Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1453
Views
0
Helpful
8
Replies

Wied 802.1X Using Certificate

Go to solution
jmorton1
Level 1
Level 1

‎02-02-2024 03:26 PM

We are looking to implement wired 802.1X, but we would like to use a certificate to authenticate so that users do not have to authenticate, especially on desktops shared by staff. We tried to implement this using PEAP with EAP-TLS for the inner tunnel s well as EAP-TLS and TEAP with EAP-TLS as the inner tunnel, but nothing we are doing seems to be working. I have attached a document that shows the 802.1X authentication settings that I tried to put in place on a windows 11 workstation, the log showing the failure in ISE, as well as the settings in ISE, as well as the switch configuration. Most of our switches are Catalyst 2960-X switches. Has anyone ever successfully rolled out something like this?

NOTE: I have omitted portions of the switch config to hide any proprietary information.

Preview file
500 KB
Preview file
1095 KB
Preview file
79 KB
Preview file
6 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jmorton1
Level 1
Level 1
In response to Arne Bier

‎02-05-2024 07:18 PM

Thank you! After reading over what you wrote, I was able to figure out what needed to be done, and I now have a working solution. Here is what I did:

  1. In Group Policy Management, I went under Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Automatic Certificate Request Policies and set up a policy for the Computer certificate type. This automatically creates and enrolls a certificate signed by our Internal CA.
  2. I uploaded the Root Certificate for our internal CA to the Trusted Certificates in ISE.
  3. For the Authentication settings in windows, I selected Microsoft: Smart Card or other Certificate (EAP-TLS), Verify the Server's Identity checked, specified the server, and for the trusted root certificate authority, I selected the DigiCert signed certificate tied to EAP in ISE.

Now it is working.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Aref Alsouqi
VIP
VIP

‎02-03-2024 09:27 AM

Why would you want to encapsulate EAP-TLS within PEAP? we usually use PEAP to protect EAP-MSCHAPv2 as the inner EAP type. I think you can simply change the supplicant settings on your machines to be EAP-TLS instead of PEAP and that will achieve the same result securely. To do so, please go to your supplicant and change the "Choose a network authentication method" to be "Microsoft Smart Card or other certificate", and then from the "Settings" tab apply the required settings similar to what you shared in the settings file.

0 Helpful

Go to solution
jmorton1
Level 1
Level 1
In response to Aref Alsouqi

‎02-03-2024 07:40 PM

I have been basically trying anything that would work, so PEAP with inner EAP-TLS was just a combination I had tried, and it did not work. I also have tried just using TLS and then specifying the certificate to use and the server, as well as not specifying the certificate to use (and only specifying the server)

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP
In response to jmorton1

‎02-04-2024 03:57 AM

Please try not specifying the server and see if that works at least to trying to locate where the issue is. Also, did you try this with multiple endpoints or only one PC? another thing I would recommend would be updating the NIC drivers on the endpoints you are testing with as it could potentially cause issues similar to these.

0 Helpful

Go to solution
jmorton1
Level 1
Level 1
In response to Aref Alsouqi

‎02-05-2024 12:11 PM

This has been observed n at least two different endpoints. I have tried without the server and hit an issue.

0 Helpful

Go to solution
Arne Bier
VIP
VIP

‎02-05-2024 12:00 PM

Is your ISE EAP Cert really signed by Digicert?  

Who/what is signing your PC computer certs?

I would start by simplifying things

- Use Certificate auth (not PEAP)

- don't put too many checks in there for the trusted CA, and the name of the ISE server. Add those checks in later once you have a working system

Whoever/whatever CA signed the PC client machine certs must be installed in ISE as a Trusted CA Certificate

0 Helpful

Go to solution
jmorton1
Level 1
Level 1
In response to Arne Bier

‎02-05-2024 12:10 PM

Yes, the ISE cert is definitely signed by DigiCert since we must submit a request to them each year for that purpose. That certificate is used for all purposed except for SAML (it makes us use something else).

As far as a computer certificate, the only thing I see is a self-signed certificate that I am guessing created itself when the PC was imaged?

Do we have to have every computer being issued a computer certificate by a certificate authority? If so, we do have an internal CA that could be set up to do this.

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to jmorton1

‎02-05-2024 01:35 PM

The idea with EAP-TLS is that the server uses a cert to identify itself with clients (hence why clients must have a way to trust the ISE EAP Cert - ideally by having the CA Cert Chain installed on the client) - and also, ISE must trust the certs of the supplicants (and the best way to do this is to install the CA Cert Chain of the CA that signed the supplicants' certs - if they are self-signed then you have a scalability issue - each PC computer cert must be installed in ISE - that's not sensible - instead, use an internal CA (Microsoft CA) to create those certs. Microsoft Server with Group Policy is built for this purpose. PCs can be made to auto enrol when they join the domain. A job for the Windows Server folks.

Getting EAP-TLS working in an enterprise usually means testing this thing out with a single computer at first, and then developing the Group Policy to do this automatically. This includes enabling the Windows WiredAutoConfig service, configuring the Ethernet 802.1X supplicant correctly, and installing the Trusted CA Cert (if not exist in PC) that was used to sign the ISE EAP System cert. 

0 Helpful

Go to solution
jmorton1
Level 1
Level 1
In response to Arne Bier

‎02-05-2024 07:18 PM

Thank you! After reading over what you wrote, I was able to figure out what needed to be done, and I now have a working solution. Here is what I did:

  1. In Group Policy Management, I went under Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Automatic Certificate Request Policies and set up a policy for the Computer certificate type. This automatically creates and enrolls a certificate signed by our Internal CA.
  2. I uploaded the Root Certificate for our internal CA to the Trusted Certificates in ISE.
  3. For the Authentication settings in windows, I selected Microsoft: Smart Card or other Certificate (EAP-TLS), Verify the Server's Identity checked, specified the server, and for the trusted root certificate authority, I selected the DigiCert signed certificate tied to EAP in ISE.

Now it is working.

0 Helpful
Customers Also Viewed These Support Documents