
EAP-TLS working for some not for others. Help!

  • 1.  EAP-TLS working for some not for others. Help!

    Posted Mar 15, 2019 12:32 PM

    Hey All

    New here.

    So, let's get into it.

    We have a:

    • Trusted CA
    • a subordinate CA
    • a Server 2016 NPS server
    • and WPA2 Enterprise security on our wireless.

    We are using computer certificates to authenticate the PC and allow wifi access. GPO pushing wifi authentication settings (no auto connect).

    So, to give a quick description of the issue we're seeing. It's only happening to some users, and not to others:

    On my computer, everything works as expected. I get a cert, I can connect. I delete the cert, I can no longer connect. Cool.

    On my colleague's computer with the same GPO, and a requested computer certificate, he is prompted for a certificate and a username. The simple certificate list does not show his computer certificate at all (it does show user certificates, not to mention it shouldn't prompt for a username).

    All I see on the local machine for failures in the event log for one of these impacted users is: 6105 - deauth after EAPOL key exchange sequence

    I see the same error if I delete my certificate and try to authenticate.

    When the impacted user tries to authenticate, I see nothing in the NPS logs.

    At a bit of a loss here and would appreciate any help.

    Here are some pics of my settings (Network policy and GPO settings): https://imgur.com/a/5uGZ4yY



  • 2.  RE: EAP-TLS working for some not for others. Help!

    Posted Mar 16, 2019 02:10 PM

    Why do you check the Called Station ID?



  • 3.  RE: EAP-TLS working for some not for others. Help!

    Posted Mar 18, 2019 06:32 AM

    Have you verified that the computers with issues did actually receive the computer certificate?

    Have you verified that your group policy (which sets computer authentication) is actually applied to those machines? Did you do a 'gpupdate /force' on the problematic systems?

    It looks to me that either one of these conditions causes the errors.

    What may also be useful, to get a better understanding, is to do a packet capture and see whether a client cert is sent and rejected, or the cert isn't sent at all.



  • 4.  RE: EAP-TLS working for some not for others. Help!

    Posted Mar 18, 2019 09:17 AM

    Hey Herman

    Thanks for the reply, appreciate it -- Certs are definitely enrolled (currently manually enrolled, not auto enrolled) and GPO is 100% applied as per gpresult.

    It looks like I have this sorted out though... Seems to be just a small subset of machines having trouble, where a wider test has been largely successful.

    I'm not sure what's causing it on this subset of machines though. Again, they definitely have the GPO and the certificate. Any idea what might cause it?



  • 5.  RE: EAP-TLS working for some not for others. Help!

    Posted Mar 18, 2019 10:02 AM

    One more small thing may be the time-sync/time zone. All devices that do something with certificates (clients, servers) should be time-synced to within minutes of each other.
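    Added here as an example, not code from the thread or from any of its posters: a PowerShell check to run on an affected workstation that covers the points raised in replies 3 and 5 (is a usable computer certificate present, is the GPO applied in the computer scope, is the clock in sync, and does the pushed WLAN profile actually ask for machine authentication). $IssuerMatch is an assumption; replace it with a substring of your subordinate CA's subject name.

```powershell
# Added diagnostic, not from the thread. Run in an elevated PowerShell on a workstation
# that gets the certificate prompt. $IssuerMatch is an assumption: a substring of the
# issuing (subordinate) CA's subject name.
$IssuerMatch   = 'Subordinate CA'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU, required for EAP-TLS
$now = Get-Date

# 1. Machine certificate: issued by the expected CA, currently valid, Client Auth EKU,
#    private key present, and a chain that builds to a trusted root on this machine.
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -like "*$IssuerMatch*" -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
}
if (-not $certs) { Write-Warning "No valid machine certificate from '$IssuerMatch' in LocalMachine\My" }
foreach ($c in $certs) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $built = $chain.Build($c)
    $ekus  = $c.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
    [pscustomobject]@{
        Thumbprint  = $c.Thumbprint
        Subject     = $c.Subject
        ClientAuth  = ($ekus -contains $ClientAuthOid)
        PrivateKey  = $c.HasPrivateKey
        ChainBuilds = $built
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    } | Format-List
}

# 2. Is the wireless GPO applied in the computer scope (not only the user scope)?
gpresult /r /scope:computer

# 3. Clock skew makes an otherwise good certificate appear not yet valid or expired.
w32tm /query /status

# 4. Does each pushed WLAN profile request machine authentication? Export the profiles
#    and look for <authMode>: "machine" means computer cert only, "user" means user
#    cert only, and a missing element means the default, machineOrUser.
$dir = Join-Path $env:TEMP 'wlan-profiles'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
netsh wlan export profile folder="$dir" | Out-Null
Get-ChildItem $dir -Filter '*.xml' | ForEach-Object {
    $m    = Select-String -Path $_.FullName -Pattern '<authMode>(\w+)</authMode>'
    $mode = if ($m) { $m.Matches[0].Groups[1].Value } else { 'machineOrUser (default)' }
    '{0,-40} authMode={1}' -f $_.BaseName, $mode
}
```

    A profile whose authMode is user, or a certificate whose ClientAuth or PrivateKey comes back False, would produce exactly the user-certificate prompt described in the first post.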



  • 6.  RE: EAP-TLS working for some not for others. Help!

    Posted Mar 18, 2019 10:12 AM

    Hey Herman

    Timezone/Time-sync are all good.

    As mentioned before, the impacted users are prompted for a cert + username (but the certs listed are NOT the machine cert assigned), almost like something is overriding the GPO.

    (As a contrast, if I remove the GPO, a functioning machine will ask for username and password, but also accept a certificate authentication.)



  • 7.  RE: EAP-TLS working for some not for others. Help!

    Posted Apr 05, 2019 01:00 PM

    Have you found the solution?



  • 8.  RE: EAP-TLS working for some not for others. Help!

    Posted Apr 05, 2019 03:51 PM

    Sort of, but not really? Seems to be a handful of people's computers, but not everyone is impacted.

    If I put that user on a fresh machine with a fresh cert, it works fine, so this case can likely be closed. I'll have to fight with GPO or whatever is impacting these individuals.

    Thanks for the check-in.



  • 9.  RE: EAP-TLS working for some not for others. Help!

    Posted Mar 18, 2019 09:16 AM

    Heya. So, as to the Called Station ID question: we're utilizing this to have different authentication types against different SSIDs.