
Testing EAP-FAST (EAP-MSCHAPv2, EAP-TLS)

Da ICS16
Level 1

Dear Community,

Currently we plan to test EAP-FAST (EAP-MSCHAPv2, EAP-TLS) authentication.

The machine joins the domain and gets a certificate to become a trusted device. What if another new machine imports the certificate (exported from the trusted PC)? Does it work or not for the new machine's connection to ISE? Thanks.

Thanks,

5 Replies

ccieexpert
Spotlight

Hi, if you mark the certificate as non-exportable it will provide protection, but if it's not TPM-protected, then malware may be able to export it.

The best protection is to use TPM, and not all machines have TPM (older ones), but at least blocking private key export in your cert template is a good fallback.

https://polansky.co/blog/tpm-backed-certificates-windows/

**Please click on Helpful button if this was useful**

Dear @ccieexpert,

If we do not put a passkey on the certificate and someone performs this case, does it work?

Thanks,

ccieexpert
Spotlight

I am not understanding your question?

Some certificates you can put a password on, etc., but the password is not very helpful as it can be cracked. What I am saying is that making it non-exportable is good. The best option is to use non-exportable with TPM for best security.

**Please click on Helpful button if this was useful**
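
One way to check the two properties discussed in the replies above (non-exportable private key, TPM-backed storage) on a Windows endpoint, as an added example that is not part of the original thread. It assumes the machine certificate is in `Cert:\LocalMachine\My` and treats the "Microsoft Platform Crypto Provider" key storage provider as the indicator of a TPM-backed key.

```powershell
# Added example: audit machine certificates for TPM-backed, non-exportable private keys.
# Run from an elevated session so the machine private keys can be opened.
$tpmProvider = 'Microsoft Platform Crypto Provider'   # Windows KSP for TPM-backed keys
$x509 = 'System.Security.Cryptography.X509Certificates'

Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey | ForEach-Object {
    $cert = $_
    $provider = 'unknown'
    $exportable = $null
    try {
        # Try RSA first, then ECDSA; each call returns $null if the key type does not match.
        $key = ("$x509.RSACertificateExtensions" -as [type])::GetRSAPrivateKey($cert)
        if (-not $key) {
            $key = ("$x509.ECDsaCertificateExtensions" -as [type])::GetECDsaPrivateKey($cert)
        }

        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CAPI key: export flag lives on the container info.
            $provider   = $key.CspKeyContainerInfo.ProviderName
            $exportable = $key.CspKeyContainerInfo.Exportable
        }
        elseif ($key -and $key.Key) {
            # CNG key (RSACng / ECDsaCng): read provider and export policy from the CngKey.
            $provider   = $key.Key.Provider.Provider
            $policy     = $key.Key.ExportPolicy
            $exportable = $policy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport) -or
                          $policy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport)
        }
    }
    catch {
        $provider = "error: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        KeyProvider = $provider
        TpmBacked   = ($provider -eq $tpmProvider)
        Exportable  = $exportable
    }
} | Format-Table -AutoSize
```

A certificate reported with `TpmBacked = False` and `Exportable = True` is one whose private key can be exported and imported on another machine, which is the case the original question describes.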

you

OK understand. thanks.

ccieexpert
Spotlight

You're welcome :)

**Please don't forget to rate as helpful and also accept as solution if this was indeed helpful**