Beginner

ISE and GPO Certificates

 

Hi,

The customer's site implemented Cisco Identity Services Engine, Release 2.3.2.
We are using GPO in order to use Wired-DOT1X.
Each computer enrolls the certificate from the Microsoft CA server and uses PEAP-EAP-TLS to authenticate machine and user.

We have an issue with some workstations (Windows 7) in our domain: some machines use MSCHAPv2 instead of PEAP-EAP-TLS, although they receive the correct GPO,

and if we run "gpupdate /force" it will work again, but it will change after a while.

Why would the workstations lose their definitions?

How can we resolve that?

 

thanks a lot!

 

 

8 REPLIES
Beginner

Re: ISE and GPO Certificates

Have a look at this post. It is a list of 802.1X related hot-fixes for Windows. One of the hot-fixes is supposed to resolve behavior similar to what you are seeing.

I have seen the same issue happen for machine authentications at boot, when Windows attempts to use PEAP for auth first and then immediately retries with EAP-TLS. I never really put much effort in trying to fix the problem because the actual impact in our case was just cosmetic, that is ISE auth logs contain some failed PEAP auth entries, immediately followed by successful EAP-TLS ones.

Your scenario might be different though - exactly when do you see the failures, and is it only for machine auth or for user auth as well?

Beginner

Re: ISE and GPO Certificates

We have installed the related patches.

We see the issue happen when the user performs a login; it uses MSCHAP instead of TLS.

Beginner

Re: ISE and GPO Certificates

I guess it does not happen if you manually configure EAP-TLS on the client, without group policy?

Try moving a test client to a new OU, isolated from other policies. Then configure 802.1X settings in a new, separate policy and see if the issue happens again

Beginner

Re: ISE and GPO Certificates

We tried to isolate a specific machine with those policies only, with no success. When we run "gpupdate /force" the machine will communicate fine with the right encryption, but after a while it will lose that and communicate back with MSCHAPv2... thanks,
Cisco Employee

Re: ISE and GPO Certificates

How is the supplicant configured? Can you post screenshots of each window?

Beginner

Re: ISE and GPO Certificates

attaching related policies definitions.

 

thanks,

ajc, Frequent Contributor

Re: ISE and GPO Certificates

Have you checked whether the profile is actually deployed to the Win 7 devices? I have tested this before, and even though I do have the certificate properly installed on the laptop, if I remove the profile then it always tries PEAP. So once I manually configure that profile (which was originally pushed using GPO) back on the laptop, everything works as expected, BUT the profile has to indicate something like the following. It is important to mention that EAP-TLS is a two-way authentication using certs, so VALIDATE SERVER CERTIFICATE is a must.

 

PROFILE:

 

[Screenshots attached: PROFILE1.png, PROFILE2.png, PROFILE3.png]
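As an added diagnostic, not part of this thread and not Cisco or Microsoft tooling, the following PowerShell script performs the checks ajc describes on a Windows client: whether a wired 802.1X profile is actually present on the interface, which EAP methods it carries, whether it contains a server validation block, and whether a machine certificate with the Client Authentication EKU and a private key exists in the computer store. The interface name, the export folder and the closing `gpresult` step are assumptions to adjust per client; the EAP method numbers (13 = EAP-TLS, 25 = PEAP, 26 = EAP-MSCHAPv2) are the IANA assignments that Windows writes into the exported profile XML. Note that `netsh lan` inspects the wired supplicant only; a wireless profile is a separate object under `netsh wlan` and does not configure wired 802.1X.

```powershell
# Added diagnostic script (not from the thread, not Cisco/Microsoft tooling).
# Dumps the wired 802.1X profile Windows currently holds for an interface and
# checks it for the points raised above: EAP-TLS present, no MSCHAPv2 inner
# method, server certificate validation configured, usable machine certificate.
# Run from an elevated PowerShell prompt on the affected workstation.
param(
    # Assumption: the name of the wired NIC on the client (Windows 7 default)
    [string]$Interface = "Local Area Connection",
    # Assumption: scratch folder for the exported profile XML
    [string]$ExportDir = (Join-Path $env:TEMP "lanprofile")
)

# IANA EAP method numbers as written into the exported profile XML
$EapNames = @{ 13 = "EAP-TLS"; 25 = "PEAP"; 26 = "EAP-MSCHAPv2" }

# 1. Wired AutoConfig (dot3svc) is the wired supplicant service; if it is not
#    running, a GPO-pushed profile is never applied to the interface.
$svc = Get-Service -Name dot3svc
Write-Output "Wired AutoConfig (dot3svc): $($svc.Status)"

# 2. Export the profile(s) the supplicant currently holds for the interface.
#    netsh writes one XML file per profile into the folder.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
Remove-Item -Path (Join-Path $ExportDir "*.xml") -ErrorAction SilentlyContinue
netsh lan export profile folder="$ExportDir" interface="$Interface" | Out-Null
$files = @(Get-ChildItem -Path $ExportDir -Filter "*.xml")
if ($files.Count -eq 0) {
    Write-Output "No wired profile found on '$Interface': the GPO-pushed profile is not deployed here."
}

foreach ($f in $files) {
    [xml]$xml = Get-Content -Path $f.FullName
    # local-name() avoids binding each Microsoft provisioning namespace;
    # EapMethod/Type is the outer method, Eap/Type is an inner (PEAP) method.
    $types = @($xml.SelectNodes("//*[local-name()='Type']") |
        Where-Object { @("EapMethod", "Eap") -contains $_.ParentNode.LocalName })
    Write-Output "Profile file: $($f.Name)"
    $methods = @()
    foreach ($t in $types) {
        $n = [int]$t.InnerText
        $methods += $n
        $role = if ($t.ParentNode.LocalName -eq "EapMethod") { "outer" } else { "inner" }
        Write-Output ("  {0} EAP method {1} ({2})" -f $role, $n, $EapNames[$n])
    }
    # ServerValidation carries the trusted root CA / server name settings;
    # PerformServerValidation (present in newer schema versions) is the on/off switch.
    $serverValidation = $xml.SelectNodes("//*[local-name()='ServerValidation']")
    $perform = @($xml.SelectNodes("//*[local-name()='PerformServerValidation']") |
        ForEach-Object { $_.InnerText.ToLower() })
    if ($methods -notcontains 13) {
        Write-Output "  WARNING: no EAP-TLS method in this profile"
    }
    if ($methods -contains 26) {
        Write-Output "  WARNING: EAP-MSCHAPv2 is configured as an inner method"
    }
    if ($serverValidation.Count -eq 0) {
        Write-Output "  WARNING: no ServerValidation block; the RADIUS server certificate is not checked"
    }
    if ($perform -contains "false") {
        Write-Output "  WARNING: PerformServerValidation is false"
    }
}

# 3. EAP-TLS needs a machine certificate with the Client Authentication EKU
#    and a private key in the computer store; without one the supplicant
#    cannot offer TLS at all.
$clientAuthOid = "1.3.6.1.5.5.7.3.2"
$machineCerts = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    (@($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $clientAuthOid)
})
Write-Output "Machine certificates usable for EAP-TLS: $($machineCerts.Count)"
foreach ($c in $machineCerts) {
    Write-Output ("  {0}  issued by {1}  expires {2}" -f $c.Subject, $c.Issuer, $c.NotAfter)
}

# 4. Confirm the 802.1X GPO is among the computer policies applied to this host
#    (the GPO display name in the output is site-specific).
gpresult /scope computer /r
```

Run it on an affected workstation once right after `gpupdate /force` and again after the client has fallen back to MSCHAPv2, and compare the two outputs: if the exported profile itself changed between the runs, the problem is in policy application; if the profile stayed at EAP-TLS with server validation throughout, the fallback is happening in the supplicant or the certificate store rather than in GPO.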

 

 

 

Beginner

Re: ISE and GPO Certificates

Hi,
There is a wireless profile configured with GPO; the settings are attached in the post above.

thanks,