ISE, Certificates and Caching Users

Hi all,

I am trying to implement EAP-FAST with MSCHAPv2 as inner method and so only the client connecting should have to validate the server certificate. This is succeding and failing very randomly it seems and I cannot help thinking that this might be because the client/server is caching something somewhere.

So do anyone of you know if:

-the windows machine is caching the ISE servers information anywhere?

-ISE is caching the endpoint information anywhere? I delete the EndPoints in the identity store just to make sure its removed, but it seems as ISE is still caching it somehow.

Current setup now: Using Cisco AnyConnect NAM v 4.2 with NAM Profile editor where I specified to validate the ISE certificate, and on the windows 7 machine itself I made sure that all certificates are deleted (except a VeriSign on as this is required for AnyConnect to work). The weird thing is that the EAP-FAST connection still comes up? WHY? It does not make sence! It is specified that the client needs to validate the ISE certificate before the connection is allowed.

I even had it the other way around - the ISE certificate and the RootCA certificate was locally installed on the WinClient but ISE keep saying that the client was rejecting the ISE's certificate and the connection was down - even though both the client and ISE cert thumbprint matched and all other validation methods passed. Ahh.. 

Comments

  • Are you doing machine authentication, user authentication, or both?

    In EAP-FAST you need a certificate on the server only for security reasons, if you want the PAC provisioning to be authenticated,which means on the client side you just need to import the CA certificate, not ISE certificate.

    It could be couple of problems: CA certificate was not imported in the proper store, it has to be in the Root store on client side, or you have a missconfiguration in the NAM profile, or other things.

    Post the error messages that you get on ISE, and also print-screens from the NAM profile configuration.

     

  • Sure, here are the pictures of the ISE error message and the NAM profile settings.

    image

     

    image

    image

    image

    image

     

    image

     

    image

    I remade the NAM profile and applied it, added the CA certificate in the user store Trusted Root Certificate Authority (physical store is registry), made sure that the CA Thumbprint on ISE matches that which has been installed on the Client. ...and it is still not working.

  • Assuming also ISE is configured for authenticated PAC provisioning, you sure that the CN of ISE certificate is 'ise.corp.com'? and something like 'ISE.corp.com' may cause problems. First, try to remove from NAM profile the 'certificate trusted server rule' of matching on the CN and see if it works.

  • Setting up PAC provisioning on ISE... mhmmm... Cannot say I have done that. I will read up.

    The CN of ISE, the username and password on the images provided are not correct. I am using a corporate test network, and I am not sure how happy management would be if I posted the real CN of any of the devices. 

    I updated the NAM profile to do exactly as before except validating the ISE certificate. Then the client was restarted and the authentication still fails with the same error message as before: "Client rejected the server certificate". 

  • Whatever you put on the client side to validate ISE's certificate, like ISE CN, has to match whatever ISE CN is in your test environment; after enrolling ISE in PKI, have you configured ISE to use that certificate for EAP, as this is an additional step; it will also not hurt to restart ISE. On ISE you just need to ensure that in the authentication profile it allows for authenticated PAC provisioning.

    Try this:

    1. use unathenticated PAC provisioning to see if it works, to exclude any other problems.

    2. move again to authenticated PAC provisioning, remote the CN rule to see if client just trusts the CA that issued certificate to ISE; ensure you save the XML file on the client as configuration.xml, restart the client, also look in the proper folder for this file and verify that what you have configured it was actually applied

    3. once step 2 works, add a rule to validate the certificate of ISE, but ensure the CN matches correctly; is ISE CN in the format of 'ise.corp.com', all smalls, or is it like "ISE.corp.com" or any other varation which uses capitals?

     

  • OK, I am using the default network access list which already specifies that authenticated PAC provisioning can be used. And the system cert is set to be used for EAP.

    1. How do you use unauthenticated PAC? Is this the "don't use PACs" in "Allowed protocols", uncheck the "Use PACs" in the NAM profiler, or something else?

    2. This is done, and for the XML file, I change the name of the profile every time I make a new one to be sure that the proper profile is loaded.   

    And now the strange part. The setup you asked me to make with removing the "client needs to trust the server cert" is now working. So I did as you requested in your last post, went for a run, had lunch, and now that I came back it is working. Looking at the RADIUS livelog it says that after almost exacly 30 minutes after I changed the profle, the client was able to connect. In this time period I had restarted the client, shut/no shut the interface on the authenticator, removed the endpoint entry in the ISE certificate store, and still it took 30 min before the machine was able to login. 

    3. Common Name is all lower letters. Do you know if I have to add the ISE certificate in the trusted root certificate authority store on the client, or should it be enough with the CA who signed the ISE cert? 

  • Solved it! 

    The certificate needs to be installed in the Local Machine physical store and not under registry physical store under the Trusted Root CA parent store.

    The reason for beleiving the ISE server was caching info was also solved. When authenticating to the ISE server, the ISE server will send its certificate which the client has to validate/not validate (depending on NAM profile). For some reason, the ISE server just stops sending this, and as the client has nothing to validate, it will not be able to either authenticate or be deauthenticated. This is why I still was able to be authenticated even though I had deleted EVERY certificate on the supplicant, restarted the supplicant, added a new networking profile that was faulty, and so on.  

    This was solved by using Event Viewer with the custom Cisco NAM view that gets configured when you install Cisco AnyConnet NAM. Here I could see that the supplicant was not able to find the ISE Certifiaces root CA even tohugh it was located in the Trusted Root CA store. And I could also veryfy that the ISE just stopped sending certificates when the supplicant tried to authenticate itself. Restarting the ISE server fixed the issue of ISE not sending its system certificate to the supplicant.

    Event viewer is awesome! 

Sign In or Register to comment.