Cisco Support Community

ISE certificate authentication stops working when changing Windows user account password

Hello

We have certificate-based authentication through ISE.

The issue is, for clients who have a certificate installed, when they change their local Windows user account password, their certificate authentication fails afterwards and they cannot connect to the network using their certificate.

Then we have to reinstall their certificates. This means each time users change their Windows password, we also have to reinstall their certificates.

Any advice on why this is happening?

14 REPLIES

Any instructions?

Cisco Employee

Certificate authentication

Certificate authentication and standard AD username/password are separate and should not be affecting one another. A few questions:

1. What happens to the certificate after the user changes the password? Is the certificate still present in the certificate store?

2. What is the error message that you see in ISE? Post screen shot(s) of the live authentication screen and the details page

3. Post screenshots of your AAA policies in ISE (authentication and authorization)

Thank you for rating helpful posts!

Actually we are not using AD; clients are in a workgroup environment.

And yes, the certificate is present in the certificate store after the user changes his Windows password.

Actually we don't get any error message on ISE. While the users try to connect to the network, no message displays on the ISE authentication page at all. It means the client does not even send any authentication messages to ISE as soon as he changes his Windows account password.

Are the certs machine certs? Are you installing the cert in the machine store in Windows?

Hello,

CSRs are generated as client-machine certificates and are signed by our own private CA (Windows Server). They are imported into the clients' Local User and Local Machine certificate stores.

The certificates are used for wireless.

NAD is the WLC, version 7.4.

 

Cisco Employee

Before I can provide more help I will also need:

1. What is the error message that you see in ISE? Post screen shot(s) of the live authentication screen and the details page

2. Post screenshots of your AAA policies in ISE (authentication and authorization)

Thank you for rating helpful posts!

Cisco Employee

Hmm, ISE should still get a log whether or not the supplicant/client responds to the RADIUS challenge. So from what you are describing, the client is not even starting the EAPoL process.

So I have a few more questions:

1. How are CSRs generated, who signs them and how are the certificates installed on the endpoints

2. Is this for wireless or wired

3. Please provide a screenshot of ISE's authentication and authorization policies

4. What is the make, model and version of the NADs that you are using

5. Confirm that you are trying to perform EAP-TLS based authentication

Thank you for rating helpful posts!

Sounds like you are using user certificates? Otherwise those two things should not be related at all.

Cisco Employee

Hi Jan, I am not that proficient with AD/workgroups, so can you explain how changing a user password can affect a user certificate?

Thank you for rating helpful posts!
U E
New Member

Hi

I know this thread is from a long time ago, but I was wondering if anyone could offer any assistance. We recently installed Cisco ASA devices and we are having the same issues as this. We have installed user certs for client authentication, and most (but not every) time the user updates his Windows password we get a certificate validation error and the user appears to lose access to his private key, although if I look on the security tab of the key the user is still the owner. The only way we can then get the client to connect again is to re-install the cert and reboot the machine. The cert is in the user personal store.

Has anyone else come across this kind of issue?

Thanks in advance

It happens with those users having administrative rights with their Windows account profiles. Limited account users may not face such issues when changing their Windows user passwords.

U E
New Member

Hi, and thanks for getting back to me, it is much appreciated.

The users this is happening to are just standard domain users, not admins.

Can you clarify exactly what you mean by administrative rights within the user account profiles?

Sorry to be a pain.

I was getting the same issue with those users whose Windows account had administrative privileges and who were in a workgroup.

However, limited users do not face such issues even if they change their password.

U E
New Member

I think our issue may be a bit different then, as none of the users who are having the issues have administrative rights. They are all just domain users; they reset the password, then on the next AnyConnect login they receive the error "certificate validation error".

Thanks for getting back to me though.
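The symptom described in this thread (certificate still present in the store, but the client never completes EAP-TLS, and the user appears to have lost access to the private key after a Windows password change) can be checked on the client before reinstalling anything. The script below is an added diagnostic, not code from anyone in the thread: it lists every Client Authentication certificate in the current user's Personal store and tries a test signature with its private key, so a certificate whose key can no longer be opened shows up as KeyUsable = False with the underlying error. It assumes RSA keys and Windows PowerShell 5.1 or later on a domain-joined or workgroup client.

```powershell
# Added diagnostic (not from the thread): find Client Authentication certs in
# Cert:\CurrentUser\My and test whether their private keys are still usable.
# Assumption: RSA keys. A key that cannot be opened is the cert EAP-TLS cannot
# use after the password change, even though the cert itself is still listed.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU: Client Authentication

$certs = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
}

if (-not $certs) {
    Write-Warning 'No Client Authentication certificates with a private key found in Cert:\CurrentUser\My'
}

$probe = [Text.Encoding]::UTF8.GetBytes('eap-tls private key probe')   # constructed test data

foreach ($cert in $certs) {
    $result = [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        KeyUsable  = $false
        Error      = $null
    }
    try {
        # Open the private key through CNG/CAPI; this is the step that fails when
        # the user's DPAPI-protected key material is no longer accessible.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $rsa) { throw 'No RSA private key handle returned (non-RSA key or key not accessible)' }

        $sig = $rsa.SignData($probe,
                             [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                             [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        # Verify with the public half so a silently wrong key is also caught.
        $result.KeyUsable = $rsa.VerifyData($probe, $sig,
                             [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                             [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    } catch {
        $result.Error = $_.Exception.Message
    }
    $result
}
```

Run it as the affected user (not elevated) right after the password change; a False row with an access or key-not-found error points at the private key rather than at ISE or the ASA, which is where the thread's reinstall-and-reboot workaround is acting.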
