Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TLS Windows Certificate Selection

  • 1.  EAP-TLS Windows Certificate Selection

    Posted Oct 09, 2014 10:53 AM

    This is not an Aruba specific question.  Is it possible to influence Windows to select a certain certificate if multiple user certs exist in the user cert store for EAP-TLS authentication?  In testing, I've found that when multiple certs exist, Windows will prompt the user to select a certificate during authentication.  Based on the certs available, the wrong cert could be selected, and the user would fail auth.  Based on the number of users and the fact that this will continue to happen as certs expire, it will be unacceptable to have these prompts.

     

    I have "Use simple certificate selection" enabled in Windows, but the issue still persists.  Any ways around this with GPO or registry tweaks?  If not, I may need to look at onboarding the devices instead, which I believe would solve my problem.  The only downside is that user certs won't automatically renew like with other PKI solutions.



  • 2.  RE: EAP-TLS Windows Certificate Selection

    EMPLOYEE
    Posted Oct 09, 2014 10:55 AM

    Mac OS X does this as well if you don't have a profile installed. It will give you a drop down box for the certificates. 

     

    I have not found a solution for this on BYOD devices.



  • 3.  RE: EAP-TLS Windows Certificate Selection

    Posted Oct 09, 2014 11:15 AM

    Well that stinks.  Thanks for the input, Tim.



  • 4.  RE: EAP-TLS Windows Certificate Selection

    Posted Oct 12, 2014 07:24 AM

    With HTTPS you can do something like CA advertising, so that only the certificates from that CA will be shown. Not sure if the same would work for RADIUS; I never tested this.

     

    Of course it doesn't help if you have several certs from the same CA.



  • 5.  RE: EAP-TLS Windows Certificate Selection

    Posted Jan 29, 2015 05:27 PM
    I'm having the same issue with a customer. They have certs for both Junos Pulse and CPPM Onboard, both issued to the user. After the Onboard process is completed, the user connects to the secure SSID and is prompted to choose a cert; however, Windows only displays one of the certs issued to the user, in this case the Junos cert. If we delete the Junos cert, the ClearPass cert becomes available for selection. Any ideas?


  • 6.  RE: EAP-TLS Windows Certificate Selection

    Posted Jan 31, 2015 08:20 AM

    Do they come from the same CA? Not sure how realistic it is to do this, but it is more a Microsoft than an Aruba or Juniper question. Have you any way to ask them via support or such?



  • 7.  RE: EAP-TLS Windows Certificate Selection

    Posted Jan 31, 2015 09:49 AM
    I'm a bit fuzzy on this one, but what if you check "use simple certificate selection" and only a single Trusted Root Certification Authority? Will it only present the client certificate from that trusted CA?


  • 8.  RE: EAP-TLS Windows Certificate Selection

    Posted May 27, 2016 07:14 AM

    I'm going to wake this thread up again. I'm facing this issue where users who have been installing iTunes have got a user authentication certificate issued to their user certificate store and are now prompted to choose a certificate on WLAN auth.

     

    I've noticed that in Windows 10 Microsoft have given you the ability to configure this "use simple selection" further by giving you the option to choose which issuer to choose, or even EKUs.

     

    However, we are mainly using Windows 7, so I need to find a way to promote my user certificate issued by my internal PKI somehow over this Apple certificate. Is there anything neat we can do on the Windows 7 WLAN profile? Windows registry? CA certificate template?

     

    Thankful for input,

    Chris



  • 9.  RE: EAP-TLS Windows Certificate Selection

    EMPLOYEE
    Posted May 27, 2016 07:17 AM

    I think your question deserves a new thread due to the iTunes component.  We need to know how your current situation relates to the past thread and how much of that to apply to your current situation.  It is probably better to start from scratch.



  • 10.  RE: EAP-TLS Windows Certificate Selection

    Posted Jun 06, 2016 10:51 AM

    Has a new thread been opened? We've been having the same issue for two weeks, but just with very new Windows 10 tablet devices.



  • 11.  RE: EAP-TLS Windows Certificate Selection

    EMPLOYEE
    Posted Jun 06, 2016 12:34 PM

    What is your specific issue?

     



  • 12.  RE: EAP-TLS Windows Certificate Selection

    Posted Jun 07, 2016 10:57 AM
    We were able to find the issue in the meantime. It was related to iTunes installing a cert which was used for client authentication to the wireless network. We disabled this cert from being used for client authentication, and now the access to wireless does not show any certificate prompt anymore.

    Thank you
    Alexander Rauch


  • 13.  RE: EAP-TLS Windows Certificate Selection

    Posted Jun 07, 2016 12:36 PM

    Hi NazgulSE!

     

    Was this a configuration in iTunes or on the certificate itself?

     

    Cheers,



  • 14.  RE: EAP-TLS Windows Certificate Selection

    Posted Jun 08, 2016 02:07 AM

    Hi,

    It was a configuration on the certificate itself. You just need to open the Certificate Store on your local computer and look under Personal Certificates. Opening the Properties of the certificate will let you configure the purpose of the certificate, where you just need to disable "Client Authentication". We had this issue just on Windows 10 machines, but also not on all of them. We're still trying to find the difference in configuration on group policies.


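Before disabling purposes one certificate at a time, as the post above describes, it helps to see every certificate Windows could offer for EAP-TLS and which issuer put it there. The script below is an added example, not something posted in this thread or shipped by Aruba or Microsoft. It assumes the Windows EAP-TLS supplicant chooses from the current user's Personal store (Cert:\CurrentUser\My) and treats a certificate as a candidate when it has a private key, is within its validity period, and either carries the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) or has no EKU extension at all (CryptoAPI treats a missing EKU as "any purpose"); $TrustedIssuer is an assumed placeholder for your own issuing CA's subject name.

```powershell
# Added example: list certificates in the user's Personal store that Windows
# could offer for EAP-TLS client authentication, and flag those not issued
# by our own PKI (e.g. the iTunes-installed certificate discussed above).
# Assumptions (not from the thread): candidate = private key present, time-valid,
# and Client Authentication EKU present or no EKU extension at all.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$TrustedIssuer = 'CN=Corp Issuing CA'   # assumption: replace with your issuing CA's subject

function Get-EapTlsCandidate {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

        # No EKU extension means "any purpose", so it is usable for client auth too.
        $clientAuth = if ($null -eq $ekuExt) { $true } else {
            $null -ne ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
        }
        $timeValid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            HasKey     = $cert.HasPrivateKey
            ClientAuth = $clientAuth
            Candidate  = $cert.HasPrivateKey -and $clientAuth -and $timeValid
            FromOurPki = $cert.Issuer -like "*$TrustedIssuer*"
        }
    }
}

$candidates = Get-EapTlsCandidate | Where-Object Candidate
$candidates | Format-Table Subject, Issuer, Thumbprint, NotAfter, FromOurPki -AutoSize

# More than one candidate is exactly the condition that makes Windows prompt the user.
if (($candidates | Measure-Object).Count -gt 1) {
    Write-Warning "Multiple EAP-TLS client-auth candidates found; expect a certificate prompt."
    $candidates | Where-Object { -not $_.FromOurPki } | ForEach-Object {
        Write-Warning "Foreign issuer '$($_.Issuer)' -> thumbprint $($_.Thumbprint); review its purposes in certmgr.msc"
    }
}
```

Two caveats. The script reads the EKU extension inside the certificate, not the per-store "purposes" override that certmgr.msc sets when you untick Client Authentication, so a certificate already neutralised that way still shows ClientAuth = True here; use the Thumbprint column to match it up. Also, that certmgr override lives in the local store entry only, so it has to be repeated on every machine where the foreign certificate appears, whereas filtering by issuer in the supplicant profile (the Windows 10 option mentioned earlier in the thread) can be pushed centrally.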

  • 15.  RE: EAP-TLS Windows Certificate Selection

    Posted Jun 08, 2016 02:15 AM

    Ok, thanks!

     

    The behaviour we saw on how the OS picked which certificate to authenticate with was very strange. It seemed to be the one most recently used. So if we started iTunes in a session and then rebooted we would see the authentication fail.

     

    Microsoft knows the issue and has addressed it in Windows 10 and in the GPOs of the latest versions. Check out this thread with an explanation and reference:

     

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/EAP-TLS-with-computer-cert-user-cert-issue/td-p/268007

     

    Cheers,