Solved: Re: Wied 802.1X Using Certificate

jmorton1 · ‎02-02-2024

We are looking to implement wired 802.1X, but we would like to use a certificate to authenticate so that users do not have to authenticate, especially on desktops shared by staff. We tried to implement this using PEAP with EAP-TLS for the inner tunnel s well as EAP-TLS and TEAP with EAP-TLS as the inner tunnel, but nothing we are doing seems to be working. I have attached a document that shows the 802.1X authentication settings that I tried to put in place on a windows 11 workstation, the log showing the failure in ISE, as well as the settings in ISE, as well as the switch configuration. Most of our switches are Catalyst 2960-X switches. Has anyone ever successfully rolled out something like this?

NOTE: I have omitted portions of the switch config to hide any proprietary information.

jmorton1 · ‎02-05-2024

Thank you! After reading over what you wrote, I was able to figure out what needed to be done, and I now have a working solution. Here is what I did:

In Group Policy Management, I went under Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Automatic Certificate Request Policies and set up a policy for the Computer certificate type. This automatically creates and enrolls a certificate signed by our Internal CA.
I uploaded the Root Certificate for our internal CA to the Trusted Certificates in ISE.
For the Authentication settings in windows, I selected Microsoft: Smart Card or other Certificate (EAP-TLS), Verify the Server's Identity checked, specified the server, and for the trusted root certificate authority, I selected the DigiCert signed certificate tied to EAP in ISE.

Now it is working.

View solution in original post

Aref Alsouqi · ‎02-03-2024

Why would you want to encapsulate EAP-TLS within PEAP? we usually use PEAP to protect EAP-MSCHAPv2 as the inner EAP type. I think you can simply change the supplicant settings on your machines to be EAP-TLS instead of PEAP and that will achieve the same result securely. To do so, please go to your supplicant and change the "Choose a network authentication method" to be "Microsoft Smart Card or other certificate", and then from the "Settings" tab apply the required settings similar to what you shared in the settings file.

jmorton1 · ‎02-03-2024

I have been basically trying anything that would work, so PEAP with inner EAP-TLS was just a combination I had tried, and it did not work. I also have tried just using TLS and then specifying the certificate to use and the server, as well as not specifying the certificate to use (and only specifying the server)

Aref Alsouqi · ‎02-04-2024

Please try not specifying the server and see if that works at least to trying to locate where the issue is. Also, did you try this with multiple endpoints or only one PC? another thing I would recommend would be updating the NIC drivers on the endpoints you are testing with as it could potentially cause issues similar to these.

jmorton1 · ‎02-05-2024

This has been observed n at least two different endpoints. I have tried without the server and hit an issue.

Arne Bier · ‎02-05-2024

Is your ISE EAP Cert really signed by Digicert?

Who/what is signing your PC computer certs?

I would start by simplifying things

- Use Certificate auth (not PEAP)

- don't put too many checks in there for the trusted CA, and the name of the ISE server. Add those checks in later once you have a working system

Whoever/whatever CA signed the PC client machine certs must be installed in ISE as a Trusted CA Certificate

jmorton1 · ‎02-05-2024

Yes, the ISE cert is definitely signed by DigiCert since we must submit a request to them each year for that purpose. That certificate is used for all purposed except for SAML (it makes us use something else).

As far as a computer certificate, the only thing I see is a self-signed certificate that I am guessing created itself when the PC was imaged?

Do we have to have every computer being issued a computer certificate by a certificate authority? If so, we do have an internal CA that could be set up to do this.

Arne Bier · ‎02-05-2024

The idea with EAP-TLS is that the server uses a cert to identify itself with clients (hence why clients must have a way to trust the ISE EAP Cert - ideally by having the CA Cert Chain installed on the client) - and also, ISE must trust the certs of the supplicants (and the best way to do this is to install the CA Cert Chain of the CA that signed the supplicants' certs - if they are self-signed then you have a scalability issue - each PC computer cert must be installed in ISE - that's not sensible - instead, use an internal CA (Microsoft CA) to create those certs. Microsoft Server with Group Policy is built for this purpose. PCs can be made to auto enrol when they join the domain. A job for the Windows Server folks.

Getting EAP-TLS working in an enterprise usually means testing this thing out with a single computer at first, and then developing the Group Policy to do this automatically. This includes enabling the Windows WiredAutoConfig service, configuring the Ethernet 802.1X supplicant correctly, and installing the Trusted CA Cert (if not exist in PC) that was used to sign the ISE EAP System cert.

jmorton1 · ‎02-05-2024

Thank you! After reading over what you wrote, I was able to figure out what needed to be done, and I now have a working solution. Here is what I did:

In Group Policy Management, I went under Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Automatic Certificate Request Policies and set up a policy for the Computer certificate type. This automatically creates and enrolls a certificate signed by our Internal CA.
I uploaded the Root Certificate for our internal CA to the Trusted Certificates in ISE.
For the Authentication settings in windows, I selected Microsoft: Smart Card or other Certificate (EAP-TLS), Verify the Server's Identity checked, specified the server, and for the trusted root certificate authority, I selected the DigiCert signed certificate tied to EAP in ISE.

Now it is working.