ISE and GPO Certificates

garmoz
Level 1
Hi,

The customer's site implemented Cisco Identity Services Engine, Release 2.3.2.
We are using GPO in order to use Wired-DOT1X.
Each computer enrolls a certificate from the Microsoft CA server and uses PEAP-EAP-TLS to authenticate the machine and the user.

We have an issue with some workstations (Windows 7) in our domain: some machines use MSCHAPv2 instead of PEAP-EAP-TLS, although they receive the correct GPO,

and if we run "gpupdate /force" it will work again, but it will change back after a while.

Why would the workstations lose their definitions?

How can we resolve that?

Thanks a lot!

8 Replies

agrissimanis
Level 1

Have a look at this post. It is a list of 802.1X related hot-fixes for Windows. One of the hot-fixes is supposed to resolve behavior similar to what you are seeing.

I have seen the same issue happen for machine authentications at boot, when Windows attempts to use PEAP for auth first and then immediately retries with EAP-TLS. I never really put much effort in trying to fix the problem because the actual impact in our case was just cosmetic, that is ISE auth logs contain some failed PEAP auth entries, immediately followed by successful EAP-TLS ones.

Your scenario might be different though - exactly when do you see the failures, and is it only for machine auth or for user auth as well?

We have installed the related patches.

We see the issue happens when the user performs a login: it uses MSCHAP instead of TLS.

I guess it does not happen if you manually configure EAP-TLS on the client, without group policy?

Try moving a test client to a new OU, isolated from other policies. Then configure 802.1X settings in a new, separate policy and see if the issue happens again.

We tried to isolate a specific machine with those policies only, with no success. When we run "gpupdate /force" the machine communicates fine with the right encryption, but after a while it loses that and goes back to MSCHAPv2... Thanks,

How is the supplicant configured? Can you post screenshots of each window?

Attaching the related policy definitions.

Thanks,

ajc
Level 7

Have you checked if the profile is actually deployed onto the Win 7 devices, at least? I have tested this before, and even though I do have the certificate properly installed on the laptop, if I remove the profile then it always tries PEAP. So once I manually configure that profile (which was originally pushed using GPO) back onto the laptop, everything works as expected, BUT the profile has to indicate something like the following. It is important to mention that EAP-TLS is a 2-way authentication using certs, so VALIDATE SERVER CERTIFICATE is a must.

PROFILE: [screenshots PROFILE1.png, PROFILE2.png, PROFILE3.png]

Hi,
There is a Wireless profile configured with GPO; the settings are attached to the post above.

Thanks,
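As an added check to accompany this thread (example code, not from the posts or from Cisco), a PowerShell function that parses the wired 802.1X profile state as `netsh lan show profiles` reports it and flags interfaces that are not running the Group Policy EAP-TLS profile, which is the fallback to PEAP/MSCHAPv2 described above. The netsh field labels it matches on and the sample output are assumptions, not taken from the thread.

```powershell
# Added example, not from the thread. Parses "netsh lan show profiles" and flags
# interfaces whose applied wired profile is not the GPO-pushed EAP-TLS one.
# Labels "Profile on interface", "Applied:" and "EAP type:" are assumed from
# typical netsh output; confirm them against a client before relying on this.
function Get-WiredDot1xStatus {
    param([string[]]$NetshOutput = (netsh lan show profiles))  # live by default
    $profiles = @(); $cur = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^Profile on interface (.+)$') {
            if ($cur) { $profiles += $cur }
            $cur = [ordered]@{ Interface = $Matches[1].Trim(); Applied = ''; EapType = '' }
        }
        elseif ($cur -and $line -match '^\s*Applied:\s*(.+)$')  { $cur.Applied = $Matches[1].Trim() }
        elseif ($cur -and $line -match '^\s*EAP type:\s*(.+)$') { $cur.EapType = $Matches[1].Trim() }
    }
    if ($cur) { $profiles += $cur }
    foreach ($p in $profiles) {
        # Healthy state in this thread: a Group Policy profile using EAP-TLS, which
        # netsh reports as "Smart Card or other certificate". PEAP means the client
        # has fallen back to the behaviour the original poster describes.
        $ok = ($p.Applied -like 'Group Policy*') -and ($p.EapType -like 'Smart Card*')
        $status = if ($ok) { 'OK' } else { 'CHECK: not GPO EAP-TLS' }
        [pscustomobject]@{
            Interface = $p.Interface; Applied = $p.Applied; EapType = $p.EapType; Status = $status
        }
    }
}

# Constructed sample output (abbreviated) so the check can be tried offline;
# drop -NetshOutput to inspect the local machine instead.
$sample = @'
Profile on interface Ethernet
=======================================================================
Applied: Group Policy Profile
802.1x: Enabled
EAP type: Smart Card or other certificate

Profile on interface Ethernet 2
=======================================================================
Applied: User Profile
802.1x: Enabled
EAP type: Microsoft: Protected EAP (PEAP)
'@ -split "`r?`n"

Get-WiredDot1xStatus -NetshOutput $sample | Format-Table -AutoSize
```

Run it on an affected Windows 7 client right after `gpupdate /force` and again once the fallback has occurred; a change in the Applied or EapType column shows whether the GPO profile itself is being replaced or only its EAP method is changing.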
