Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
507
Views
0
Helpful
3
Replies

ISE 2.1 - Ise default patch to search a machine/user certificate

redes_noc
Level 1
Level 1

‎09-18-2017 07:22 AM - edited ‎02-21-2020 10:34 AM

Dear all,

 

I have a ISE that uses authentication via certificate (AD) to autheticate the machines.
The problem is that we have some developers that use other "local certificates" and they are in the same folder as the ISE looks for the certificate and sometimes the machine stops to authenticate for that reason.

Question: Is it possible to do something, like changing the default folder that ISE looks for the certificate on the machine? Or any other way to have more than one certificate in "Certificates -> Personal" without one error in ISE?

 

 

Thanks!

Labels:
0 Helpful
3 Replies 3

Arne Bier
VIP
VIP

‎09-18-2017 05:42 PM

ISE doesn't search the certificate "folders" on the machine - it's determined by the client.  During EAP-TLS the supplicant (e.g. your Windows PC) will identify itself to ISE by presenting a X.509 certificate that is configured in the Windows supplicant config.  You can narrow this down by telling WIndows exactly which cert and from which store (machine/personal) you want to use.

0 Helpful

redes_noc
Level 1
Level 1
In response to Arne Bier

‎09-19-2017 06:29 AM

Ok, but then I have two certificates inside of "Certificates --> personal" the ISE sometimes accept the machine to entry in network and sometimes no. How can I resolve that?

 

For a limitation, the developer team need create some certificates inside this "certificate folder" in windows machine:

"Certificates --> personal"

And when they do this, ISE are confusing.

 

Could you help me? @Arne Bier

0 Helpful

Arne Bier
VIP
VIP
In response to redes_noc

‎09-21-2017 03:38 PM

I see.  This is something only the supplicant can influence.

Is there any attribute that uniquely distinguishes the two certs? e.g. different issuing CA, or some EKU values that are different.

If you're using Windows 7/8/10 then go to Network Authentication Method (Microsoft: Smart card or other certificate", click Settings, and you can uncheck the "Use simple certificate selection" checkbox in the 802.1x supplicant config.  And then click on Advanced button and select the Certificate Issuer cert and intermediate cert, and then any EKU (Extended Key Usage) attributes.  If you're lucky you might be able to make the selection such that WIndows always selects the correct one.

 

0 Helpful
Customers Also Viewed These Support Documents