ISE 2.3 certificate authentication behavior

Ran into a scenario where users are being prompted in Windows to select a certificate for authentication (user/workstation). How can this behavior be prevented? Tried implementing authz policies matching group membership (user/computer) and also the certificate template (user/computer), but failed on the template matching. Tried both the name and the OID seen in the cert.

Accepted Solution

Arne Bier
VIP

This is a Windows supplicant configuration issue. If the Windows supplicant sees more than one client auth certificate, then it won't know which one to present to the AAA server; hence, the user is prompted.

I have not looked into this for a while, bit rusty on the subject. If you are doing computer auth, then configure your supplicant accordingly (and vice versa for user auth). This constrains the supplicant to look in that specific part of the cert store only. However, if the cert store contains multiple certs, then you might still get the prompts. In the past I used to delete any certs that were not required, and that got rid of that issue. There might be a smarter solution.

8 Replies

Machines logged out: identity should be authenticated based on the computer certificate.

User logs in: identity should be authenticated based on the user certificate.

Can't delete multiple certificates; they're in place for a reason. When machines are idle off hours they'd be blocked from network resources.

Agree on the supplicant issue but unsure how to address it. The dot1x wired policy in GPO:

Computer Settings - Policies - Windows Settings - Security Settings - Wired Network (IEEE 802.3) Policies

802.1X enabled

Smart card or certificate authentication method

Authentication mode: user or computer authentication

I'll test after setting "user authentication" and see what happens to the computer when logged out.

Unfortunately, I don't believe there is a way to resolve this via GPO in Windows 7 because the supplicant itself does not support any type of certificate matching.

The Windows 10 supplicant does now support some capability around certificate matching, so you can specify which certificate to use for 802.1x based upon the Root/Intermediate CA that signed the user cert.

For Windows 7, you would need to look into using a 3rd party supplicant that can do the cert matching for 802.1x. Some customers have evaluated the use of AnyConnect NAM to do this.

From the GPO wired dot1x settings, you can select certificate, then user & computer, user, or computer certificate for authentication. Unfortunately, selecting user would block the computer when logged out.

How about the first part of the original question? Tried using the "certificate template" attribute in the policy but failed. If the name of the template was "ISE User" in AD, I tried to apply that but failed. Also noticed the OID was included in the certificate itself; tried that as well but failed. Seems to be a legitimate way to differentiate between certificate types, but couldn't get it to work.

As Arne said, your issue is not related to certificate template matching.

If you are using MS Template name extension v2 (OID 1.3.6.1.4.1.311.21.7) instead of MS Template name extension v1 (OID 1.3.6.1.4.1.311.20.2), then that is addressed by CSCvc05016 in ISE 2.2 FCS and ISE 2.0 Patch 5.

Arne, was able to troubleshoot this further. Indeed a supplicant issue; very frustrating, unsure where to diagnose in Windows.

Client has 2 valid certificates in the store that could be used for client authentication. Supplicant is configured to trust the correct CA/sub-CA, simple certificate selection is enabled, and the correct issuers are selected, only allowing the CA/sub-CA used for identity. Still, some machines prompt the user to select which certificate they would like to use. Really banging my head against the desk on this one. Most Windows 10 workstations work as expected; most Windows 7 are prompting. Confirmed the wired dot1x settings are being pushed from GPO properly. Going to call Microsoft tomorrow for assistance debugging in the OS. Hoping to find a registry key that can be edited or isn't being modified properly.

Edit: the 2nd certificate cannot be deleted as a workaround.
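As an added diagnostic (not posted by anyone in this thread), the following PowerShell lists the certificates in the user and machine personal stores that a Windows supplicant could present for EAP-TLS (private key present plus Client Authentication EKU, or no EKU at all) and decodes the v1 and v2 Microsoft template extensions by the OIDs quoted above, so the "two eligible certs in one store" condition and the template name/OID can be confirmed before calling the vendor. The store paths and OIDs are standard; the function name is ours, and it assumes Windows PowerShell 3 or later on the affected workstation.

```powershell
# Added diagnostic: enumerate certificates a Windows supplicant could choose
# for 802.1X EAP-TLS and decode the Microsoft certificate-template extension.
$clientAuthEku = '1.3.6.1.5.5.7.3.2'     # id-kp-clientAuth
$templateV1    = '1.3.6.1.4.1.311.20.2'  # MS template name extension (v1)
$templateV2    = '1.3.6.1.4.1.311.21.7'  # MS certificate template extension (v2)

function Get-EapClientCert {
    param([string[]]$Stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
            $cert = $_
            $ekuExt = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                Select-Object -First 1
            $ekus = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
            # No EKU extension means "valid for any purpose", so the supplicant may pick it too.
            $eligible = $cert.HasPrivateKey -and ($ekus.Count -eq 0 -or $ekus -contains $clientAuthEku)
            if (-not $eligible) { return }   # acts as 'continue' inside ForEach-Object

            $v1 = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateV1 } | Select-Object -First 1
            $v2 = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateV2 } | Select-Object -First 1
            # Format() decodes the raw extension: v1 yields the template name,
            # v2 yields the template OID plus major/minor version numbers.
            $v1Text = if ($v1) { $v1.Format($false) } else { $null }
            $v2Text = if ($v2) { $v2.Format($false) } else { $null }

            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
                TemplateV1 = $v1Text
                TemplateV2 = $v2Text
            }
        }
    }
}

$certs = Get-EapClientCert
$certs | Format-Table Store, Subject, Issuer, NotAfter, TemplateV1, TemplateV2 -AutoSize

# More than one eligible certificate in the same store is the condition under
# which a supplicant without matching criteria has to ask the user.
$certs | Group-Object Store | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("{0}: {1} eligible client-auth certificates; the supplicant may prompt." -f $_.Name, $_.Count)
}
```

Run it in the context of the logged-on user for the CurrentUser store and elevated for the LocalMachine store; a cert whose TemplateV2 column is populated is the v2 case the CSCvc05016 note above refers to.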

I think the problem is that 'simple certificate selection' is not as robust an option as allowing certificate matching criteria to be specified (as in Windows 10 and some 3rd party supplicants).

I found the following TechNet article that discusses how 'simple certificate selection' works:

https://social.technet.microsoft.com/Forums/windows/en-US/5e56306a-d963-44df-9e3e-91b18b11c300/what-is-the-exact-criterion-for-use-simple-certificate-selection-recommended-checkbox-?forum=w7itpronetworking

It would be interesting to see if MS can provide additional options for the supplicant certificate selection in Win7, so please update this post after your call with them if you don't mind.

This wound up being fixed in a hotfix for Windows 7.

KB Article Number(s): 2710995

Language: All (Global)

Platform: x64

Location: (http://hotfixv4.microsoft.com/Windows%207/Windows%20Server2008%20R2%20SP1/sp2/Fix402830/7600/free/448118_intl_x64_zip.exe)