SHA256 Client Certificate (Parallel PKI Infra) Wireless Issue on Windows 7

    Question

  • Hi,

    Our company is planning to replace SHA1 certificates to SHA256 certificates. Our parallel PKI infrastructure using SHA256 is now in place.

    Root and Policy CA are shutdown. Only Issuing CA is online. AIA and CDP were already published. Clients can now get the new SHA256 certificates.

    We are now on the testing phase.

    Our Radius Server is: Cisco ACS

    Current Authentication Method: User Authentication (EAP-TLS using our PKI infrastructure)

    Issue: Clients using Windows 7 cannot connect to our current SSID, but Windows 10 users can connect. Using the old SHA1 certificate, both Windows 7 and 10 users can connect. Windows 7 machines are saying "a certificate is required to connect to <SSID>" even though the certificate is already installed.

    Changing the authentication from "User" to "Machine" authentication, the Windows 7 laptop responds and attempts to connect on the Cisco ACS.

    Cisco TAC says

    "ACS is properly configured, but as explained before we are not reaching the TLS handshake between ACS and windows machine since the windows machine is not responding to the WLC EAPOL packet."

    What could be the problem on the Windows 7 machine? Do we need to upgrade something?

    • Edited by avarixia July 20, 2017 11:53
    July 18, 2017 10:59

All replies

  • Hi,

    How did you "install" the subordinate CA certificate after you renewed it? Did you open the Certificate Authority tool, right click the CA/All Tasks/Install CA Certificate? Did you by chance just import the certificate into the computer certificate store and not complete the renewal process by using the Install CA Certificate process in the tool?

    In addition, you can also check this article for reference.

    Upgrade Certification Authority to SHA256

    https://blogs.technet.microsoft.com/pki/2013/09/19/upgrade-certification-authority-to-sha256/

    Best Regards,

    Tao


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    July 19, 2017 2:26
    Moderator
  • The PKI infrastructure issuing the new SHA-2 certificate is completely separate from the legacy PKI, which is still active. Everything works out well for the new certificates, now working for a couple of our internal websites for SSL, Fortigates and UC appliances. VPN is working too with the new certificate; however, the issue is specific to wireless network connectivity, and it's working on Windows 10 machines, just not for Windows 7 machines.
    July 19, 2017 16:00
  • Hi Tao,

    IM2017 is my colleague; he is the Microsoft guy while I'm the network guy :)

    July 20, 2017 11:30
  • Hi, do you see any event log being recorded on the Windows 7 machine? Do you have the SHA256 root certificate on the Windows 7 machine?
    July 20, 2017 11:51
  • Hi avarixia,

    From the looks of it, it has every ring that the problem is with the Cisco ACS server, given other certificate usage works. Doing a Certutil -verify -urlfetch on the client with an export of the certificate will help confirm this.

    The most obvious thing to check is if the CA certificate for the new PKI has been installed on the ACS server. If that is not the case, the VPN cannot work for the new certificates.

    A good next step if that is the case would be to turn on Netsh tracing. You'll need to read the right Technet Article to turn it on. It will trace the steps for establishing the network and provide a ton of information.

    Kind Regards,

    July 20, 2017 13:33
  • > Hi, do you see any event log being recorded on the Windows 7 machine? Do you have the SHA256 root certificate on the Windows 7 machine?

    The Windows 7 machine just says "a certificate is required to connect to <SSID>" even if the client certificate is already installed.

    The root CA is not on the Windows 7 machine, just the client certificate from the issuing CA.

    July 20, 2017 14:47
  • > Hi avarixia,
    >
    > From the looks of it, it has every ring that the problem is with the Cisco ACS server, given other certificate usage works. Doing a Certutil -verify -urlfetch on the client with an export of the certificate will help confirm this.
    >
    > The most obvious thing to check is if the CA certificate for the new PKI has been installed on the ACS server. If that is not the case, the VPN cannot work for the new certificates.
    >
    > A good next step if that is the case would be to turn on Netsh tracing. You'll need to read the right Technet Article to turn it on. It will trace the steps for establishing the network and provide a ton of information.
    >
    > Kind Regards,

    Hi,

    All the new SHA256 certificates are installed on the ACS server. Actually, the new SHA256 client certificate works fine on a Windows 10 machine when connecting to wireless.

    On the wireless SSID settings on the Windows 7 machine:

    1. Using "User Authentication" - the Windows 7 machine does not attempt to connect. There's a notification of "a certificate is required to connect to <SSID>".

    2. Using "Computer Authentication" - the Windows 7 machine attempts to connect, but this is not the correct authentication method; we should use "User Authentication".

    July 20, 2017 14:48
  • Hi Avarixia,

    What are the enhanced key usages of the User Authentication certificates (and template)? I've spoken with our resident Cisco expert, and he mentioned that the certificates need Client Authentication enhanced key usage. For user certificates, this is a bit counterintuitive, so it may be something to check.

    If that doesn't work, I'm afraid I'm at a loss too. The only way then I think will be to pursue the TAC case you already have with Cisco and refuse to take no for an answer.

    Kind Regards,

    July 21, 2017 9:51
  • > Hi Avarixia,
    >
    > What are the enhanced key usages of the User Authentication certificates (and template)? I've spoken with our resident Cisco expert, and he mentioned that the certificates need Client Authentication enhanced key usage. For user certificates, this is a bit counterintuitive, so it may be something to check.
    >
    > If that doesn't work, I'm afraid I'm at a loss too. The only way then I think will be to pursue the TAC case you already have with Cisco and refuse to take no for an answer.
    >
    > Kind Regards,

    Hi J. Couwenberg,

    Here it is: basically this EKU is the same as our current infrastructure

    Encrypting File System (1.3.6.1.4.1.311.10.3.4)
    Secure Email (1.3.6.1.5.5.7.3.4)
    Client Authentication (1.3.6.1.5.5.7.3.2)

    https://support.microsoft.com/en-us/help/2494172/windows-7-does-not-connect-to-an-ieee-802.1x-authenticated-network-if

    I tried the link above but it doesn't work.

    Here's the summary for the new SHA256 client certificate (the ACS Log column was empty in the original post):

    Network Authentication Method              | 802.1x Authentication Method    | ACS Log
    -------------------------------------------|---------------------------------|--------
    Microsoft: Smart Card or Other Certificate | User or Computer Authentication |
    Microsoft: Smart Card or Other Certificate | User Authentication             |
    Microsoft: Smart Card or Other Certificate | Computer Authentication         |
    Microsoft: Protected EAP (PEAP)            | User or Computer Authentication |
    Microsoft: Protected EAP (PEAP)            | User Authentication             |
    Microsoft: Protected EAP (PEAP)            | Computer Authentication         |

    July 24, 2017 15:15
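The checks the thread has asked for so far (Client Authentication EKU, SHA256 signature, template OID, and whether the user certificate chains to a trusted root on the Windows 7 client) can be collected in one pass from the user's own certificate store. This is an added example, not code from any poster in the thread; it assumes it is run in the affected user's session on the Windows 7 client and that the user certificate is in Cert:\CurrentUser\My.

```powershell
# Added example (not from any poster in this thread): list the current user's personal
# certificates and report the properties the thread asks about, complementing
# "certutil -verify -urlfetch <exported cert>" and the EKU check suggested above.
# Assumes it runs in the user's own session on the Windows 7 client (PowerShell 2.0+).
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'    # Client Authentication EKU (listed in the thread)
$TemplateOid   = '1.3.6.1.4.1.311.21.7' # Certificate Template Information extension

function Test-EapTlsUserCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Does the EKU extension list Client Authentication? Reports False if the
    # extension is missing or the OID is not present.
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = $false
    if ($ekuExt) {
        $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
    }

    # Template OID: the value that differed between the old and new templates in this thread.
    $template = $Cert.Extensions |
        Where-Object { $_.Oid.Value -eq $TemplateOid } |
        ForEach-Object { $_.Format($false) }

    # Build the chain to a trusted root with online revocation checking (like -urlfetch).
    # Fails with PartialChain/UntrustedRoot if the SHA256 root is not installed on this machine.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($Cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    New-Object PSObject -Property @{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        SignatureAlg  = $Cert.SignatureAlgorithm.FriendlyName   # expect sha256RSA for the new PKI
        HasPrivateKey = $Cert.HasPrivateKey                      # EAP-TLS needs the private key
        ClientAuthEku = $hasClientAuth
        Template      = "$template"
        ChainBuilds   = $chainOk
        ChainStatus   = $chainStatus
    }
}

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-EapTlsUserCert -Cert $_ } | Format-List
```

A certificate that shows ClientAuthEku True, HasPrivateKey True and ChainBuilds True but still triggers "a certificate is required to connect" points away from the certificate itself and toward the template or supplicant, which matches how the thread was eventually resolved.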
  • This is now resolved. Our Microsoft team said they just "recreated the template".

    I did compare the old and new SHA256 certificate templates though:

    old=1.3.6.1.4.1.311.21.8.16123435.1100288.872368.3882848.7205000.11.3604151.9056575

    new=1.3.6.1.4.1.311.21.8.16123435.1100288.872368.3882848.7205000.11.1416718.1237055

    • Edited by avarixia July 26, 2017 17:15
    July 25, 2017 18:03
  • Having the same issue now - what did the Microsoft team do exactly, so I can do it and see if it works?
    June 7, 2018 12:35