much in ACS these days other than being busy migrating off of it, and onto ISE, so I can't offer too much config advice on ACS. In the ISE world, checking the AD Groups is an authorization step. You can fail the user at the Authorization stage by checking for group membership.

Thanks,

So would I be correct in saying that I can use the EAP-TLS protocol to authenticate devices with a certificate and also use AD external groups as part of the authentication policy?

Appreciate the assistance.

Cheers

N

Is anyone able to answer the above?

I am struggling to find an answer to my issue at present.

Many Thanks
N