EAP-TLS Windows Certificate Selection

This is not an Aruba specific question.  Is it possible to influence Windows to select a certain certificate if multiple user certs exist in the user cert store for EAP-TLS authentication?  In testing, I've found that when multiple certs exist, Windows will prompt the user to select a certificate during authentication.  Based on the certs available, the wrong cert could be selected, and the user would fail auth.  Based on the number of users and the fact that this will continue to happen as certs expire, it will be unacceptable to have these prompts.

 

I have "Use simple certificate selection" enabled in Windows, but the issue still persists.  Any ways around this with GPO or registry tweaks?  If not, I may need to look at onboarding the devices instead, which I believe would solve my problem.  The only downside is that user certs won't automatically renew like with other PKI solutions.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Guru Elite

Re: EAP-TLS Windows Certificate Selection

Mac OS X does this as well if you don't have a profile installed. It will give you a drop down box for the certificates. 

 

I have not found a solution for this on BYOD devices.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: EAP-TLS Windows Certificate Selection

Well that stinks.  Thanks for the input, Tim.


Re: EAP-TLS Windows Certificate Selection

With HTTPS you can do something like a CA advertising, so that only the certificates from that CA will be shown. Not sure if the same would work for RADIUS; never tested this.

 

Of course it doesn't help if you have several certs from the same CA.

Regular Contributor I

Re: EAP-TLS Windows Certificate Selection

I'm having the same issue with a customer. They have certs for both Junos Pulse and CPPM Onboard - both issued to the user. After the Onboard process is completed, the user connects to the secure SSID and is prompted to choose a cert; however, Windows only displays one of the certs issued to the user, in this case the Junos cert. If we delete the Junos cert, the ClearPass cert becomes available for selection. Any ideas?
Regards,

Josh
___________
ACMP, ACCP

Re: EAP-TLS Windows Certificate Selection

Do they come from the same CA? Not sure how realistic it is to do this, but it is more a Microsoft than Aruba or Juniper question. Have you any way to ask them via support or such?

Re: EAP-TLS Windows Certificate Selection

I'm a bit fuzzy on this one, but what if you check "use simple certificate selection" and only a single Trusted Root Certification Authority? Will it only present the client certificate from that trusted CA?

Re: EAP-TLS Windows Certificate Selection

I'm going to wake this thread up again. I'm facing this issue where users who have been installing iTunes have got a user authentication certificate issued to their user certificate store and are now prompted to choose a certificate on WLAN auth.

 

I've noticed that in Windows 10 Microsoft has given you the ability to configure this "use simple selection" further by giving you the option to choose which issuer to choose or even EKUs.

 

However, we are mainly using Windows 7, so I need to find a way to promote my user certificate issued by my internal PKI somehow over this Apple certificate. Is there anything neat we can do on the Windows 7 WLAN profile? Windows registry? CA certificate template?

 

Thankful for input,

Chris

Christoffer Jacobsson | Aranya AB
Aruba: ACMX #537 ACCP | CWNP: CWNA CWDP CWSP CWAP
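
Added example, not part of any post in this thread: a PowerShell diagnostic that lists the certificates in the current user's Personal store that look usable for EAP-TLS client authentication, grouped by issuer, so you can see which certificates compete for selection on a given machine. The filter criteria (private key present, inside validity period, Client Authentication EKU or no EKU extension) are an assumption that approximates what Windows offers; they are not the exact selection logic of the Windows supplicant.

```powershell
# Added example: enumerate likely EAP-TLS candidates in Cert:\CurrentUser\My.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now = Get-Date

function Get-EkuOids($cert) {
    # Collect the EKU OIDs from the certificate's extensions (empty if none).
    $oids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oids += $oid.Value }
        }
    }
    return ,$oids
}

$candidates = @(foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
    $oids  = Get-EkuOids $cert
    # Assumption: a certificate without an EKU extension is usable for any purpose.
    $ekuOk = ($oids.Count -eq 0) -or ($oids -contains $clientAuthOid)
    $valid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
    if ($cert.HasPrivateKey -and $valid -and $ekuOk) {
        New-Object PSObject -Property @{
            Issuer     = $cert.Issuer
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    }
})

$candidates | Sort-Object Issuer, NotAfter |
    Format-Table Issuer, Subject, NotAfter, Thumbprint -AutoSize

# More than one candidate means the user can be prompted to choose.
if ($candidates.Count -gt 1) {
    $issuers = @($candidates | Group-Object Issuer)
    Write-Warning ("{0} candidate certificates from {1} issuer(s); a selection prompt is possible." -f `
        $candidates.Count, $issuers.Count)
    if ($issuers.Count -eq 1) {
        Write-Warning "All candidates share one issuer, so filtering by issuer alone cannot separate them."
    }
}
```

Run it in the affected user's session, since the store is per user. A single issuer with several candidates usually points at an old certificate that was renewed but not removed.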
Guru Elite

Re: EAP-TLS Windows Certificate Selection

I think your question deserves a new thread due to the iTunes component.  We need to know how your current situation relates to the past thread and how much of that to apply to your current situation.  It is probably better to start from scratch.



Colin Joseph
Aruba Customer Engineering

New Contributor

Re: EAP-TLS Windows Certificate Selection

Has a new thread been opened? We've been having the same issue for two weeks, but just with very new Windows 10 tablet devices.
