AgentP and certificates
In this topic, you will learn what certificates AgentP installs on Windows computers in its different operating modes.
What is the computer certificate store and the user certificate store?
There are two places where a Windows system stores certificates: the computer certificate store (managed using the Manage computer certificates control panel, certlm.msc) and the user certificate store (managed using the Manage user certificates control panel, certmgr.msc). The computer certificate store is accessible as soon as the operating system is running, even when no user is logged in. A user certificate store belongs to one specific user and is accessible only while that user is logged in. For example, if the user kosh is logged in, neither kosh nor the operating system can access the certificates in the user certificate store that belongs to the user ulkesh, and the other way around.
This gives two ways of authenticating the endpoint on a network. A certificate from the computer store attests that this is a specific device (for example, a company device). A certificate from the user store attests that a specific user is logged on to this device and lets you adjust network access depending on the privileges of that user.
What are computer certificates and user certificates?
In addition to the two different certificate stores, there are also two common names used to describe the types of certificates: user certificates and computer certificates (or device certificates). These names apply not to the store where the certificate is located, but rather to the information that is in the certificate.
For example, a user certificate may have the user’s email address in the Subject field, or in one of the SAN (Subject Alternative Name) fields, such as the email field. This way, the application or system that checks this certificate can verify that this is a certificate that was issued for this specific user.
On the other hand, a computer/device certificate may have the device ID or another unique identifier of the device in the Subject field or in one of the SAN fields, such as the DNS name. This way, the application or system that checks this certificate can verify that it was issued for the specific device, and not for an individual user.
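The following PowerShell script is an added example, not part of the Portnox documentation or of AgentP. It lists the Personal ("My") container of both the computer store and the current user's store and classifies each certificate as a user or computer certificate from what it carries (e-mail address or UPN in the SAN versus a DNS name), not from the store it sits in. It also reports whether the certificate has a private key and the Client Authentication EKU, since a certificate lacking either cannot be used for EAP-TLS. The -IssuerFilter parameter is an assumption: replace the wildcard with your issuing CA's name to narrow the listing.

```powershell
# Added example, not part of the Portnox documentation or of AgentP itself.
# Inventories the computer and current-user Personal stores and classifies each
# certificate by its Subject/SAN contents. Assumption: -IssuerFilter is a wildcard
# for your issuing CA's name; the default "*" shows every certificate.

function Get-SanText {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.17 is Subject Alternative Name. Format($true) renders entries such as
    # "RFC822 Name=kosh@vorlon.com", "DNS Name=sigma957.vorlon.com" or
    # "Other Name: Principal Name=kosh@vorlon.com" (a UPN).
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if ($ext) { $ext.Format($true) } else { '' }
}

function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # EAP-TLS requires the Client Authentication EKU (1.3.6.1.5.5.7.3.2); the supplicant
    # skips a certificate without it even when it sits in the right store.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    if (-not $eku) { return $false }
    [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
}

function Get-CertKind {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = Get-SanText -Cert $Cert
    # A mailbox or UPN identifies a person: user certificate.
    if ($san -match 'RFC822 Name=' -or $san -match 'Principal Name=' -or $Cert.Subject -match '(^|, )E=') {
        return 'user'
    }
    # A host name identifies a device: computer certificate.
    if ($san -match 'DNS Name=') { return 'computer' }
    return 'unknown'
}

function Get-CertStoreInventory {
    param([string]$IssuerFilter = '*')
    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
        # Cert:\CurrentUser is the store of the account running this script; another
        # user's store is not reachable from here, which is the isolation described above.
        Get-ChildItem -Path $store | Where-Object { $_.Issuer -like $IssuerFilter } | ForEach-Object {
            $sanLines = (Get-SanText -Cert $_) -split "`r?`n" | Where-Object { $_.Trim() }
            [pscustomobject]@{
                Store      = $store
                Kind       = Get-CertKind -Cert $_
                Subject    = $_.Subject
                SAN        = ($sanLines | ForEach-Object { $_.Trim() }) -join '; '
                ClientAuth = Test-ClientAuthEku -Cert $_
                PrivateKey = $_.HasPrivateKey
                NotAfter   = $_.NotAfter
                Thumbprint = $_.Thumbprint
            }
        }
    }
}

# Usage: run as the user whose store you want to inspect.
Get-CertStoreInventory -IssuerFilter '*' |
    Format-Table Store, Kind, Subject, SAN, ClientAuth, PrivateKey, NotAfter -AutoSize
```

Run it once as each user of a shared computer: the LocalMachine rows are the same for everyone, while the CurrentUser rows change with the logged-in account, which is the difference between the two stores that the rest of this topic builds on.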
How does AgentP use computer and user certificates?
On Windows, AgentP that was installed in unattended mode can configure Windows to authenticate users and/or computers by using one of four operating modes, depending on the following settings:
- Enable AgentP Multi-User: Turns the multi-user mode on or off.
- Install computer certificate: Controls whether the computer keeps using the last user's certificate after logout or uses a dedicated computer certificate.
- 802.1X authentication mode: Controls which Windows certificate store is used to authenticate users and computers.
The four modes are as follows:
- Single-user mode
(Recommended for computers with a single user that do not need to maintain secure network access when the user is logged out)
This mode is achieved by using the following settings:
- Enable AgentP Multi-User: ☐;
- Install computer certificate: ☐;
- 802.1X authentication mode: User authentication only
Network access is based only on user certificates from the user certificate store, so when the user logs out, the computer loses access to the secure network. The NAS then falls back to MAB (MAC Authentication Bypass) for the device's MAC address; if MAB also fails, the computer needs another network (for example, a guest SSID) to stay connected so that a different user can sign in and onboard.
- User-based multi-user mode
(Recommended for computers with a single user that need to maintain secure network access when the user is logged out)
This mode is achieved by using the following settings:
- Enable AgentP Multi-User: ☑
- Install computer certificate: ☐;
- 802.1X authentication mode: User or computer authentication (Recommended)
Network access is based on user certificates only, because no dedicated computer certificate is installed: while a user is logged in, the adapter uses that user's certificate from the user store, and a copy of the most recently logged-in user's certificate is kept in the computer store. This means that when the user logs out, the computer keeps access to the network with the credentials of the last user that was logged in (using the copy of that user's certificate from the computer store).
Note: This is the default mode if Portnox Cloud uses a repository that doesn't support computer accounts (such as Google Workspace and Okta Workforce Identity), or if your tenant was created before March 18, 2024.
Example: The tenant Vorlon is integrated with Google Workspace.
- The user Kosh (kosh@vorlon.com) logs in to the computer (for the first time).
- Since this is the first-ever log-in, Kosh has no access to the secure network, so he connects to a guest SSID.
- Kosh onboards AgentP using their Google Workspace credentials.
- AgentP installs Kosh’s user certificate.
- The computer now has secure network access with Kosh’s privileges.
- Kosh logs out of the computer. The computer, in the background, still has secure network access with Kosh's privileges (using his user certificate from the computer store).
- The user Ulkesh (ulkesh@vorlon.com) logs in to the same computer (for the first time).
- Ulkesh has no access to the secure network, so he connects to a guest SSID.
- Ulkesh onboards AgentP using their Google Workspace credentials.
- AgentP installs Ulkesh’s user certificate.
- The computer now has secure network access with Ulkesh’s privileges.
- Ulkesh logs out of the computer. The computer still has network access in the background with Ulkesh's privileges (using his user certificate from the computer store).
- Kosh logs back in to the computer. The computer still has network access in the background with Ulkesh's privileges, so AgentP can re-enroll Kosh and immediately reconnect to the network using Kosh's privileges.
- Multi-user mode
(Recommended for most implementations)
This mode is achieved by using the following settings:
- Enable AgentP Multi-User: ☑
- Install computer certificate: ☑
- 802.1X authentication mode: User or computer authentication (Recommended)
Network access will be based on the user certificate of the logged-in user (from the user store), and when no user is logged in, on the computer certificate (from the computer store).
Note: Multi-user mode only applies when AgentP is installed in unattended (auto-enroll) scenarios. Enabling multi-user does not alter certificate distribution or impact devices already enrolled in single-user mode. Existing single-user devices continue to function as before, while new or reactivated devices can take advantage of multi-user behavior.
Note: This is the default mode if Portnox Cloud uses a repository that integrates with the Windows operating system (Microsoft Entra ID or Active Directory), and the tenant was created after March 18, 2024.
Example: The tenant Vorlon is integrated with Microsoft Entra ID.
- The user Kosh (kosh@vorlon.com) logs in to the computer with their Entra ID credentials (for the first time).
- Since this is the first-ever log-in, Kosh has no access to the secure network, so he connects to a guest SSID.
- AgentP automatically onboards Kosh on the basis of the logged-in Entra ID identity.
- AgentP installs Kosh’s user certificate in the user store and the computer’s certificate in the computer store. Then, it connects to the network with Kosh’s user certificate.
- The computer now has secure network access with Kosh’s privileges.
- Kosh logs out of the computer. The computer still has network access in the background with privileges based on the computer certificate installed earlier.
- The user Ulkesh (ulkesh@vorlon.com) logs in to the same computer with their Entra ID credentials (for the first time).
- Since this is the first-ever log-in, Ulkesh has no access to the secure network, so he connects to a guest SSID.
- AgentP automatically onboards Ulkesh on the basis of the logged-in Entra ID identity.
- AgentP installs Ulkesh’s user certificate in the user store and connects to the network using this certificate.
- The computer now has secure network access with Ulkesh’s privileges.
- Ulkesh logs out of the computer. The computer still has network access in the background with privileges based on the computer certificate installed earlier.
Important: Because of how Windows handles certificates in the user and computer stores, a network adapter set to User or computer authentication does not use a certificate from the computer store while a user is logged in. So when a new user logs in to the device for the first time and tries to onboard with AgentP, that user has no user certificate yet and the computer certificate is not used, which leaves the device with no certificate to authenticate the user on the network.
There are two workarounds to this problem:
Option 1: Quarantine VLAN
- Create a quarantine VLAN on the NAS device and configure Portnox Cloud so that users who fail network authentication still have access to the Internet, or only to specific FQDNs, as listed here: How to set up the firewall for AgentP to connect to Cloud.
- Ask the new user to try to connect to the corporate network on the device. The device will be placed in this quarantine VLAN, but AgentP will have access to the Internet or to Portnox Cloud servers only, so it will be able to onboard the new user.
- After AgentP is onboarded, ask the new user to disconnect from the corporate network and connect again. The device now has the user certificate, so it will authenticate with the network and will no longer be placed in the quarantine VLAN.
Option 2: Guest network
- Ask the new user to connect to the company guest network. AgentP will have access to the Internet, so it will be able to onboard the new user.
- After AgentP is onboarded, ask the new user to disconnect from the guest network and connect to the corporate network. The device now has the user certificate, so it will authenticate with the network.
Important: Remember that both the user account and the computer account must belong to the appropriate Portnox Cloud groups that control network access. If you use this mode, make sure the computer accounts are also assigned to a correctly configured group that allows network access.
- Kiosk mode
(Recommended for kiosk computers only with no dedicated users)
Network access will be based only on the certificate from the computer store. Certificates in the user stores will be ignored.
Note: This mode does not require any specific settings in Portnox Cloud, and it must be activated manually by configuring AgentP. It is only available if Portnox Cloud uses a repository that supports computer accounts (Microsoft Entra ID or Active Directory).
Example: The tenant Vorlon is integrated with Microsoft Entra ID.
The computer Sigma957 is a kiosk machine.
- An administrator signs in (or performs this process via Intune), installs AgentP in unattended kiosk mode, and onboards the device.
- During onboarding, AgentP installs the administrator’s user certificate into the user certificate store and the computer’s certificate sigma957.vorlon.com into the computer certificate store.
- The administrator configures Windows into Assigned Access (kiosk) mode using a dedicated local standard user account. Then, the administrator signs out. Because the administrator's user certificate is in the user store, and the administrator is logged out, that certificate is no longer accessible for network authentication.
- A kiosk user signs in to the local kiosk account (the Assigned Access user account) from the Windows logon screen.
- Sigma957 connects to the network using the computer certificate from the computer store. In kiosk mode, only the computer store certificate is used; any certificates in the user store are ignored by AgentP and the operating system.
What certificates does AgentP install?
Regardless of which mode you choose, AgentP prepares the computer for all operating modes and installs certificates in both the computer store and the user store:
- If you created your tenant on March 18, 2024 or later, or you turned on the Install computer certificate option, and your tenant is integrated with Active Directory or Entra ID, AgentP installs the following certificates:
  - A user certificate in the user certificate store. In single-user mode, AgentP installs this certificate only once, during enrollment. In multi-user mode, it installs the current user's certificate in the user store every time a new user logs in. In kiosk mode, it installs this certificate during enrollment but never uses it.
  - A computer certificate in the computer certificate store. In multi-user mode, the network adapter uses this certificate to keep network access when no user is logged in.
- If you created your tenant on March 17, 2024 or earlier, you turned off the Install computer certificate option, or your tenant is integrated with a non-Microsoft authentication repository, AgentP installs the following certificates:
  - A user certificate in the user certificate store, with the same per-mode behavior as above (once during enrollment in single-user mode, at every new login in multi-user mode, installed but never used in kiosk mode).
  - A copy of the currently logged-in user's certificate in the computer certificate store. In user-based multi-user mode, the network adapter uses this copy of the last logged-in user's certificate to keep network access when no user is logged in.
What is the 802.1X authentication mode setting?
When you configure a group in Portnox Cloud, you come across a setting called 802.1X authentication mode, which has three options.
These options let you decide how AgentP configures the network adapter when connecting to the secure network:
Computer authentication only: AgentP configures the network adapter to always use the certificate from the computer store. This means that the network adapter will use the same certificate when there is no logged-in user, and when a user is logged in, independent of what user is logged in.
User authentication only: AgentP configures the network adapter to use the certificate from the user store only. This means that when there is no logged-in user, the computer will not be able to access the networks protected by Portnox Cloud. When a user is logged in, the network adapter will use the certificate of the logged-in user.
User or computer authentication (Recommended): AgentP configures the network adapter to use the certificate from the computer store when there is no logged-in user, and a certificate from the user store when a user is logged in. You can also use this setting for personal devices and for kiosk devices. This lets you switch between different modes of operation without the need to reconfigure Portnox Cloud.
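The following PowerShell script is an added example, not Portnox's own tooling. It reads the authMode of a Windows Wi-Fi 802.1X profile (the OneX element that corresponds to the group's 802.1X authentication mode: machine, user, or machineOrUser) and compares it with what the two stores hold for the current login state, so it reproduces the first-login failure described in the Important note above (a logged-in user without a user certificate, an adapter in User or computer mode, and a computer certificate that Windows will not use until nobody is logged in). Assumptions: -ProfileName is the name of your Wi-Fi profile (for a wired profile use netsh lan instead), -IssuerFilter is a wildcard for your CA, and the script runs inside the session of the user being evaluated.

```powershell
# Added example, not part of the Portnox documentation or of AgentP.
# Exports a Wi-Fi profile with netsh, reads its OneX authMode, and reports which
# certificate the adapter can use in the current login state.
# Assumptions: -ProfileName is your Wi-Fi profile name; -IssuerFilter is a wildcard
# for your issuing CA (default "*"); run as the user you want to evaluate.

function Get-OneXAuthMode {
    param([Parameter(Mandatory)][string]$ProfileName)
    $dir = Join-Path $env:TEMP ('onex-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        # netsh writes "Wi-Fi-<ProfileName>.xml" into the folder.
        & netsh.exe wlan export profile name="$ProfileName" folder="$dir" | Out-Null
        $file = Get-ChildItem -Path $dir -Filter '*.xml' | Select-Object -First 1
        if (-not $file) {
            throw "Profile '$ProfileName' was not exported; check the name with 'netsh wlan show profiles'."
        }
        [xml]$doc = Get-Content -Path $file.FullName -Raw
        $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
        $ns.AddNamespace('onex', 'http://www.microsoft.com/networking/OneX/v1')
        $node = $doc.SelectSingleNode('//onex:OneX/onex:authMode', $ns)
        # machine = Computer authentication only, user = User authentication only,
        # machineOrUser = User or computer authentication (the schema default when absent).
        if ($node) { $node.InnerText } else { 'machineOrUser' }
    } finally {
        Remove-Item -Path $dir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

function Test-AgentPAuthReadiness {
    param([Parameter(Mandatory)][string]$ProfileName, [string]$IssuerFilter = '*')
    $authMode = Get-OneXAuthMode -ProfileName $ProfileName
    # Only certificates with a private key and not yet expired are usable for EAP-TLS.
    $userCerts = @(Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -like $IssuerFilter -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) })
    $machineCerts = @(Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like $IssuerFilter -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) })
    # This script runs in an interactive session, so "a user is logged in" is the state
    # being evaluated; the no-user branch is what happens at the logon screen.
    $verdict = switch ($authMode) {
        'machine' {
            if ($machineCerts) { 'OK: computer certificate is used whether or not a user is logged in' }
            else { 'FAIL: no usable computer certificate in LocalMachine\My' }
        }
        'user' {
            if ($userCerts) { 'OK: user certificate is used now; access drops at logout' }
            else { 'FAIL: no usable user certificate in CurrentUser\My' }
        }
        'machineOrUser' {
            if ($userCerts) { 'OK: user certificate while logged in, computer certificate at the logon screen' }
            elseif ($machineCerts) { 'FAIL (first-login case): user logged in without a user certificate; Windows will not fall back to the computer certificate. Onboard via the quarantine VLAN or the guest network.' }
            else { 'FAIL: no usable certificate in either store' }
        }
        default { "Unknown authMode '$authMode'" }
    }
    [pscustomobject]@{
        Profile       = $ProfileName
        AuthMode      = $authMode
        UserCerts     = $userCerts.Count
        ComputerCerts = $machineCerts.Count
        Verdict       = $verdict
    }
}

# Usage (profile name is a placeholder):
Test-AgentPAuthReadiness -ProfileName 'Corp-Secure' -IssuerFilter '*' | Format-List
```

Run it as the newly logged-in user on a shared computer: a machineOrUser profile with ComputerCerts greater than zero and UserCerts equal to zero is exactly the state in which the device cannot authenticate until AgentP has onboarded that user through the quarantine VLAN or the guest network.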