cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
493
Views
5
Helpful
5
Replies

Wireless network profile via GPO for EAP-TLS with certififcates

iran
Level 1
Level 1

Hello,

I would like to ask support in the following scnario.

I am using Cisco ISE to authentication my wireless endpoints using EAP-TLS with USER certificates.
I configured a GPO for the Wireless network profile, and the endpoints are receiving the GPO. However the clients are not connecting automatically, when I select the SSID manually it is requesting for User/Pass or certificate.
When I select the certificate manually I can connect successfully.

I would like to validate if someone have already used a GPO to authenticate wireless laptops with USER certifcate for EAP-TLS.

My configurations:

iran_0-1729118127074.pngiran_1-1729118141622.pngiran_2-1729118163396.pngiran_3-1729118210412.png

 






 

5 Replies 5

Not a 100% sure, but could it be because you have "Enable Single Sign On for this network" enabled? could you please try to disable that option and see if it makes any difference?

Greg Gibbs
Cisco Employee
Cisco Employee

You have 'Verify the server's identity...' enabled, but it does not look like you have selected the Root CA to trust under 'Trusted Root Certificate Authorities' (I'm guessing ROOTCA01 is your root). You need to select your root CA(s) to trust.

You should also configure the Advanced settings on that page to define the criteria for certificate selection so the supplicant knows which user cert to present for 802.1x if there are multiple certificates in the user store.

 

Hello Greg,

Thank you so much for the quick reply.
Just one remark, I think the problem is in my GPO, because when i try to connect manually to the SSID, I requested to insert user/pass or certificate and if I select the certificate I can authenticate successfully, and later always connect automatically.

Sorry in the previous image it was hidden, actually I have selected it. I have it listed twice, this is why I only selected one.

iran_0-1729200807316.png

Regarding "Advanced settings" exactly where?
This config below was disabled by default, I enabled just to troubleshoot and selected my Root CA and my SUB CA.

iran_1-1729201074464.png

Hera in advance settings I have:

iran_2-1729201198642.png

 

 




Yes, that is the correct configuration for the Certificate Issuer. That instructs the supplicant to present the certificate signed by the selected CA for 802.1x (you should only have one user certificate that matches this condition, otherwise there could still be issues with the selection).

You should also disable the Single Sign On configuration as previous suggested.

If you are still having issues, you will likely need to ensure that the GPO is getting pushed correctly to the endpoint and ensure the User certificate is showing correctly in the User's personal store.

Thank you so much.

I will try to do it.
Just few questions.
1- In the Certificate Issuer configurations, should I select both (Root CA and Sub CA), or just the Sub CA?
2- Do you know exactly what is the purpose of Single Sign On configuration, for what I have been investigating this feature is to force after a user logs into Windows, the system automatically connect to the wireless network.

Thank you in advance