11-09-2020 11:37 AM - edited 07-05-2021 12:46 PM
Hello all.
Could you tell me more details about troubleshooting 802.1x authentication with a certificate?
My topology is:
Microsoft Windows Server with Radius Server <------> WLC 5520 Controller <------> AP access point <------>Client laptop.
The goal is to be able to authenticate the client laptop with a certificate using the 802.1x standard.
But the problem is with the GPO on the Microsoft server to force acceptance of 802.1x authentication with a certificate for only one client laptop machine.
But something is wrong.
From where I can start to troubleshoot?
I suspect WPA2 Enterprise with domain user name and password is working for 802.1x authentication, but how can I be sure that the certificate is used too?
The behavior now is to accept all machines in the domain with domain user name and password.
Someone with experience with this?
I will be happy to receive your comments and advice.
Thanks.
Best regards!
11-11-2020 06:30 AM
You don’t check that from the WLC, instead, check the NPS logs.
It seems you need to do dual auth (machine cert + user name/pass). This is not supported by NPS; it is supported by using Cisco ISE as the RADIUS server and AnyConnect NAM as the client (NAM is supported only on Windows PCs). If you have that, you can use EAP chaining and ISE will auth the clients based on those two factors.
11-11-2020 12:24 PM
How is your Windows supplicant configured? Do you have User Auth, Machine Auth, or User/Machine Auth?
I am pretty sure you can get EAP-TLS working in NPS - the approach would be to first do it manually (not using GPO) and when you have the client device (supplicant) configuration correct, then translate that logic into GPO and push out.
Do you want to perform any additional lookups in AD on the NPS server (e.g. check if the user is a member of an AD Group), or just use the cert for authentication?
I am not an NPS guy (more of an ISE/Clearpass guy). You don't need EAP chaining to make this work - standard Windows supplicant is enough.
NPS is quite hard to troubleshoot - in my experience I had to go to the CLI, run some debug command to enable logging and then find some obscure log file with the output. The Windows Server Event Viewer only shows limited information.
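Since the question is how to confirm that the certificate, and not just the domain password, was used, here is an added example (not from any poster) that reads the "Authentication Details" section of NPS access-granted events and tells EAP-TLS apart from PEAP. The two event messages are constructed to mirror the layout of the Windows Security log text; the label names are an assumption about how NPS renders them.

```python
from typing import Dict, List

# Constructed sample: two NPS "granted access" event messages (Security log),
# trimmed to the fields relevant for telling EAP-TLS apart from PEAP.
SAMPLE_EVENTS = [
    """Network Policy Server granted access to a user.
Client Machine:
\tAccount Name:\t\tLAPTOP01$
\tFully Qualified Account Name:\tEXAMPLE\\LAPTOP01$
Network Policy Server:
\tNetwork Policy Name:\tWireless EAP-TLS
Authentication Details:
\tAuthentication Type:\tEAP
\tEAP Type:\t\tMicrosoft: Smart Card or other certificate
""",
    """Network Policy Server granted access to a user.
User:
\tAccount Name:\t\tjdoe
\tFully Qualified Account Name:\tEXAMPLE\\jdoe
Network Policy Server:
\tNetwork Policy Name:\tWireless PEAP
Authentication Details:
\tAuthentication Type:\tPEAP
\tEAP Type:\t\tMicrosoft: Secured password (EAP-MSCHAP v2)
""",
]

def parse_fields(message: str) -> Dict[str, str]:
    """Turn 'Label:<tabs>value' lines into a dict; section headers have no value and are skipped."""
    fields: Dict[str, str] = {}
    for line in message.splitlines():
        label, sep, value = line.strip().partition(":")  # split on the first colon only
        if sep and value.strip():
            fields[label.strip()] = value.strip()
    return fields

def used_certificate(fields: Dict[str, str]) -> bool:
    """EAP-TLS appears as outer type EAP with the 'Smart Card or other certificate' method."""
    return (fields.get("Authentication Type") == "EAP"
            and "certificate" in fields.get("EAP Type", "").lower())

def audit(messages: List[str]) -> List[Dict[str, str]]:
    """One row per event: who authenticated, under which policy, and by which method."""
    rows = []
    for msg in messages:
        f = parse_fields(msg)
        rows.append({"account": f.get("Fully Qualified Account Name", "?"),
                     "policy": f.get("Network Policy Name", "?"),
                     "method": "certificate" if used_certificate(f) else "password"})
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE_EVENTS):
        print(f"{row['account']:<22} {row['policy']:<18} {row['method']}")
```

Any row that reports "password" for a machine you expected to use EAP-TLS points at the supplicant profile or the matching network policy, not at the WLC.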
11-12-2020 06:30 AM
Hi Arne, is there a working scenario to check both the machine cert and any other check from AD without using ISE EAP chaining or MAR? I really doubt it. If I'm wrong, please let me know.
11-12-2020 12:47 AM - edited 11-12-2020 12:48 AM
Hello all, thank you for joining in the discussion.
I found this guide for Microsoft Server 2008:
https://networklessons.com/uncategorized/peap-and-eap-tls-on-server-2008-and-cisco-wlc/
Could you confirm that the logic is the same on the new WLC controllers and new MS servers as on the old WLC controllers and MS servers?
In the guide, the EAP+TLS is implemented manually.
I don't know how to automate the certificate enrolment on the client side.