Windows 802.1x auth using certificate against Forescout

Solved
ronnieshih75
Building a reputation

Windows 802.1x auth using certificate against Forescout

Once again I'm hitting this community for some potential answers.  I am attempting to setup 802.1x authentication using certificate on a "wired" Windows 10 host against Forescout as the RADIUS server.  Forescout does not have great documentation on how this should be done on the Windows side.  Currently, Meraki support verified that the Windows 10 test host I have is not sending 802.1x auth attempts and failing over to MAC address bypass directly.

 

On the Meraki switch side, just to verify nothing is setup wrong, I have an access policy under switching/access policies:

- my RADIUS server with the Forescout's host IP port 1812 and shared secret -> verified to work

- RADIUS testing enabled

- RADIUS CoA enabled

- RADIUS accounting with the Forescout's host IP port 1813 and shared secret

- RASIUS attribute specifying group policy name:  None

- Host Mode:  Single-Host -> I have just a laptop attached to a switch port

- Access policy type:  Hybrid authentication

- Guest VLAN:  our guest vlan ID of 133

- Failed Auth VLAN:   None

- Re-authentication Interval:  None

- Critical Auth VLAN:  None

- Voice VLAN client:  Bypass authentication

- URL redirect walled garden:  disabled

- Systems Manager enrollment:  disabled

 

 

I believe the above works, I am not clear regarding what settings should be on the Windows 10 host side, even with Forescout's professional service help.  I have our internal CA's root cert loaded in Forescout, as well as on the Windows 10 host.  Windows 10 host is configured with these settings under the Authentication tab of the Ethernet NIC:

- Enable IEEE 802.1X authentication

- Choose a network authentication method:  "Microsoft:  Smart Card or other certificate"

- Verify the server's identity by validating the certificate unchecked

Under "Microsoft:  Smart Card or other certificate" Advanced setting:

- Use a certificate on this computer with Certificate Issuer being our internal root CA's cert

- Extended Key Usage (EKU) checked

- All Purpose unchecked, Client Authentication checked, AnyPurpose unchecked

 

 

Please advise, thank you.

1 Accepted Solution
ronnieshih75
Building a reputation

Thank you for the articles.

 

I found the issues eventually myself.  The endpoint test laptop did not have certificate meant for client/server authentication from our internal CA installed.  Also our Forescout server did not have the intermediate certs from the subordinate CA servers.  After that, I also found out that on the endpoint, I had to configure authentication to do "Computer authentication" only because user was getting tried and that's not what I want.  THEN, I found out on the Forescout or RADIUS server, a different cert was getting hit.  So I had to reconfigure the client end to use that cert instead.  802.1x EAP-TLS authentication then started working.

View solution in original post

4 Replies 4
alemabrahao
Kind of a big deal
Kind of a big deal

Check this article:

 

https://www.securew2.com/blog/complete-guide-to-windows-802-1x

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal
Kind of a big deal

It's the correct article:

 

 

https://www.virtualizationhowto.com/2018/12/configure-windows-10-for-802-1x-user-authentication/

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal

The most common issue I run into is that the windows service "Wired AutoConfig" has not been changed from "Manual" to "Automatic" startup.  My guess is this is why you are not seeing the machine attempt to authenticate.

 

Is ForeScout using a public certificate?  If not, you'll "probably" need to get a copy of their publiuc CA certificate and add it to the Windows "Trusted Root Certification Authorities".

ronnieshih75
Building a reputation

Thank you for the articles.

 

I found the issues eventually myself.  The endpoint test laptop did not have certificate meant for client/server authentication from our internal CA installed.  Also our Forescout server did not have the intermediate certs from the subordinate CA servers.  After that, I also found out that on the endpoint, I had to configure authentication to do "Computer authentication" only because user was getting tried and that's not what I want.  THEN, I found out on the Forescout or RADIUS server, a different cert was getting hit.  So I had to reconfigure the client end to use that cert instead.  802.1x EAP-TLS authentication then started working.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels