Once again I'm hitting this community for some potential answers. I am attempting to set up 802.1X authentication using a certificate on a "wired" Windows 10 host against Forescout as the RADIUS server. Forescout does not have great documentation on how this should be done on the Windows side. Currently, Meraki support has verified that the Windows 10 test host I have is not sending 802.1X auth attempts and is failing over to MAC address bypass directly.
On the Meraki switch side, just to verify nothing is setup wrong, I have an access policy under switching/access policies:
- my RADIUS server with the Forescout's host IP port 1812 and shared secret -> verified to work
- RADIUS testing enabled
- RADIUS CoA enabled
- RADIUS accounting with the Forescout's host IP port 1813 and shared secret
- RADIUS attribute specifying group policy name: None
- Host Mode: Single-Host -> I have just a laptop attached to a switch port
- Access policy type: Hybrid authentication
- Guest VLAN: our guest vlan ID of 133
- Failed Auth VLAN: None
- Re-authentication Interval: None
- Critical Auth VLAN: None
- Voice VLAN client: Bypass authentication
- URL redirect walled garden: disabled
- Systems Manager enrollment: disabled
I believe the above works, but I am not clear on what settings should be on the Windows 10 host side, even with Forescout's professional services help. I have our internal CA's root cert loaded in Forescout, as well as on the Windows 10 host. The Windows 10 host is configured with these settings under the Authentication tab of the Ethernet NIC:
- Enable IEEE 802.1X authentication
- Choose a network authentication method: "Microsoft: Smart Card or other certificate"
- "Verify the server's identity by validating the certificate" unchecked
Under "Microsoft: Smart Card or other certificate" Advanced setting:
- "Use a certificate on this computer", with Certificate Issuer set to our internal root CA's cert
- Extended Key Usage (EKU) checked
- All Purpose unchecked, Client Authentication checked, AnyPurpose unchecked
Please advise, thank you.
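For anyone working through the same Windows-side setup, the following PowerShell is an added diagnostic example (not from the original post or from Meraki/Forescout). It checks the things on the Windows 10 host that determine whether the wired supplicant will send 802.1X at all: the Wired AutoConfig service, the interface's 802.1X state and wired profile as Windows sees them, the presence of a machine certificate from the internal CA that carries the Client Authentication EKU, and recent wired 802.1X events. The adapter name "Ethernet" and the issuer substring "Internal Root CA" are assumptions; change them to match the host.

```powershell
# Added diagnostic script (not from the original post). Run in an elevated PowerShell.
$InterfaceName = "Ethernet"           # assumption: adjust to the wired NIC's name
$IssuerMatch   = "Internal Root CA"   # assumption: substring of the internal CA's issuer DN
$ClientAuthOid = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth, the EKU EAP-TLS client certs need

# 1. The Wired AutoConfig service (dot3svc) is the wired 802.1X supplicant on Windows.
#    If it is stopped, the host never sends EAPOL regardless of the NIC's Authentication tab.
$svc = Get-Service -Name dot3svc
"dot3svc status: $($svc.Status), start type: $($svc.StartType)"
if ($svc.Status -ne 'Running') {
    Set-Service -Name dot3svc -StartupType Automatic
    Start-Service -Name dot3svc
}

# 2. Show the interface's 802.1X state and the wired profile Windows has applied to it.
netsh lan show interfaces
netsh lan show profiles

# 3. "Smart Card or other certificate" with "Use a certificate on this computer" picks a
#    cert from the machine store, so confirm one exists that chains to the internal CA,
#    has a private key, and carries the Client Authentication EKU.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.Issuer -like "*$IssuerMatch*" -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
}
if (-not $candidates) {
    Write-Warning "No machine cert with Client Authentication EKU issued by '$IssuerMatch' found."
} else {
    $candidates | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
}

# 4. Recent wired 802.1X events, if the Wired-AutoConfig operational log is enabled.
Get-WinEvent -LogName 'Microsoft-Windows-Wired-AutoConfig/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 5. Export the wired profile XML for review, or to push to other hosts later with
#    "netsh lan add profile filename=<file> interface=<name>".
$exportDir = Join-Path $env:TEMP 'lanprofile'
New-Item -ItemType Directory -Force -Path $exportDir | Out-Null
netsh lan export profile folder="$exportDir" interface="$InterfaceName"
Get-ChildItem $exportDir
```

If step 1 reports the service as stopped or set to Manual, that alone explains a host that never attempts 802.1X and lands on MAC bypass; if step 3 finds no candidate certificate, the supplicant has nothing to present and will fail silently on the client side. The exported profile XML from step 5 records the EAP configuration actually in effect, including the server-validation and EKU settings chosen in the GUI.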