cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2090
Views
15
Helpful
5
Replies

User Cert Authentication Issue

fatalXerror
Enthusiast
Enthusiast

Hi Guys,

I am experiencing some issues that for some reason my user certificate is not able to use for 802.1x authentication even though my user certificate usage is set to Client Authentication.

Are there any permissions needed in the AD/GPO for the user cert to work for EAP-TLS authentication?

Thank you.

1 Accepted Solution

Accepted Solutions

This is not a bug, but rather how the Windows supplicant is designed to work. One of the criterion for 'Simple Certificate Selection' is that the supplicant will try to use the most recently issued certificate. Some cloud-based services (like Office 365) issue user certificates, so this can cause issues when these services install a user cert after the cert intended for 802.1x is enrolled.

As Mike mentioned, the way to mitigate this is using the Advanced > Configure Certificate Selection feature in the suppliant to specify the Issuer to use when selecting the computer/user certificate to present for 802.1x.

Screen Shot 2021-04-19 at 9.54.03 am.png

View solution in original post

5 Replies 5

Mike.Cifelli
VIP Advisor VIP Advisor
VIP Advisor

Please provide further information so the community can better assist.

-What supplicant are you using (native or nam)? If using native you can rely on GPO to deploy configuration.

-What is your supplicant config? Have you ensured that the supplicant is setup to support eap-tls? Is eap-tls supported in your radius policies?

-What are the errors you see in radius live logs?

-What is your port config?

-Did this work before at any point in time?

Hi Mike, thanks for the feedback. I am just using native supplicant and i confirmed that it is now configured for eap-tls authentication. The switch is also configured correctly and the ise.

 

Here is what i noticed during my troubleshooting. The endpoint have multiple user certs in its cert store and the usage of it are for client authentication. But, the endpoint always uses the other certificate which is signed by the "CommunicationServer" instead of the internal CA that is why in the ISE logs, it shows unknown CA in the cert chain. I even tried to specifically choose the correct user cert but still the endpoint uses the incorrect cert.

 

The question now is that why that endpoint is behaving like that? Is it a settings in GPO or AD or CA server?

 

Thanks

Mike.Cifelli
VIP Advisor VIP Advisor
VIP Advisor

So I am under the assumption that you have "Use Simple Certificate Selection" enabled, is that true?  You have two options IMO:

1 - add the chain for the cert it keeps picking in ISE trust store (sounds like you wish to not to do that)

2 - test configuring advanced Certificate Selection parameters so the supplicant selects the user cert that you wish to use in onboarding.

 

This is found in Native supp config under: Smartcard or other Certificate properties->when connection: advanced->then configure accordingly so that it uses the respective cert for user that you want to use in eap-tls negotiations.  BTW this can all be configured via GPO and deployed to domain clients.

HTH!

Hi Mike,

Yes, you are correct. The "Use Simple Certificate Selection" is enabled. Actually, I tried both of your options but the endpoint always uses the incorrect certificate which was signed by the so-called "Communication Server". 

Is these an AD or GPO settings, Windows bug, or network adapter's bug? It is a bit strange actually.

Thanks.

This is not a bug, but rather how the Windows supplicant is designed to work. One of the criterion for 'Simple Certificate Selection' is that the supplicant will try to use the most recently issued certificate. Some cloud-based services (like Office 365) issue user certificates, so this can cause issues when these services install a user cert after the cert intended for 802.1x is enrolled.

As Mike mentioned, the way to mitigate this is using the Advanced > Configure Certificate Selection feature in the suppliant to specify the Issuer to use when selecting the computer/user certificate to present for 802.1x.

Screen Shot 2021-04-19 at 9.54.03 am.png

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: