Radius EAP-TLS user authentication not working

SecurityEng99
Level 1

Hello friends, I configured EAP-TLS on Cisco ISE using a trusted certificate for both User and Machine for a machine that is in the domain. The machine authentication works fine, but the user authentication didn't work and didn't send anything, because I don't see any log on the switch (with "debug radius authentication") and nothing in the ISE RADIUS logs. I tried to log out and log back in and also tried to restart the machine, but no luck. I'm using a physical Windows 10 (22H2) laptop. Not sure if this is an issue on Windows or I'm missing something.

FYI, the user authentication is working fine with PEAP (MS-CHAP-V2).

Please let me know if you have any suggestions or advice.

 

8 Replies

Marvin Rhoads
Hall of Fame

Two things to check:

1. How is the native supplicant configured? (Should be for "User or Computer Authentication" with single sign-on.)

2. Have you checked if Microsoft Credential Guard is configured? https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?tabs=intune#enable-credential-guard

Hello @Marvin Rhoads  

1- yes, I tried the Machine authentication and it works fine, but when I switch to User authentication it didn't work.

2- I enabled the "Microsoft Credential Guard" as mentioned in the documentation guide, but it is still not working.

I would say this is definitely a supplicant issue, but not sure about the root cause.

Credential Guard will cause the native supplicant to fail. It should be disabled unless you switch to certificate-based authentication.

I'm using the smartcard or certificate option. In the additional settings, I'm using User authentication.

SecurityEng99_0-1722887928128.png

 

If you are not seeing the authentication at all in ISE, then the supplicant must not be sending it.

Double check that your additional setting is using either a. User Authentication or b. User or Computer Authentication. Like this:

MarvinRhoads_0-1722935272283.png

 

PEAP MS-CHAP works.

EAP-TLS does not work.

That means the endpoint trusts the server cert, but the server does not trust the endpoint cert.

Check the CA of both certs. It must be issued from a different CA.

Then check the CA cert. In RADIUS, one CA cert is missing.

MHM

EAP-TLS for machine authentication works (cert-based).

EAP-TLS for user authentication is not working (cert-based).

User cert: check the CA issuer or sub in the RADIUS server.

MHM
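The checks suggested in this thread (Marvin's two points about the native supplicant's authentication mode and Credential Guard, and MHM's point about the user certificate's issuing CA not being trusted on the RADIUS server) can be run from the failing Windows 10 machine itself. The script below is an added example written for this page, not code from the original posters or from Cisco/Microsoft. It assumes the wired interface is named "Ethernet" and that the Wired AutoConfig service (dot3svc) is running so that a wired 802.1X profile exists; both are assumptions, not facts from the thread. Run it in an elevated PowerShell session while logged on as the domain user whose authentication fails.

```powershell
# Added example (not from the thread): Windows-side checks for an EAP-TLS
# user-authentication failure where nothing reaches the switch or ISE.
# Assumptions (not stated in the thread): wired interface named "Ethernet",
# dot3svc running, and an exported profile in the standard OneX/EapHostConfig XML.

# 1. Credential Guard state. Win32_DeviceGuard.SecurityServicesRunning holds
#    1 for Credential Guard and 2 for HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
"Credential Guard running: $([bool]($dg.SecurityServicesRunning -contains 1))"

# 2. Export the wired 802.1X profile and read the OneX authMode
#    (machine, user, machineOrUser, guest) and the EAP method type
#    (13 = EAP-TLS, 25 = PEAP). A profile set to 'machine' never starts
#    user authentication, which matches "nothing on the switch, nothing on ISE".
$exportDir = Join-Path $env:TEMP 'lanprofile'
New-Item -ItemType Directory -Force -Path $exportDir | Out-Null
netsh lan export profile folder="$exportDir" interface="Ethernet" | Out-Null
Get-ChildItem -Path $exportDir -Filter '*.xml' | ForEach-Object {
    [xml]$p = Get-Content -Path $_.FullName
    $ns = New-Object System.Xml.XmlNamespaceManager($p.NameTable)
    $ns.AddNamespace('onex', 'http://www.microsoft.com/networking/OneX/v1')
    $ns.AddNamespace('eap',  'http://www.microsoft.com/provisioning/EapCommon')
    $authNode = $p.SelectSingleNode('//onex:authMode', $ns)
    $typeNode = $p.SelectSingleNode('//eap:Type', $ns)
    $authMode = if ($authNode) { $authNode.InnerText } else { '(not found)' }
    $eapType  = if ($typeNode) { $typeNode.InnerText } else { '(not found)' }
    "$($_.Name): authMode=$authMode eapType=$eapType"
}

# 3. Is there a user certificate the supplicant can actually use? It needs a
#    private key and the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
#    With no such certificate, EAP-TLS user auth never starts.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$userCerts = Get-ChildItem -Path 'Cert:\CurrentUser\My' | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
}
if (-not $userCerts) {
    'No user certificate with a private key and Client Authentication EKU in CurrentUser\My.'
}

# 4. For each candidate, build the chain Windows would present and print every
#    issuer. Each CA in this chain (root and any intermediate) must be in
#    ISE > Administration > System > Certificates > Trusted Certificates
#    with "Trust for client authentication" enabled, or ISE rejects the cert.
foreach ($c in $userCerts) {
    "User cert: Subject=$($c.Subject) Issuer=$($c.Issuer) NotAfter=$($c.NotAfter) Thumbprint=$($c.Thumbprint)"
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust check only; revocation is ISE's job
    $null = $chain.Build($c)
    $chain.ChainElements | ForEach-Object { "  chain element: $($_.Certificate.Subject)" }
    $status = if ($chain.ChainStatus) { ($chain.ChainStatus.Status -join ', ') } else { 'OK' }
    "  local chain status: $status"
}

# 5. Same view for the machine certificate that already works, so the two
#    issuer chains can be compared side by side (MHM's "different CA" point).
Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid) } |
    ForEach-Object { "Machine cert: Subject=$($_.Subject) Issuer=$($_.Issuer)" }
```

If step 2 shows authMode=machine, the supplicant is doing exactly what it was told and the fix is on the client profile, not on ISE. If step 3 prints no certificate, the problem is enrollment (autoenrollment, template permissions, or a certificate without a private key), and again ISE will never see a request. Only if the user certificate exists and its issuer differs from the machine certificate's issuer does MHM's explanation apply: the RADIUS logs on ISE will then usually show the attempt with a certificate-chain failure rather than nothing at all, so a completely silent ISE still points back at the client.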
