Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
EAP-TLS with computer cert + user cert issue

  • 1.  EAP-TLS with computer cert + user cert issue

    Posted May 27, 2016 08:11 AM

    Hi!

    Not a ClearPass issue, more of a client/PKI/GPO question :)

    I'm facing this issue where users who have been installing iTunes have had a user authentication certificate issued to their user certificate store and are now prompted to choose a certificate on WLAN auth.

    I've noticed that in Windows 10 Microsoft has given you the ability to configure this "use simple selection" further by giving you the option to choose which issuer to use or even EKUs.

    However, we are mainly using Windows 7, so I need to find a way to promote my user certificate issued by my internal PKI somehow over this Apple certificate. Is there anything neat we can do in the Windows 7 WLAN profile? Windows registry? CA certificate template?

    Cheers,



  • 2.  RE: EAP-TLS with computer cert + user cert issue



  • 3.  RE: EAP-TLS with computer cert + user cert issue

    Posted May 27, 2016 08:25 AM

    Yeah, the problem with the feature in Windows 7 is that you have no more options to configure it with. When it finds two certificates that have "user authentication" I can't seem to find a way to always make it choose the one from my internal PKI. Or am I missing a knob somewhere?

    Cheers,



  • 4.  RE: EAP-TLS with computer cert + user cert issue
    Best Answer

    Posted May 30, 2016 08:12 AM

    Ok, so it seems Windows 7 and earlier are suffering from this issue with "simple certificate selection" not being very smart. If more than one certificate for user authentication is present in the personal store of the computer or user certificate store you will run into issues. Windows doesn't know which certificate to use, and we've seen a behaviour that can only be explained by it choosing at random or prompting the user to choose.

    This is solved on an OS level from Windows 8 and up, where you can click "Advanced" beside the simple certificate selection part and configure more details on how Windows is to choose its client certificate. Among them is the option to choose that it should use the certificate from the internal PKI, which is exactly what we want and I bet many others want.

    On a GPO level your domain appears to need a domain functional level of 2012 to be able to configure this and push it to the clients.

    Reference:

    https://technet.microsoft.com/en-us/library/jj200227(v=ws.11).aspx

    Cheers,
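The ambiguity described in the original question and in the best answer (more than one certificate with the Client Authentication EKU in the user's Personal store, so Windows 7 simple certificate selection has nothing to prefer) can be checked on a client before touching the WLAN profile or GPO. The script below is an added example, not code from the thread or from HPE Aruba; it assumes the internal CA can be recognised by a substring of its issuer DN, and `$InternalIssuerPattern` is a placeholder you would replace with your own CA's name.

```powershell
# Added example (not from the thread): list every certificate in the current
# user's Personal store that Windows could offer for EAP-TLS user authentication,
# i.e. one that is valid, has a private key and carries the Client Authentication
# EKU (OID 1.3.6.1.5.5.7.3.2), then flag the case the thread describes, where more
# than one such certificate exists and Windows 7 cannot tell them apart.

$InternalIssuerPattern = 'CN=Contoso Issuing CA'   # placeholder: your internal PKI issuer DN
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-ClientAuthCertificate {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My'   # user store; use LocalMachine\My for computer certs
    )
    Get-ChildItem -Path $StorePath | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
    }
}

$candidates = @(Get-ClientAuthCertificate)

Write-Host ("Client Authentication certificates in CurrentUser\My: {0}" -f $candidates.Count)

# One row per candidate, with a flag showing whether it came from the internal PKI
$candidates | ForEach-Object {
    [PSCustomObject]@{
        Subject     = $_.Subject
        Issuer      = $_.Issuer
        Thumbprint  = $_.Thumbprint
        NotAfter    = $_.NotAfter
        InternalPKI = ($_.Issuer -like "*$InternalIssuerPattern*")
    }
} | Format-Table -AutoSize

# Two or more qualifying certificates is exactly the situation the thread describes:
# simple certificate selection on Windows 7 has no issuer or EKU filter to resolve it.
if ($candidates.Count -gt 1) {
    $foreign = $candidates | Where-Object { $_.Issuer -notlike "*$InternalIssuerPattern*" }
    Write-Warning ("{0} certificates qualify for EAP-TLS user authentication; " +
                   "Windows 7 simple certificate selection cannot prefer one. " +
                   "Issuers outside the internal PKI: {1}" -f
                   $candidates.Count, (($foreign | ForEach-Object { $_.Issuer }) -join '; '))
}
```

Run it in the affected user's session (the `Cert:\CurrentUser\My` store is per user). A warning naming a non-internal issuer, such as the one installed alongside iTunes, confirms the cause; on Windows 8 and later the fix is the issuer or EKU filter under the profile's advanced certificate selection, while on Windows 7 the only remedies are removing the extra certificate or keeping the Client Authentication EKU off certificates that should not be used for network access.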