We have certificate-based authentication through ISE.
The issue is: for clients who have a certificate installed, when they change their local Windows user account password, their certificate authentication fails afterwards and they cannot connect to the network using their certificate.
Then we have to reinstall their certificates. This means each time users change their Windows password, we also have to reinstall their certificates.
Any advice on why this is happening?
Certificate authentication and standard AD username/password are separate and should not affect one another. A few questions:
1. What happens to the certificate after the user changes the password? Is the certificate still present in the certificate store?
2. What is the error message that you see in ISE? Post screenshot(s) of the live authentication screen and the details page.
3. Post screenshots of your AAA policies in ISE (authentication and authorization).
Thank you for rating helpful posts!
Actually we are not using AD; the clients are in a workgroup environment.
And yes, the certificate is still present in the certificate store after the user changes his Windows password.
Actually we don't get any error message on ISE. While the users try to connect to the network, no message is displayed on the ISE authentication page at all. This means the client does not even send any auth messages to ISE once he changes his Windows account password.
CSRs are generated as client machine certificates and are signed by our own private Windows Server CA, and they are imported into the clients' local user and local machine certificate stores.
The certificates are used for wireless.
The NAD is the WLC, version 7.4.
Before I can provide more help I will also need:
1. What is the error message that you see in ISE? Post screenshot(s) of the live authentication screen and the details page.
2. Post screenshots of your AAA policies in ISE (authentication and authorization).
Hmm, ISE should still get a log whether or not the supplicant/client responds to the RADIUS challenge. So from what you are describing, the client is not even starting the EAPoL process.
So I have a few more questions:
1. How are CSRs generated, who signs them, and how are the certificates installed on the endpoints?
2. Is this for wireless or wired?
3. Please provide a screenshot of ISE's authentication and authorization policies.
4. What are the make, model and version of the NADs that you are using?
5. Confirm that you are trying to perform EAP-TLS based authentication.
Hi Jan, I am not that proficient with AD/workgroups, so can you explain how changing a user password can affect a user certificate?
I know this thread is from a long time ago, but I was wondering if anyone could offer any assistance. We recently installed Cisco ASA devices and we are having the same issue as this. We have installed user certs for client authentication, and most (but not every) time the user updates his Windows password we get a certificate validation error, and the user appears to lose access to his private key, although if I look on the security tab of the key the user is still the owner. The only way we can then get the client to connect again is to reinstall the cert and reboot the machine. The cert is in the user's personal store.
Has anyone else come across this kind of issue?
Thanks in advance
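An added diagnostic, not from any post in this thread, that separates the two things being discussed above: whether the certificate is still in the store (as reported earlier) and whether its private key can actually be used by the logged-on user (the "loses access to his private key" symptom). It lists the client-authentication certificates in the current user's and the machine's personal stores and attempts a signature with each private key. It assumes Windows PowerShell 5.1 or later and .NET Framework 4.6 or later (for `GetRSAPrivateKey`); the function name and the probe string are my own.

```powershell
# Added example, not from the thread: for each client-auth certificate, report whether
# the private key is present AND usable, so "cert in store" and "key works" are checked
# separately. Assumes Windows PowerShell 5.1+ and .NET 4.6+ (RSACertificateExtensions).
function Test-ClientAuthCertKeys {
    [CmdletBinding()]
    param(
        [string[]]$Store = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'                      # id-kp-clientAuth
    $probe = [System.Text.Encoding]::UTF8.GetBytes('key-usability probe')   # constructed input
    $hash  = [System.Security.Cryptography.HashAlgorithmName]::SHA256
    $pad   = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

    foreach ($path in $Store) {
        foreach ($cert in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
            # Keep certs that carry the clientAuth EKU, or that have no EKU at all (any purpose).
            $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object ObjectId)
            if ($ekus.Count -gt 0 -and $ekus -notcontains $clientAuthOid) { continue }

            $row = [pscustomobject]@{
                Store         = $path
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey   # metadata only: the store says a key is linked
                KeyUsable     = $false                # set true only if a real signature succeeds
                Error         = $null
            }

            if ($cert.HasPrivateKey) {
                try {
                    # Opening the key through CNG or the legacy CSP is the step that fails when the
                    # certificate is still listed but the key container cannot be accessed.
                    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                    if ($null -eq $rsa) { throw 'private key is not an RSA key' }
                    $sig = $rsa.SignData($probe, $hash, $pad)
                    $row.KeyUsable = $rsa.VerifyData($probe, $sig, $hash, $pad)
                } catch {
                    $row.Error = $_.Exception.Message
                }
            }
            $row
        }
    }
}

Test-ClientAuthCertKeys | Format-Table -AutoSize
```

Run it as the affected user once before and once after the password change and compare the rows: a certificate showing `HasPrivateKey` true but `KeyUsable` false, with the exception text in `Error`, is the case the thread describes, and it is the supplicant-side condition that explains why ISE never sees an authentication attempt. Rows from `Cert:\LocalMachine\My` need an elevated session, otherwise key errors there are expected and not a finding. Private keys in the CurrentUser store are protected with DPAPI tied to the user's logon credentials, so on a local (workgroup) account one thing to rule out is whether the password was reset by an administrator rather than changed by the user.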
It happens with those users having administrative rights on their Windows account profiles. Limited-account users may not face such issues when changing their Windows user passwords.
Hi, and thanks for getting back to me; it is much appreciated.
The users this is happening to are just standard domain users, not admins.
Can you clarify exactly what you mean by administrative rights within the user account profiles?
Sorry to be a pain.
I was getting the same issue with those users whose Windows account had administrative privileges and who were in a workgroup.
However, limited users do not face such issues even if they change their password.
I think our issue may be a bit different then, as none of the users who are having the issue have administrative rights. They are all just domain users; they reset the password, then on the next AnyConnect login they receive the error "certificate validation error".
Thanks for getting back to me though