07-25-2024 07:26 PM - last edited on 07-26-2024 01:41 AM by shazubai
Dear Community,
Currently we plan to test EAP-FAST (EAP-MSCHAPv2, EAP-TLS) authentication.
The machine joins the domain and gets a certificate to become a trusted device. What if another new machine imports the certificate (exported from the trusted machine)? Does it work or not for the new machine's connection to ISE? Thanks.
Thanks,
07-26-2024 09:02 PM
Hi, if you mark the certificate as non-exportable it will provide protection, but if it's not TPM-protected, then malware may be able to export it.
The best protection is to use TPM, and not all machines have TPM (older ones), but at least blocking private key export in your cert template is a good fallback.
https://polansky.co/blog/tpm-backed-certificates-windows/
**Please click on Helpful button if this was useful**
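A way to check the two properties the answer above relies on, as an added example that is not part of the original post: it lists machine-store certificates whose private key is exportable or is not held by the TPM key storage provider. The function name `Get-CertKeyProtection` and the default store path are assumptions made for illustration.

```powershell
# Added example (not from the thread). Run in an elevated session:
# machine private keys are not readable from an unprivileged one.
$TpmKsp = 'Microsoft Platform Crypto Provider'   # Windows TPM-backed key storage provider

function Get-CertKeyProtection {                 # hypothetical helper name
    param([string]$StorePath = 'Cert:\LocalMachine\My')   # assumed store

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $provider = 'unknown'
        $exportable = $null
        try {
            # Try RSA first, then ECDSA; each returns $null for the other key type.
            $ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
            $key = $ext::GetRSAPrivateKey($cert)
            if (-not $key) {
                $ext = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]
                $key = $ext::GetECDsaPrivateKey($cert)
            }
            if ($key.Key) {
                # CNG key (RSACng / ECDsaCng): provider name and export policy flags.
                $provider = $key.Key.Provider.Provider
                # 3 = AllowExport (1) + AllowPlaintextExport (2) in CngExportPolicies.
                $exportable = ([int]$key.Key.ExportPolicy -band 3) -ne 0
            } elseif ($key.CspKeyContainerInfo) {
                # Legacy CryptoAPI key (RSACryptoServiceProvider).
                $provider = $key.CspKeyContainerInfo.ProviderName
                $exportable = $key.CspKeyContainerInfo.Exportable
            }
        } catch {
            $provider = "unreadable ($($_.Exception.Message))"
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = $provider
            TpmBacked  = ($provider -eq $TpmKsp)
            Exportable = $exportable
        }
    }
}

# Show only the certificates that fall short of "non-exportable with TPM".
Get-CertKeyProtection |
    Where-Object { -not $_.TpmBacked -or $_.Exportable } |
    Format-Table -AutoSize
```

Rows with `TpmBacked` false and `Exportable` false are the fallback case from the answer: export is blocked by policy, but the key is still held in software.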
07-28-2024 06:56 PM
Dear @ccieexpert ,
If we do not put a passkey on the certificate and someone performs this case, does it work?
Thanks,
07-28-2024 07:15 PM
I am not understanding your question?
Some certificates you can put a password on, etc., but the password is not very helpful as it can be cracked... What I am saying is that making it non-exportable is good. The best option is to use non-exportable with TPM for best security.
**Please click on Helpful button if this was useful**
07-28-2024 07:27 PM - edited 07-28-2024 07:28 PM
OK, understood. Thanks.
07-28-2024 07:36 PM
You're welcome :)
**Please don't forget to rate as helpful and also accept as solution if this was indeed helpful**