?
Solved

certificate choice for machine based authentication

Posted on 2014-03-05
12
Medium Priority
?
569 Views
Last Modified: 2014-03-07
Hi,

can any one tell me how to make a certificate the preferred choice for machine based authentication?

I have laptops with 3 or 4 client certs and I need to insure which one is chosen for authentication to the wireless network.

I have read about "weight" but I cant see how to set this up or check it?

Cheers
0
Comment
Question by:Aaron Street
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
  • 3
12 Comments
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39907851
When you say you have laptops with 3 or 4 client certs, do you mean user certs?

You can't have more than one computer certificate from a specific CA per machine, so as long as you set the authentication method to use Computer Authentication it will always use the machine certificate.
0
 
LVL 16

Author Comment

by:Aaron Street
ID: 39907917
umm no i mean computer certs :)

Before my time, but ig you go on our CA, it has about 6 computer certs templates that are all set to autoenroll. So a PC gets turned on and it gets them all.

Most of them are the same apart from the SAN name, but this is where the issue is, I need the principle name to be complete and this is not the case for all of them :(

yes its bad practice and should not be so, but sadly it is legacy and not something I can change over night.
0
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 39907943
If the certificates are autoenrolled with GPO and the autoenrollment is set on default domain policy, you can revoke certificates - then they're removed from computers

And then remove all "bad" certificate templates from CA - create a new working template (or use computer ) and set properties for autoenrollment. In sercurity for certificate template, only let a specific group be able to auto enroll, and then add just some test computers to that group, and test certs ... when all are good - add more computers to group - enroll and connect :)
0
Four New Appliances. Same Industry-leading Speeds.

But don't take it from us.  The Firebox M370 is Miercom tested and Miercom approved, outperforming its competitors for stateless and stateful traffic throughput scenarios.  Learn more about the M370, M470, M570 and M670 and find the right solution for your organization today!

 
LVL 16

Author Comment

by:Aaron Street
ID: 39907965
Yer that would be how to do it, but the issue is going through the hundreds of templates that people have created over the years and working out what is needed and what is not.

Unfortunately our set up is never as simple as "one size fits all", we don't control the users devices as much as we would like,Some so while the process is simple we have to be careful to not upset people. Some applications we have require specific machine certs to be installed that are not linked to the Domain CA and used to authenticate against a specifics workstation or server that is not on the domain. And a few are even used for licencing purposes.

Now i am sure that 99.9% could be resolved, but working in a science institute I know that you have to take each PC individual when you make changes like this. I think this is why Windows 8 allows you to have mutiply Computer certs and manage them more easly.
0
 
LVL 46

Accepted Solution

by:
Craig Beck earned 900 total points
ID: 39908784
you can revoke certificates - then they're removed from computers
That's not quite correct - a certificate is revoked but it isn't removed from the certificate store on the client machine.  Think about that - if the cert was revoked and the client wasn't connected to the network how would it know to delete the cert?  It doesn't. (Sorry Jakob :-))

@DevilWAH - you could configure your RADIUS policy to expect to see a certain attribute, or value within an attribute, to determine which certificate you 'want' to be used to authenticate, then as long as Simple Certificate Selection is used (default when you select Computer Authentication) the client should offer the correct certificate to the RADIUS server.
0
 
LVL 22

Assisted Solution

by:Jakob Digranes
Jakob Digranes earned 600 total points
ID: 39908847
Yes --- they will be removed, if autoenrollment are configured properly: http://technet.microsoft.com/en-us/library/cc732311%28v=ws.10%29.aspx

"Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box."
But indeed, that requires the client to be online to get the new CRL being aware that its certificate is revoked. Same process as when renewing certs - old ones are removed, replaced with new
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39908921
Hmmm, you're thinking too far ahead, Jakob :-)
0
 
LVL 16

Author Comment

by:Aaron Street
ID: 39908941
craigbeck, oh is did not realise you could do that, I will have to look in to how to do this on CISCO ISE radius.

I basically want to use the cert that has

"principle name contains @company.ac.uk"

Sounds promicing
0
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 39908982
@craigbeck ---- well, that's was all I had to offer :-)
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39908991
Ah good luck with that in ISE... ;-)

You can do it but you might need to create a new Certificate Authentication Profile and a new ID store sequence, then add that sequence to the authentication rule.

I'm not saying these screenshots are exactly what you'll need but they'll help point you in the right direction...

ISE Certificate Authentication Profile
ISE Certificate Authentication Identity Store Sequence
ISE Authentication Rules
0
 
LVL 16

Author Comment

by:Aaron Street
ID: 39910008
You seem to know ISE, so may be you can answer this.

My authentication profile says,

If method is TLS use cert store other wise use AD.

So my machine set up to use certificate authenticates fine.

But my authorization profile tries to match an AD group but returns that machine failed AD authentication? Even though if I set it to use peep/ms-chap it works fine.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39914040
The authorisation profile just sets access based on what the ISE sees in the RADIUS packet, so once authentication is passed you should be able to see what you need to configure based on the authentication result.

To simplify, use a permit all authorisation rule first, then authenticate and check the log in ISE. hen pick out certain attributes to create your authorisation rule and set required permissions on that rule.
0

Featured Post

Bringing Advanced Authentication to the SMB Market

WatchGuard announces the acquisition of advanced authentication provider, Datablink, with one mission – to bring secure authentication to SMB, mid-market, and distributed enterprises with a cloud-based solution, ideal for resale via their established channel & MSSP community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question