Verify the Server's Identity

ryanbess
Level 1

When "Verify the server's identity by validating the certificate" is enabled, what exactly is the supplicant doing?  I can see issues with the supplicant trying to reach out to the CRL to validate that the cert is valid, so I assume the client isn't doing this.  So if it's not reaching out to the CRL, what is the client using to "verify" that the cert it got back is valid?

4 Replies

Arne Bier
VIP

This check is optional in Windows and its purpose is to give the supplicant a way to check whether the Authenticating Server (ISE) that it's talking to is who it says it is.  If you had a MITM you might have your EAP session hijacked and then you're talking to a hacker's RADIUS server - if you perform these checks, then the ISE EAP certificate is validated against your client's CA trust store - that means your client MUST have the CA chain (that was used to sign the ISE EAP certificate) in its trust store. If you don't have this in your client, then your client will reject the ISE "Server Hello" EAP message.

Best practice in production - always enable this. There's no excuse

Thanks.  So it simply validates the chain exists in the cert store AND validates the server cert from ISE is signed by the chain?  Thus there is NO validation by the client that the chain NOR the server cert has been revoked?  Correct?

That is correct, enabling the "Verify the server's identity" option will allow the client to verify that the certificate that will be presented by ISE is actually issued by a trusted issuer which you select from the "Trusted Root Certification Authorities" list. That validation includes verifying that the presented certificate hasn't expired. However, I don't believe the supplicant at that stage would be able to check if the certificate has been revoked or not, because at that stage the client wouldn't yet have any network connectivity.

On the other hand, the second option "Connect to these servers" would allow you to define which ISE nodes you want the supplicant to negotiate with. For instance, say you have eight PSNs on your network, and you want that supplicant to talk only to two of those PSNs; in that case you can specify the names of those two PSNs. The names must be the same as they are configured on the PSNs' certificates.
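A model of the two checks described in this thread, as an added Go example that is not code from the thread, from Windows, or from ISE. The PKI it builds (the "Constructed Corp Root CA" root and the psn1.example.com server name) is constructed for the demo; the point it shows is that the supplicant-side check is chain plus validity period plus optional name match, with no CRL or OCSP lookup anywhere.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // root CA ("Trusted Root Certification Authorities" entry): self-signed
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // ISE EAP server certificate: carries the PSN name used by "Connect to these servers"
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// SupplicantCheck models the supplicant's check before it has any network access: chain to the
// selected trusted root, enforce the validity dates, match a configured server name. No CRL/OCSP.
func SupplicantCheck(server, trustedRoot *x509.Certificate, allowedNames []string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	if _, err := server.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err // untrusted issuer, bad signature, or outside the validity period
	}
	if len(allowedNames) == 0 {
		return nil // "Connect to these servers" not set: any server under that root is accepted
	}
	for _, n := range allowedNames {
		if server.VerifyHostname(n) == nil {
			return nil
		}
	}
	return fmt.Errorf("%q is not one of the configured servers", server.Subject.CommonName)
}
func main() {
	corpRoot, rootKey := issue("Constructed Corp Root CA", nil, nil) // constructed PKI, not ISE data
	psn, _ := issue("psn1.example.com", corpRoot, rootKey)
	fmt.Println("accepted:", SupplicantCheck(psn, corpRoot, []string{"psn1.example.com"}) == nil)
}
```

A certificate whose serial is on the CA's CRL passes SupplicantCheck unchanged, which is exactly the gap the replies above describe.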

Yeah, but that would also require setting configs on the switch or WLC as well to point the endpoint to only those PSNs.

I get the gist of what the "verify" is doing now.  Thanks to both of you.