09-30-2024 12:47 PM
I am trying to setup Machine authentication, where it actually validates the machine certificate, I have a PKI infrastructure, that pushes certificates to the machines, with there name in Common Name, and SAN, of the machine hostname.
On they Certificate Profile i have enabled CRL, and added both Root and intermediate CA, and set username to subject, and then i have enabled the 4 "block session" checkmarks.
As soon as i enable the "Block sessions if the certificate was not issued to the authenticating device", i cannot login and GP gives me an error that i need a valid certificate.
I have also tryed adding the domain and Certificate template, but that did not help
Firewall is 1410, running 11.1.4-h1, agent running 6.3.1
Any idear on what i am dooing wrong ?
10-01-2024 04:44 PM - edited 10-01-2024 04:45 PM
How are you implementing your client certificates? The Host ID certificate check references a unique ID on the machine retrieved from the GP client and a serial number in the subject of the certificate. You can see the unique IDs it references per host OS in the manual here in the "Host ID" section:
So for a Windows machine the subject has to include the MachineGuid from the registry. It is not the machine name (CN) that most people would make their client certificates from. It is an optional field and basically no one normally creates a cert with a serial number. (Note this is not the serial number of the certificate itself, this is a serial number in the subject of the cert).
So a normal internal machine certificate for machine "mylaptop.example.local" would have a subject like:
CN = mylaptop
OU = EmployeePCs
DC = example
DC = local
I haven't done this before, but I believe you need to create an internal client certificate with a subject like this:
CN = mylaptop
serialNumber = c828ea23-62ab-9a3d-56a90ecb2027
OU = EmployeePCs
DC = example
DC = local
This requires redoing your PKI certificate templates to create the new cert form automatically during your AD joining/etc.
10-02-2024 01:11 AM
In what part of of the certificate should this be added to the CN or SAN. the CN can to ny knowledge only contain one name which is usally the FQDN.
if it is added to the SAN, in what format
GUID = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (Like Cisco ISE)
Serial = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Can this be used without HIP ?
10-02-2024 04:07 AM
Serial of the machine is usally different from Machine ID, should i use the serial or the Machine ID ? so should it be
host id = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
