01-16-2024 06:48 PM
When "Verify the server's identity by validating the certificate" is enabled, what exactly is the supplicant doing? I can see issues with the supplicant trying to reach out to the CRL to validate that the cert is valid, so I assume the client isn't doing this. So if it's not reaching out to the CRL, what is the client using to "verify" that the cert it got back is valid?
01-16-2024 08:10 PM
This check is optional in Windows, and its purpose is to give the supplicant a way to check whether the Authenticating Server (ISE) that it's talking to is who it says it is. If you had a MITM, you might have your EAP session hijacked and then you're talking to a hacker's RADIUS server. If you perform these checks, then the ISE EAP certificate is validated against your client's CA trust store. That means your client MUST have the CA chain (that was used to sign the ISE EAP certificate) in its trust store. If you don't have this in your client, then your client will reject the ISE "Server Hello" EAP message.
Best practice in production: always enable this. There's no excuse.
01-17-2024 04:32 AM - edited 01-17-2024 04:36 AM
Thanks. So it simply validates that the chain exists in the cert store AND validates that the server cert from ISE is signed by the chain? Thus there is NO validation by the client of whether the chain OR the server cert has been revoked? Correct?
01-17-2024 07:43 AM
That is correct. Enabling the "Verify the server's identity" option will allow the client to verify that the certificate presented by ISE is actually issued by a trusted issuer, which you select from the "Trusted Root Certification Authorities" list. That validation includes verifying that the presented certificate has not expired. However, I don't believe the supplicant at that stage would be able to check whether the certificate has been revoked or not, because at that stage the client wouldn't yet have any network connectivity.
On the other hand, the second option, "Connect to these servers", would allow you to define which ISE nodes you want the supplicant to negotiate with. For instance, say you have eight PSNs on your network and you want that supplicant to talk only to two of those PSNs; in that case you can specify the names of those two PSNs. The names must be the same as they are configured in the PSNs' certificates.
01-17-2024 08:15 AM
Yeah, but that would also require setting configs on the switch or WLC as well to point the endpoint to only those PSNs.
I get the gist of what the "verify" is doing now. Thanks to both of you.