Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1242
Views
0
Helpful
6
Replies

Tying a Client Certificate to One Endpoint in ISE

Go to solution
s1nsp4wn
Level 1
Level 1

‎10-08-2019 12:48 PM - edited ‎02-21-2020 11:10 AM

Is there a way to tie a user's client certificate (EAP-TLS authentication) to one endpoint?  I'm looking to authenticate based on clients having the proper certificate but don't want them to be able to take that certificate, install it on another device, and authenticate onto our network?   Anyone have any tips on this?  TAC told me I can limit the number of concurrent sessions a user can have at once but didn't seem to have an answer on a configurable policy that ties one cert to one endpoint.

 

Thanks!

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Colby LeMaire
VIP Alumni
VIP Alumni

‎10-08-2019 12:55 PM

When you issue a certificate, you can specify that it is not exportable.  So in that case, the user would not have the ability to export the certificate off of the machine.  If it is a machine certificate, you can also try to issue it with the MAC address of the device in a SAN attribute.  Then on ISE, you can make sure the SAN value matches the calling-station-id (MAC address).  What are you using as a CA to issue certificates?  Are these machine certificates or user certificates?

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Colby LeMaire
VIP Alumni
VIP Alumni

‎10-08-2019 12:55 PM

When you issue a certificate, you can specify that it is not exportable.  So in that case, the user would not have the ability to export the certificate off of the machine.  If it is a machine certificate, you can also try to issue it with the MAC address of the device in a SAN attribute.  Then on ISE, you can make sure the SAN value matches the calling-station-id (MAC address).  What are you using as a CA to issue certificates?  Are these machine certificates or user certificates?

0 Helpful

Go to solution
s1nsp4wn
Level 1
Level 1
In response to Colby LeMaire

‎10-08-2019 01:20 PM

These are user certificates and the internal CA is a Windows server running ADCS. Not sure how we'd push these to Mac and Linux distros just yet.
0 Helpful

Go to solution
Colby LeMaire
VIP Alumni
VIP Alumni
In response to s1nsp4wn

‎10-08-2019 01:27 PM

There are a number of ways to do it.  One is using the Web Enrollment feature for MS CA servers.  A user goes to a particular web URL to enroll and get a certificate.  For MACs, one of my previous customers used AirWatch to enroll machines and users for certificates.  There is also the manual enrollment where you generate the CSR on the Linux machine using openssl, send the CSR to the CA administrator, they sign it and return the public key, then bind the two on the Linux machine.

0 Helpful

Go to solution
s1nsp4wn
Level 1
Level 1
In response to Colby LeMaire

‎10-08-2019 01:34 PM

This is going to be an MDM for all wireless devices, ADCS for Windows, MAC and Linux we're probably gonna do something similar per your suggestion.
0 Helpful

Go to solution
s1nsp4wn
Level 1
Level 1
In response to Colby LeMaire

‎10-14-2019 08:04 AM

Not sure how to implement the latter yet, but the former is pretty simple.  I'll just need a way to utilize OSCP for revocation and something else for expiration.  Thank you.

0 Helpful

Go to solution
Colby LeMaire
VIP Alumni
VIP Alumni

‎10-08-2019 01:13 PM

Here is a screenshot showing the certificate template configuration for a computer certificate.  Similar options would be available in the user certificate template.  The option to allow the private key to be exported is what you want to make sure is not allowed.  This is on a Windows 2019 1809 Certificate Server.  Your options may be worded differently.

cert_template.jpg

0 Helpful
Customers Also Viewed These Support Documents