
EAP-TLS with computer cert + user cert issue

Hi!

Not a ClearPass issue, more of a client/PKI/GPO question :)

I'm facing this issue where users who have been installing iTunes have got a user authentication certificate issued to their user certificate store and are now prompted to choose a certificate on WLAN auth.

I've noticed that in Windows 10 Microsoft have given you the ability to configure this "use simple selection" further by giving you the option to choose which issuer to choose or even EKUs.

However, we are mainly using Windows 7, so I need to find a way to promote my user certificate issued by my internal PKI somehow over this Apple certificate. Is there anything neat we can do on the Windows 7 WLAN profile? Windows registry? CA certificate template?

Cheers,

Christoffer Jacobsson | Aranya AB
Aruba: ACMX #537 ACCP | CWNP: CWNA CWDP CWSP

Re: EAP-TLS with computer cert + user cert issue

Windows 7 also has a "simple cert selection" option:  https://social.technet.microsoft.com/Forums/en-US/5e56306a-d963-44df-9e3e-91b18b11c300/what-is-the-exact-criterion-for-use-simple-certificate-selection-recommended-checkbox-?forum=w7itpronetworking



Colin Joseph
Aruba Customer Engineering

Re: EAP-TLS with computer cert + user cert issue

Yeah, the problem with the feature in Windows 7 is that you have no more options to configure it with. When it finds two certificates that have "user authentication" I can't seem to find a way to always make it choose the one from my internal PKI. Or am I missing a knob somewhere?

Cheers,

Christoffer Jacobsson | Aranya AB
Aruba: ACMX #537 ACCP | CWNP: CWNA CWDP CWSP

Re: EAP-TLS with computer cert + user cert issue

Ok, so it seems Windows 7 and earlier are suffering from this issue with "simple certificate selection" not being very smart. If more than one certificate for user authentication is present in the personal store of the computer or user certificate store you will run into issues. Windows doesn't know which certificate to use, and we've seen a behaviour that can only be explained by it choosing at random or prompting the user to choose.

This is solved on an OS level from Windows 8 and up, where you can click "advanced" beside the simple certificate selection part and configure more details on how Windows is to choose its client certificate. Among them is the option to choose that it should use the certificate from the internal PKI, which is exactly what we want and I bet many others want.

On a GPO level your domain appears to need a domain functional level of 2012 to be able to configure this and push it to the clients.

Reference:

https://technet.microsoft.com/en-us/library/jj200227(v=ws.11).aspx

Cheers,

Christoffer Jacobsson | Aranya AB
Aruba: ACMX #537 ACCP | CWNP: CWNA CWDP CWSP
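The failure mode described in this thread (more than one Client Authentication certificate in a Personal store, so Windows 7's simple selection picks one unpredictably or prompts) is easy to confirm on an affected client before deciding how to fix it. The script below is an added example, not code from the thread or from any Aruba or Microsoft documentation. It enumerates the user and computer Personal stores, keeps certificates that are unexpired, have a private key and carry the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2), and flags the ambiguous case together with any certificate whose issuer is not the internal PKI. The issuer DN in `$trustedIssuer` is a placeholder you must replace with your own CA's issuer name; it only uses .NET X509 types, so it also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the thread): find Client Authentication certificates that
# compete for EAP-TLS selection and report the ones not issued by the internal PKI.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'          # id-kp-clientAuth EKU (standard OID)
$trustedIssuer = 'CN=Example Internal CA'     # PLACEHOLDER: replace with your PKI's issuer DN

function Get-ClientAuthCertificates {
    param([string]$StorePath)

    Get-ChildItem -Path $StorePath | Where-Object {
        $cert = $_
        # A certificate with no EKU extension is valid for any purpose, so it also
        # counts as a client-auth candidate (EAP-TLS selection treats it that way).
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $hasClientAuth = $true
        if ($ekuExt) {
            $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
        }
        $cert.HasPrivateKey -and ($cert.NotAfter -gt (Get-Date)) -and $hasClientAuth
    }
}

function Test-CertificateAmbiguity {
    param([string]$StorePath)

    # @() keeps .Count working on PowerShell 2.0 when exactly one object is returned
    $certs = @(Get-ClientAuthCertificates -StorePath $StorePath)
    Write-Host ("{0}: {1} client-auth certificate(s)" -f $StorePath, $certs.Count)
    $certs | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize

    if ($certs.Count -gt 1) {
        $foreign = @($certs | Where-Object { $_.Issuer -ne $trustedIssuer })
        Write-Warning ("{0}: {1} candidates, simple certificate selection is ambiguous here" -f $StorePath, $certs.Count)
        foreach ($c in $foreign) {
            Write-Warning ("  not from internal PKI: {0} (issuer: {1})" -f $c.Subject, $c.Issuer)
        }
    }
}

# User certificate (user authentication) and computer certificate (machine authentication)
Test-CertificateAmbiguity -StorePath 'Cert:\CurrentUser\My'
Test-CertificateAmbiguity -StorePath 'Cert:\LocalMachine\My'
```

Run it in the context of the user who gets the prompt; the LocalMachine store needs an elevated shell to read private-key state reliably. A warning on the CurrentUser store with a non-internal issuer listed is exactly the iTunes-style situation from the first post, and on Windows 8 and later it is the case the "advanced" issuer filter is meant to resolve.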