Wireless network profile via GPO for EAP-TLS with certificates

iran
Level 1

Hello,

I would like to ask for support in the following scenario.

I am using Cisco ISE to authenticate my wireless endpoints using EAP-TLS with USER certificates.
I configured a GPO for the Wireless network profile, and the endpoints are receiving the GPO. However, the clients are not connecting automatically; when I select the SSID manually it asks for a user/password or a certificate.
When I select the certificate manually I can connect successfully.

I would like to validate whether someone has already used a GPO to authenticate wireless laptops with a USER certificate for EAP-TLS.

My configurations:


Not 100% sure, but could it be because you have "Enable Single Sign On for this network" enabled? Could you please try to disable that option and see if it makes any difference?

Greg Gibbs
Cisco Employee

You have 'Verify the server's identity...' enabled, but it does not look like you have selected the Root CA to trust under 'Trusted Root Certificate Authorities' (I'm guessing ROOTCA01 is your root). You need to select your root CA(s) to trust.

You should also configure the Advanced settings on that page to define the criteria for certificate selection so the supplicant knows which user cert to present for 802.1x if there are multiple certificates in the user store.

 

Hello Greg,

Thank you so much for the quick reply.
Just one remark: I think the problem is in my GPO, because when I try to connect manually to the SSID, I am asked to enter a user/password or a certificate, and if I select the certificate I can authenticate successfully, and afterwards it always connects automatically.

Sorry in the previous image it was hidden, actually I have selected it. I have it listed twice, this is why I only selected one.


Regarding "Advanced settings", exactly where?
The config below was disabled by default; I enabled it just to troubleshoot and selected my Root CA and my SUB CA.


Here, in Advanced settings, I have:

Yes, that is the correct configuration for the Certificate Issuer. That instructs the supplicant to present the certificate signed by the selected CA for 802.1x (you should only have one user certificate that matches this condition, otherwise there could still be issues with the selection).

You should also disable the Single Sign On configuration, as previously suggested.

If you are still having issues, you will likely need to ensure that the GPO is getting pushed correctly to the endpoint and ensure the User certificate is showing correctly in the User's personal store.
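One way to check those three points from the affected user's own session, as an added example that is not part of this thread (run as the logged-on domain user; the SSID 'CORP-WIFI' and the issuing CA name 'SUBCA01' are placeholders to replace with your own values):

```powershell
# Added example (not from the thread): confirm the supplicant has what it needs
# for EAP-TLS with a user certificate. Placeholders: SSID and issuing CA name.
param(
    [string]$Ssid = 'CORP-WIFI',     # placeholder SSID
    [string]$IssuerName = 'SUBCA01'  # placeholder: CA selected under 'Certificate Issuer'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# 1. Was the wireless profile delivered by the GPO? GPO-delivered profiles are
#    listed under "Group policy profiles" in the netsh output.
$profileList = netsh wlan show profiles
if (($profileList | Out-String) -notmatch [regex]::Escape($Ssid)) {
    Write-Warning "No wireless profile for '$Ssid' found. Check 'gpresult /r /scope:user' and try 'gpupdate /force'."
} else {
    # Show the EAP settings the supplicant actually received.
    netsh wlan show profile name="$Ssid" | Select-String 'Authentication|EAP type|Cipher'
}

# 2. Which certificates in the user's personal store could the supplicant pick?
#    Needs a private key, must be valid now, and must carry the Client Auth EKU.
$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    $_.NotBefore -le (Get-Date) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
}

# 3. Narrow to the issuer chosen in the profile's 'Certificate Issuer' filter.
$matching = @($candidates | Where-Object { $_.Issuer -match "CN=$IssuerName" })

"Client-auth certificates in CurrentUser\My : $(@($candidates).Count)"
"Of those issued by '$IssuerName'          : $($matching.Count)"
$matching | Format-Table Subject, Issuer, NotAfter, Thumbprint -AutoSize

# The thread's advice: exactly one certificate should match the issuer filter.
if ($matching.Count -eq 0) {
    Write-Warning "No matching user certificate; check auto-enrollment for the user."
} elseif ($matching.Count -gt 1) {
    Write-Warning "Several matching certificates; the supplicant may pick the wrong one."
}
```

If step 1 reports the profile but step 3 reports zero or several certificates, the GPO is fine and the problem is on the certificate-selection side.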

Thank you so much.

I will try to do it.
Just a few questions.
1- In the Certificate Issuer configuration, should I select both (Root CA and Sub CA), or just the Sub CA?
2- Do you know exactly what the purpose of the Single Sign On configuration is? From what I have been investigating, this feature makes the system connect to the wireless network automatically after a user logs into Windows.

Thank you in advance