08-01-2024 07:11 AM - edited 08-01-2024 07:12 AM
Hello friends, I configured EAP-TLS on Cisco ISE using a trusted certificate for both User and Machine for a machine that is in the domain. The machine authentication works fine, but the user authentication didn't work and didn't send anything, because I don't see any log on the switch (with "debug radius authentication") and nothing in the ISE RADIUS logs. I tried to log out and log back in and also tried to restart the machine, but no luck. I'm using a physical Windows 10 (22H2) laptop. Not sure if this is an issue on Windows or if I'm missing something.
FYI, the user authentication is working fine with PEAP (MS-CHAP-v2).
Please let me know if you have any suggestions or advice.
08-01-2024 07:33 PM
Two things to check:
1. How is the native supplicant configured? (Should be for "User or Computer Authentication" with single sign-on.)
2. Have you checked if Microsoft Credential Guard is configured? https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?tabs=intune#enable-credential-guard
08-05-2024 06:42 AM
Hello @Marvin Rhoads
1. Yes, I tried Machine authentication and it works fine, but when I switch to User authentication it doesn't work.
2. I enabled "Microsoft Credential Guard" as mentioned in the documentation guide, but it is still not working.
I would say this is definitely a supplicant issue, but not sure about the root cause.
08-05-2024 12:50 PM
Credential Guard will cause the native supplicant to fail. It should be disabled unless you switch to certificate-based authentication.
08-05-2024 12:59 PM
I'm using the smartcard or certificate option. In the additional settings, I'm using User authentication.
08-06-2024 02:08 AM
If you are not seeing the authentication at all in ISE, then the supplicant must not be sending it.
Double-check that your additional setting is using either a. User Authentication or b. User or Computer Authentication. Like this:
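The two checks in the replies above (the supplicant's authentication mode and whether Credential Guard is running) can be read from the host directly. The following PowerShell is an added example, not code from the thread or from Cisco: it exports the wired 802.1X profile with netsh, parses the OneX authMode and EAP method from the profile XML (element names as they appear in exported LAN profiles), and queries the Win32_DeviceGuard class that Microsoft documents for Credential Guard status. The interface name "Ethernet" and the export folder are assumptions; the sample profile at the end is constructed so the parser can be exercised offline.

```powershell
# Added example (not from the thread): audit the Windows native supplicant
# settings discussed above. Interface name and export folder are assumptions.

function Get-OneXSettings {
    param([Parameter(Mandatory)][string]$ProfileXml)

    [xml]$doc = $ProfileXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('onex', 'http://www.microsoft.com/networking/OneX/v1')
    $ns.AddNamespace('eap',  'http://www.microsoft.com/provisioning/EapHostConfig')
    $ns.AddNamespace('eapc', 'http://www.microsoft.com/provisioning/EapCommon')

    $onex = $doc.SelectSingleNode('//onex:OneX', $ns)
    if ($null -eq $onex) { throw 'Profile has no 802.1X (OneX) section' }

    # authMode is "machine", "user" or "machineOrUser" in the OneX schema
    $modeNode = $onex.SelectSingleNode('onex:authMode', $ns)
    $typeNode = $onex.SelectSingleNode('.//eap:EapMethod/eapc:Type', $ns)

    # EAP method numbers from the IANA registry: 13 = EAP-TLS, 25 = PEAP
    $eapNames = @{ '13' = 'EAP-TLS'; '25' = 'PEAP' }
    $type = if ($null -ne $typeNode) { $typeNode.InnerText } else { $null }

    [pscustomobject]@{
        AuthMode = if ($null -ne $modeNode) { $modeNode.InnerText } else { '(not set)' }
        EapType  = $type
        EapName  = if ($type -and $eapNames.ContainsKey($type)) { $eapNames[$type] } else { 'other' }
    }
}

function Test-CredentialGuardRunning {
    # Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is running
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    return [bool]($dg.SecurityServicesRunning -contains 1)
}

function Invoke-SupplicantAudit {
    param([string]$Interface = 'Ethernet',           # assumption: wired adapter name
          [string]$Folder = "$env:TEMP\lanprofile")  # assumption: scratch folder

    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    # netsh writes <Interface>.xml into the folder; run from an elevated shell
    netsh lan export profile folder="$Folder" interface="$Interface" | Out-Null
    $xmlPath = Join-Path $Folder "$Interface.xml"
    if (-not (Test-Path $xmlPath)) { throw "No wired profile exported for '$Interface'" }

    $s  = Get-OneXSettings -ProfileXml (Get-Content -Raw $xmlPath)
    $cg = Test-CredentialGuardRunning

    "authMode        : $($s.AuthMode)"
    "EAP method      : $($s.EapName) (type $($s.EapType))"
    "Credential Guard: $(if ($cg) { 'running' } else { 'not running' })"

    # Findings that map to the replies in this thread
    if ($s.AuthMode -eq 'machine') {
        'FINDING: authMode is "machine"; a user EAP-TLS authentication is never attempted.'
    }
    if ($s.EapName -ne 'EAP-TLS' -and $cg) {
        'FINDING: Credential Guard is running with a non-certificate EAP method; see the Credential Guard note above.'
    }
}

# Constructed sample profile (not exported from a real host) to exercise the parser offline
$sample = @'
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM><security>
    <OneXEnforced>false</OneXEnforced><OneXEnabled>true</OneXEnabled>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machine</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type></EapMethod>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</LANProfile>
'@
Get-OneXSettings -ProfileXml $sample | Format-List
```

On a real host, call Invoke-SupplicantAudit from an elevated prompt; the constructed sample parses to authMode "machine" with EAP-TLS, which is exactly the configuration in which the switch and ISE would see machine authentications but never a user one.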
08-05-2024 01:00 PM
PEAP MS-CHAP works.
EAP-TLS does not work.
That means the endpoint trusts the server cert, but the server does not trust the endpoint cert.
Check the CA of both certs. They must be issued from different CAs.
Then check the CA cert. In RADIUS, one CA cert is missing.
MHM
08-05-2024 01:05 PM
EAP-TLS for Machine authentication works (Cert-based)
EAP-TLS for User authentication is not working (Cert-based)
08-05-2024 01:25 PM
User cert: check the CA issuer or sub in the RADIUS server.
MHM