https://community.cisco.com/t5/network-access-control/ise-and-eap-tls-eap-md5/m-p/2991451#M38456 <P>Dear all,</P> <P>&nbsp;</P> <P>I've issue with Cisco ISE 2.0.1.130.</P> <P>All computers are joined to the Active Direcory domain (2008 2), and I make authentication for all devices (Cisco IP phones and Windows computers and for printers).</P> <P>&nbsp;</P> <P>I’ve issue with Cisco ISE because I’ve 3 rules on my authentication policy :</P> <UL style="list-style-type: circle;"> <LI>Printers : MAB</LI> <LI>IP Phones : EAP-MD5</LI> <LI>Computers : EAP-TLS</LI> </UL> <P>&nbsp;</P> <P><BR /> My problem is that when I add rules EAP-MD5 + EAP-TLS it’s not working:</P> <UL style="list-style-type: circle;"> <LI>EAP-MD5 at the first and EAP-TLS at the second place</LI> </UL> <P>Result: my IP phones are working but my computers are not working because <SPAN>my computers try to authenticate with eap-md5 and not eap-tls</SPAN></P> <P>&nbsp;</P> <UL style="list-style-type: circle;"> <LI>EAP-TLS at the first and EAP-MD5 at the second place</LI> </UL> <P>Result: my IP phones are not working but my computers are working because <SPAN>my IP Phones try to authenticate with eap-tls and not eap-md5.</SPAN></P> <P><SPAN><BR /><SPAN class="file"></SPAN></SPAN></P> <P><SPAN>My rules :</SPAN></P> <UL style="list-style-type: circle;"> <LI><SPAN>EAP-MD5-CiscoPhones =&gt; Wired_802.1X =&gt; Allowed protocol : EAP-MD5 =&gt; internal Users</SPAN></LI> <LI><SPAN>EAP-TLS CiscoPhones =&gt; Wired_802.1X =&gt; Allowed protocol : EAP-TLS =&gt; Authentication with Certificate in AD</SPAN></LI> </UL> <P><SPAN><SPAN class="file"><A href="https://supportforums.cisco.com/sites/default/files/attachments/discussion/authentication_policy_0.jpg" type="image/jpeg; length=72664" target="_blank">authentication_policy.jpg</A></SPAN></SPAN></P> <P><SPAN><SPAN class="file"><IMG src="https://community.cisco.com/legacyfs/online/attachments/discussion/authentication_policy_1.jpg" alt="authentication policy" width="1214" height="473" /></SPAN></SPAN></P> <P><SPAN><SPAN class="file"></SPAN></SPAN></P> <P>And the result :</P> <P><SPAN class="file"><A href="https://supportforums.cisco.com/sites/default/files/attachments/discussion/result.jpg" type="image/jpeg; length=53501" target="_blank">result.jpg</A></SPAN></P> <P><SPAN class="file"><IMG src="https://community.cisco.com/legacyfs/online/attachments/discussion/result_0.jpg" alt="result" width="1201" height="168" /></SPAN></P> <P><SPAN class="file"></SPAN></P> <P><SPAN class="file">As you can see the computer is not authenticated and not used EAP-TLS.</SPAN></P> <P><SPAN class="file"></SPAN></P> <P><SPAN class="file">Have you any idea to solved the issue ?</SPAN></P> <P><SPAN class="file"></SPAN></P> <P><SPAN class="file">Thanks in advance for your help.</SPAN></P> <P><SPAN class="file"></SPAN></P> <P><SPAN class="file">Best regard</SPAN></P> Mon, 11 Mar 2019 07:03:24 GMT support-reseaux-filiales 2019-03-11T07:03:24Z https://community.cisco.com/t5/network-access-control/ise-and-eap-tls-eap-md5/m-p/2991451#M38456 <P>Dear all,</P> <P>&nbsp;</P> <P>I've issue with Cisco ISE 2.0.1.130.</P> <P>All computers are joined to the Active Direcory domain (2008 2), and I make authentication for all devices (Cisco IP phones and Windows computers and for printers).</P> <P>&nbsp;</P> <P>I’ve issue with Cisco ISE because I’ve 3 rules on my authentication policy :</P> <UL style="list-style-type: circle;"> <LI>Printers : MAB</LI> <LI>IP Phones : EAP-MD5</LI> <LI>Computers : EAP-TLS</LI> </UL> <P>&nbsp;</P> <P><BR /> My problem is that when I add rules EAP-MD5 + EAP-TLS it’s not working:</P> <UL style="list-style-type: circle;"> <LI>EAP-MD5 at the first and EAP-TLS at the second place</LI> </UL> <P>Result: my IP phones are working but my computers are not working because <SPAN>my computers try to authenticate with eap-md5 and not eap-tls</SPAN></P> <P>&nbsp;</P> <UL style="list-style-type: circle;"> <LI>EAP-TLS at the first and EAP-MD5 at the second place</LI> </UL> <P>Result: my IP phones are not working but my computers are working because <SPAN>my IP Phones try to authenticate with eap-tls and not eap-md5.</SPAN></P> <P><SPAN><BR /><SPAN class="file"></SPAN></SPAN></P> <P><SPAN>My rules :</SPAN></P> <UL style="list-style-type: circle;"> <LI><SPAN>EAP-MD5-CiscoPhones =&gt; Wired_802.1X =&gt; Allowed protocol : EAP-MD5 =&gt; internal Users</SPAN></LI> <LI><SPAN>EAP-TLS CiscoPhones =&gt; Wired_802.1X =&gt; Allowed protocol : EAP-TLS =&gt; Authentication with Certificate in AD</SPAN></LI> </UL> <P><SPAN><SPAN class="file"><A href="https://supportforums.cisco.com/sites/default/files/attachments/discussion/authentication_policy_0.jpg" type="image/jpeg; length=72664" target="_blank">authentication_policy.jpg</A></SPAN></SPAN></P> <P><SPAN><SPAN class="file"><IMG src="https://community.cisco.com/legacyfs/online/attachments/discussion/authentication_policy_1.jpg" alt="authentication policy" width="1214" height="473" /></SPAN></SPAN></P> <P><SPAN><SPAN class="file"></SPAN></SPAN></P> <P>And the result :</P> <P><SPAN class="file"><A href="https://supportforums.cisco.com/sites/default/files/attachments/discussion/result.jpg" type="image/jpeg; length=53501" target="_blank">result.jpg</A></SPAN></P> <P><SPAN class="file"><IMG src="https://community.cisco.com/legacyfs/online/attachments/discussion/result_0.jpg" alt="result" width="1201" height="168" /></SPAN></P> <P><SPAN class="file"></SPAN></P> <P><SPAN class="file">As you can see the computer is not authenticated and not used EAP-TLS.</SPAN></P> <P><SPAN class="file"></SPAN></P> <P><SPAN class="file">Have you any idea to solved the issue ?</SPAN></P> <P><SPAN class="file"></SPAN></P> <P><SPAN class="file">Thanks in advance for your help.</SPAN></P> <P><SPAN class="file"></SPAN></P> <P><SPAN class="file">Best regard</SPAN></P> Mon, 11 Mar 2019 07:03:24 GMT https://community.cisco.com/t5/network-access-control/ise-and-eap-tls-eap-md5/m-p/2991451#M38456 support-reseaux-filiales 2019-03-11T07:03:24Z https://community.cisco.com/t5/network-access-control/ise-and-eap-tls-eap-md5/m-p/2991452#M38458 <P>Your computers are ending up in the phone authentication rule, because you only use wired_dot1x as your condition for what will matche the rule. Instead you need to have one authentication rule, and then allow both EAP-MD5 and EAP-TLS in that rule, then use a identity source sequence, to select the identity stores you wan't to look in (internal user, ad, and so on). The Allowed protocols setting is not used to select the rule its the result of the conditions.</P> Sat, 03 Sep 2016 18:48:14 GMT https://community.cisco.com/t5/network-access-control/ise-and-eap-tls-eap-md5/m-p/2991452#M38458 jan.nielsen 2016-09-03T18:48:14Z https://community.cisco.com/t5/network-access-control/ise-and-eap-tls-eap-md5/m-p/2991453#M38460 <P>Hello,</P> <P></P> <P>thanks i just add an radius attribute on my Authentication Compound Conditions .</P> <P></P> <P>Thnaks again.</P> Mon, 05 Sep 2016 13:04:41 GMT https://community.cisco.com/t5/network-access-control/ise-and-eap-tls-eap-md5/m-p/2991453#M38460 support-reseaux-filiales 2016-09-05T13:04:41Z