Hello,

On Thu, 6 Mar 2025, at 20:48, Sam Yun wrote:
> > Is there a reason y'all are using an emulated smart card (which
> > apparently doesn't work)? Why not install a TLS cert on the Windows
> > client and update the profile to use that cert(s)?
We knew Windows would only utilise the MSK and did not see too much value doing interop on the same certificate store. If there was going to be EMSK it would have added a helpful datapoint. As for the smart card, it made this 'exciting' work a little more palatable :)

> We do run interop testing between Windows + Clearpass, where we do
> tls[machine], tls[user] and Windows + ISE, where we do tls[user],
> tls[machine]. So I can confirm those two combinations do work in
> production today.

IIRC ISE only works with the "allow downgrade to MSK" check box ticked.

The concern ultimately is that the wording of 7170 has led to multiple interpretations of how to generate the crypto-bindings for the inner methods when you have an MSK and a MSK/EMSK for each and of course wish to use the EMSK. It is clear what to do for EMSK+EMSK and MSK+MSK but this wording has created three separate non-interoperating implementations.

Cheers
Alex

_______________________________________________
Emu mailing list -- emu@ietf.org
To unsubscribe send an email to emu-le...@ietf.org
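To make concrete what the reply above means by the two unambiguous cases (EMSK+EMSK and MSK+MSK), here is an added Python illustration of the RFC 7170 section 5.2 inner-method key chain; it is not code from the thread or from any of the implementations mentioned. It derives IMSK from either an MSK or an EMSK, runs the S-IMCK/CMK chain across two inner methods, and checks a Compound MAC the way a peer would check the server's Crypto-Binding TLV. Assumptions, marked in the comments: the TLS PRF hash is SHA-256, the 64-octet length in the IMSK derivation is encoded as two big-endian octets, the Compound MAC is HMAC-SHA256 truncated to the 20-octet field, and all key material and the TLV buffer are constructed sample bytes. The mixed MSK/EMSK chain that the mail says is open to interpretation is deliberately not implemented; the last function only shows that two sides that pick different chains fail the MAC check, which is the non-interop the mail describes.

```python
import hmac
import hashlib
from typing import List, Tuple

# Labels from RFC 7170 section 5.2.
BINDKEY_LABEL = b"TEAPbindkey@ietf.org"
IMCK_LABEL = b"Inner Methods Compound Keys"


def tls_prf_sha256(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5) built on P_SHA256.
    Assumption: the negotiated TLS cipher suite uses SHA-256."""
    full_seed = label + seed
    output = b""
    a = full_seed  # A(0) = seed
    while len(output) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        output += hmac.new(secret, a + full_seed, hashlib.sha256).digest()
    return output[:length]


def imsk_from_emsk(emsk: bytes) -> bytes:
    """IMSK = first 32 octets of TLS-PRF(EMSK, "TEAPbindkey@ietf.org" | "\\0" | 64).
    Assumption: the length 64 is encoded as two big-endian octets (0x00 0x40)."""
    seed = b"\x00" + (64).to_bytes(2, "big")
    return tls_prf_sha256(emsk, BINDKEY_LABEL, seed, 64)[:32]


def imsk_from_msk(msk: bytes) -> bytes:
    """When the inner method yields no EMSK, IMSK is the first 32 octets of its MSK."""
    return msk[:32]


def derive_chain(session_key_seed: bytes, imsks: List[bytes]) -> Tuple[bytes, List[bytes]]:
    """S-IMCK[0] = session_key_seed; for each inner method j:
    IMCK[j] = first 60 octets of TLS-PRF(S-IMCK[j-1], "Inner Methods Compound Keys", IMSK[j]),
    S-IMCK[j] = first 40 octets of IMCK[j], CMK[j] = last 20 octets of IMCK[j]."""
    s_imck = session_key_seed
    cmks = []
    for imsk in imsks:
        imck = tls_prf_sha256(s_imck, IMCK_LABEL, imsk, 60)
        s_imck, cmk = imck[:40], imck[40:60]
        cmks.append(cmk)
    return s_imck, cmks


def compound_mac(cmk: bytes, buffer: bytes) -> bytes:
    """Compound MAC = MAC(CMK[j], BUFFER). Assumption: HMAC-SHA256 truncated to the
    20-octet Compound MAC field (RFC 7170 ties the MAC to the TLS cipher suite)."""
    return hmac.new(cmk, buffer, hashlib.sha256).digest()[:20]


def verify_compound_mac(cmk: bytes, buffer: bytes, received: bytes) -> bool:
    return hmac.compare_digest(compound_mac(cmk, buffer), received)


# Constructed sample material; none of this is real session key material.
SESSION_KEY_SEED = bytes(range(40))  # stands in for the 40-octet TLS exporter output
MSK_1, EMSK_1 = bytes([0x11]) * 64, bytes([0x22]) * 64  # inner method 1
MSK_2, EMSK_2 = bytes([0x33]) * 64, bytes([0x44]) * 64  # inner method 2
# Placeholder for the Crypto-Binding TLV with its MAC fields zeroed, plus inner EAP type.
CRYPTO_BINDING_BUFFER = b"constructed-crypto-binding-tlv-with-mac-fields-zeroed"


def msk_only_chain() -> Tuple[bytes, List[bytes]]:
    """The unambiguous MSK+MSK case: neither inner method produced an EMSK."""
    return derive_chain(SESSION_KEY_SEED, [imsk_from_msk(MSK_1), imsk_from_msk(MSK_2)])


def emsk_chain() -> Tuple[bytes, List[bytes]]:
    """The unambiguous EMSK+EMSK case: both inner methods produced an EMSK."""
    return derive_chain(SESSION_KEY_SEED, [imsk_from_emsk(EMSK_1), imsk_from_emsk(EMSK_2)])


def both_sides_agree(server_imsks: List[bytes], peer_imsks: List[bytes]) -> bool:
    """Server computes the final Compound MAC under its chain; peer verifies under its own.
    Any difference in which key (MSK or EMSK) fed the chain makes the check fail."""
    _, server_cmks = derive_chain(SESSION_KEY_SEED, server_imsks)
    _, peer_cmks = derive_chain(SESSION_KEY_SEED, peer_imsks)
    mac = compound_mac(server_cmks[-1], CRYPTO_BINDING_BUFFER)
    return verify_compound_mac(peer_cmks[-1], CRYPTO_BINDING_BUFFER, mac)


if __name__ == "__main__":
    msk_imsks = [imsk_from_msk(MSK_1), imsk_from_msk(MSK_2)]
    emsk_imsks = [imsk_from_emsk(EMSK_1), imsk_from_emsk(EMSK_2)]
    print("MSK+MSK   agrees:", both_sides_agree(msk_imsks, msk_imsks))
    print("EMSK+EMSK agrees:", both_sides_agree(emsk_imsks, emsk_imsks))
    print("MSK vs EMSK chain agrees:", both_sides_agree(msk_imsks, emsk_imsks))
```

The practical check this suggests for an interop lab is to log, on both sides, which key (MSK or EMSK) fed each IMSK[j] before comparing Compound MACs: a MAC mismatch on an otherwise healthy TLS tunnel is far more often a chain-selection disagreement than a cryptographic fault.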