topic ISE Integration with PEAP (Server side Cert) in Network Access Control

ISE Integration with PEAP (Server side Cert)

dharmendra2shah — Mon, 11 Mar 2019 02:42:15 GMT

All,

We are currently evaluating ISE and I am stuck with the PEAP authentication (with Server side Cert).

Our current setup consists of two 5508 controllers, 30+ access point. For authentication we are using PEAP with (server side Cert). We have an IAS server which is also acting as a CA server.

We are using Cisco’s NAM as a supplicant on Windows XP & 7 workstations.

I would like to use ISE for authentication. I would like to use PEAP with Server side Cert (similar setup like IAS). I want ISE to perform the same function in addition to profiling etc.....

I was able to integrate ISE with Active Directory but could not get it working with PEAP (server side Cert).

Has anyone done this before? If yes then can you share step by step instructions?

I would also like to know if they used Microsoft’s CA server or Open SSL CA server or a third party CA server (Go Daddy, VeriSign etc.)

Can you we ISE as a CA server just the way we used Microsoft’s IAS Server as a CA Server?

Thanks in Advance

ISE Integration with PEAP (Server side Cert)

Tarik Admani — Mon, 22 Oct 2012 02:34:20 GMT

Answers inline:

Our current setup consists of two 5508 controllers, 30+ access point. For authentication we are using PEAP with (server side Cert). We have an IAS server which is also acting as a CA server. IAS and CA are two seperate roles that a windows server can run, just wanted to clear that up, that the IAS services still need a cert imported/signed for it to present a cert for PEAP server side certificate.

We are using Cisco’s NAM as a supplicant on Windows XP & 7 workstations. Good choice much better to control across different platforms

I would like to use ISE for authentication. I would like to use PEAP with Server side Cert (similar setup like IAS). I want ISE to perform the same function in addition to profiling etc.....

I was able to integrate ISE with Active Directory but could not get it working with PEAP (server side Cert). You will need to generate a CSR from the ISE server (Go to Administration > Certificates > Local Server Cert.. > Add > Generate CSR > then go to the CSR container and export your CSR

Has anyone done this before? If yes then can you share step by step instructions? This response should answer your question

I would also like to know if they used Microsoft’s CA server or Open SSL CA server or a third party CA server (Go Daddy, VeriSign etc.) Who is "they" if you are authenticating users within an enterprise where laptops are issues by the corporation then you should save the cost and use your internal CA (windows), if this is a campus environment (BYOD) then you should get a public CA.

Can you we ISE as a CA server just the way we used Microsoft’s IAS Server as a CA Server? No.

Thanks in Advance

Tarik Admani
*Please rate helpful posts*

ISE Integration with PEAP (Server side Cert)

dharmendra2shah — Mon, 22 Oct 2012 04:43:00 GMT

I was able to generate the CSR from ISE. After generating CSR I exported the cert in a temp folder.

I have also installed a Microsoft CA server (windows 2008 R2) so the CA server can issue Cert to ISE. The problem I am having is CSR is in .PEM format and Microsoft does not understand that format. Therefore I used online tools to convert the cert in .DER or PKCS#12. But Microsoft doesn’t like it.

Do you have any suggestions?

ISE Integration with PEAP (Server side Cert)

Tarik Admani — Mon, 22 Oct 2012 05:07:53 GMT

The CSR should be in PEM format, my assumption is that you used the default SHA-256 to generate the request, try using SHA-1 and that should work.

Thanks,

Tarik Admani
*Please rate helpful posts*

Re: ISE Integration with PEAP (Server side Cert)

edondurguti — Mon, 22 Oct 2012 14:51:44 GMT

Cisco recommends using 3rd party software to generate CRS, like openssl I did it and it worked fine.

I used godaddy cert (Go daddy glass 2), which on apple devices comes up as UNVERIFIED, so I don't know what's the point of buying it for PEAP (it does work for http ssl though).

For windows machines that are joined to a workgroup there is still a problem when users try to connect to a SSID,

eventhough you have a root cert as trusted on the machine, it comes up as unverified.

Seems like a windows7 bug, here is an article from windows.

http://support.microsoft.com/kb/2518158

and here

http://support.microsoft.com/kb/295663

Hope it helps.

Re: ISE Integration with PEAP (Server side Cert)

dharmendra2shah — Mon, 22 Oct 2012 19:25:59 GMT

Thanks Tarik !!! Selecting SHA-1 instead of SHA-256 did the trick. One step closer.

Do you have step by step instructions to complete the CSR on Windows 2008 R2. Should we use the GUI method or use the IIS interface?

edondurguti: I am ok to use Open SSL as a CA server and then submit the CSR to open SSL. Do you have written instructions to perform that task?

Re: ISE Integration with PEAP (Server side Cert)

edondurguti — Mon, 22 Oct 2012 19:32:31 GMT

well not exactly but i used parts from here:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

I think you're good with what you done so far.

ISE Integration with PEAP (Server side Cert)

dharmendra2shah — Tue, 23 Oct 2012 19:59:08 GMT

Thanks edondurguti. I ended up submitting my CSR to DegiCert and it worked like a champ.

ISE Integration with PEAP (Server side Cert)

dharmendra2shah — Wed, 31 Oct 2012 17:42:10 GMT

I am unable to do machine and user authentication using PEAP. I am not sure what is wrong with my Authorization policies.

On ISE side it says authenticated (user and machine separately) but on the client side. It says limited or no connectivity.

I am using AnyConnect 3.1 on the client side as a supplicant

ISE version is 1.1.1 with patch 3.

WLC version is 7.2.103.0

Is there a compatibility issue?