topic Re: Do not validate authentication, ISE - Policy in Network Access Control

Do not validate authentication, ISE - Policy

nstr1 — Tue, 26 Mar 2019 07:38:20 GMT

in my wired network and with the help of an ISE I have authentication with a trusted certificate. Users authenticate to the certificate with a user and password. Once you do loggin you can surf without problem.

but I have a doubt there is the possibility that those work stations that do not have the certificate installed ignore the certificate, that is, not authenticate ???

Can I do it through a policy in the ISE ???

Re: Do not validate authentication, ISE - Policy

bern81 — Tue, 26 Mar 2019 08:17:11 GMT

Hi Nestor,
Can you be more specific plz.
Users authenticate to the certificate with a user and password (I honestly do not get what do you mean).

Re: Do not validate authentication, ISE - Policy

nstr1 — Tue, 26 Mar 2019 15:12:27 GMT

if, in the laptop a certificate is installed, then when the computer starts a pop-up is immediately displayed and authentication is requested and the user must enter a user and password

Re: Do not validate authentication, ISE - Policy

bern81 — Thu, 28 Mar 2019 13:07:03 GMT

In that case the certificate is not involved (no eap-tls).

In your case it is PEAP (EAP-MSCHAPv2) which requires user and pass.

you can create an authentication policy to authenticate the username against AD for example.

and in the authorization policy you can specifiy that if the user is part of an AD group example /employees then apply Dacl, vlan ...