AgentP and certificates

In this topic, you will learn what certificates AgentP installs on Windows computers in its different operating modes.

What is the computer certificate store and the user certificate store?

There are two places where a Windows system stores certificates: the computer certificate store (managed using the Manage computer certificates control panel) and the user certificate store (managed using the Manage user certificates control panel). The computer certificate store is accessible as soon as the operating system is running, even when there is no logged-in user. The user certificate store is accessible for the specific logged-in user. For example, if the user kosh is logged in, neither this user nor the operating system can access the certificates in the user certificate store that belongs to the user ulkesh, or the other way around.

This gives two ways of authenticating the endpoint on a network. A certificate from the computer store guarantees that this is a specific device (for example, a company device). A certificate from the user store guarantees that a specific user is logged on to this device and lets you adjust network access depending on the privileges of that user.

What are computer certificates and user certificates?

In addition to the two different certificate stores, there are also two common names used to describe the types of certificates: user certificates and computer certificates (or device certificates). These names apply not to the store where the certificate is located, but rather to the information that is in the certificate.

For example, a user certificate may have the user’s email address in the Subject field, or in one of the SAN (Subject Alternative Name) fields, such as the email field. This way, the application or system that checks this certificate can verify that this is a certificate that was issued for this specific user.

On the other hand, a computer/device certificate may have the device ID or another unique identifier of the device in the Subject field or one of the SAN fields, such as the Distinguished Name. This way, the application or system that checks this certificate can verify that this certificate was issued for the specific device, and not an individual user.

Note: While the computer certificate store is primarily for computer certificates, and the user certificate store is for user certificates, there is no limitation as to the types of certificates in each store. You can have user certificates in the computer store and computer certificates in the user store.

How does AgentP use computer and user certificates?

On Windows, AgentP can run in one of three operating modes:

  • Single-user mode: Network access will be based on user certificates only (from the user store and the computer store) because no computer certificates are available. This means that when the user logs out, the computer maintains access to the network with the credentials of the last user that was logged in (using the certificate of that user).

    Note: This is the default mode if Portnox Cloud uses a repository that doesn’t support computer accounts (such as Google Workspace and Okta Workforce Identity), or if your tenant was created before March 18, 2024 (see below).

    Example: The tenant Vorlon is integrated with Google Workspace.

    1. The user Kosh (kosh@vorlon.com) logs in to the computer (for the first time).
      1. Kosh has no access to the secure network, so he connects to a guest SSID.
      2. Kosh onboards AgentP using their Google Workspace credentials.
      3. AgentP installs Kosh’s user certificate.
      4. The computer now has secure network access with Kosh’s privileges.

    2. Kosh logs out of the computer. The computer, in the background, still has secure network access with Kosh’s privileges (using his user certificate from the computer store).

    3. The user Ulkesh (ulkesh@vorlon.com) logs in to the same computer (for the first time).
      1. Ulkesh has no access to the secure network, so he connects to a guest SSID.
      2. Ulkesh onboards AgentP using their Google Workspace credentials.
      3. AgentP installs Ulkesh’s user certificate.
      4. The computer now has secure network access with Ulkesh’s privileges.

    4. Ulkesh logs out of the computer. The computer still has network access in the background with Ulkesh’s privileges (using his user certificate from the computer store).

  • Multi-user mode: Network access will be based on the user certificate of the logged-in user (from the user store), and when no user is logged in, on the computer certificate (from the computer store).

    Note: This is the default mode if Portnox Cloud uses a repository that integrates with the Windows operating system (Microsoft Azure/Entra ID or Active Directory), and the tenant was created after March 18, 2024 (see below).

    Example: The tenant Vorlon is integrated with Microsoft Azure (Entra ID).

    1. The user Kosh (kosh@vorlon.com) logs in to the computer with their Entra ID credentials.
      1. Microsoft Intune automatically installs AgentP and onboards it using the credentials that Kosh used to log in to the computer.
      2. AgentP installs Kosh’s user certificate in the user store and the computer certificate in the computer store.
      3. The computer now has secure network access with Kosh’s privileges.

    2. Kosh logs out of the computer. The computer still has network access in the background with privileges based on the computer certificate installed earlier.

    3. The user Ulkesh (ulkesh@vorlon.com) logs in to the same computer with their Entra ID credentials.
      1. Microsoft Intune automatically onboards AgentP using the credentials that Ulkesh used to log in to the computer.
      2. AgentP installs Ulkesh’s user certificate in the user store.
      3. The computer now has secure network access with Ulkesh’s privileges.

    4. Ulkesh logs out of the computer. The computer still has network access in the background with privileges based on the computer certificate installed earlier.

  • Kiosk mode: Network access will be based only on the certificate from the computer store. Certificates in the user stores will be ignored.

    Note: This mode must be activated manually. It is only available if Portnox Cloud uses a repository that supports computer accounts (Microsoft Azure/Entra ID or Active Directory)

    Example: The tenant Vorlon is integrated with Microsoft Azure (Entra ID).

    1. The computer Sigma957 is a kiosk computer.
      1. The administrator logs in to the computer with the administrator account, installs AgentP, and onboards it using their own Entra ID credentials.
      2. AgentP installs the administrator’s user certificate in the user store and the computer’s (sigma957.vorlon.com) certificate in the computer store.

    2. The administrator switches AgentP to kiosk mode and logs out of the computer. Since the administrator is logged out, their user certificate is no longer accessible.

    3. The administrator logs in the local kiosk account.

    4. Sigma937 now has network access with privileges based on the computer certificate installed earlier.

What certificates does AgentP install?

Independent on which mode you choose, AgentP prepares the computer for all operating modes and installs certificates in the computer store and the user store:

  • If you created your tenant on March 18, 2024 or later and if your tenant is integrated with Active Directory or Azure, AgentP installs the following certificates:

    • A user certificate in the user certificate store. If AgentP is running in the single-user mode, it installs this certificate only once, during enrollment. If AgentP is running in the multi-user mode, it installs the current user’s certificate in the user store every time a new user logs in. If AgentP is running in the kiosk mode, it installs this certificate during enrollment but never uses it.

    • A computer certificate in the computer certificate store. This certificate can be used in multi-user mode by the network adapter when no user is logged in to maintain Internet access so that AgentP can connect to the Portnox Cloud when another user logs in and obtain information necessary to onboard that user.

  • If you created your tenant on March 17, 2024 or earlier, or if your tenant is integrated with non-Microsoft authentication repositories, AgentP installs the following certificates:

    • A user certificate in the user certificate store. If AgentP is running in the single-user mode, it installs this certificate only once, during enrollment. If AgentP is running in the multi-user mode, it installs the current user’s certificate in the user store every time a new user logs in. If AgentP is running in the kiosk mode, it installs this certificate during enrollment but never uses it.

    • The currently logged-in user’s certificate in the computer certificate store. This certificate can be used in multi-user mode by the network adapter when no user is logged in to maintain Internet access so that AgentP can connect to the Portnox Cloud when another user logs in and obtain information necessary to onboard that user.

    Note: If you want to use a computer certificate instead (recommended), like the tenants created after March 18, 2024, please open a support ticket and ask us to enable AgentP computer certificates in multi-user mode for your tenant.

What is the 802.1X authentication mode setting?

When you configure a group in Portnox Cloud, you come across a setting called 802.1X authentication mode :

These options let you decide how AgentP configures the network adapter when connecting to the secure network:

  • Computer authentication only: AgentP configures the network adapter to always use the certificate from the computer store. This means that the network adapter will use the same certificate when there is no logged-in user, and when a user is logged in, independent of what user is logged in. This setting should only be used when running AgentP in kiosk mode.

  • User authentication only: AgentP configures the network adapter to use the certificate from the user store only. This means that when there is no logged-in user, the computer will not be able to access the networks protected by Portnox Cloud. When a user is logged in, the network adapter will use the certificate of the logged-in user. This setting should only be used for dedicated company devices used by one person only.

  • User and computer authentication (Recommended): AgentP configures the network adapter to use the certificate from the computer store when there is no logged-in user, and a certificate from the user store when a user is logged in. You can also use this setting for personal devices and for kiosk devices. This lets you switch between different modes of operation without the need to reconfigure Portnox Cloud.

Note: AgentP installs the certificates described above independent on this setting. Even if you, for example, select Computer authentication only, AgentP will still install a user certificate in the user certificate store when you enroll. It will simply not use that certificate when configuring the network adapter.