<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ISE - getting user identity using certificate authentication from machine certificates in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/ise-getting-user-identity-using-certificate-authentication-from/m-p/4076899#M560048</link>
    <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532"&gt;@Arne Bier&lt;/a&gt;, I wasn't aware of EasyConnect, but definitely something that would work for us as an alternative. Thanks for the suggestion! Yeah, didn't plan on trying with the Windows supplicant.&lt;/P&gt;</description>
    <pubDate>Thu, 30 Apr 2020 05:33:40 GMT</pubDate>
    <dc:creator>cisco2020</dc:creator>
    <dc:date>2020-04-30T05:33:40Z</dc:date>
    <item>
      <title>ISE - getting user identity using certificate authentication from machine certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-getting-user-identity-using-certificate-authentication-from/m-p/4076455#M560046</link>
      <description>&lt;P&gt;At the moment we are doing EAP-TLS with machine-based certificate authentication. As such, in ISE RADIUS live logs we see the machine name. There is a requirement to do user-based firewall policies on Palo Alto with the RADIUS log information passed from ISE. Since we are using machine certificates, it doesn't seem this will work without switching over to user certificates for EAP-TLS. Is my understanding correct? Or is there a trick to get the user identity information for these types of authentications? I ask because a user will log in to Windows using their AD account, so even though auth is done with the machine certificate, is there a way for ISE to see the Windows login account?&lt;/P&gt;&lt;P&gt;This is what we see in the RADIUS live logs, showing the machine name for identity.&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2020-04-01 at 2.59.33 pm.jpg" style="width: 400px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/73303i4DFB362B8228A97D/image-size/medium?v=v2&amp;amp;px=400" role="button" title="Screen Shot 2020-04-01 at 2.59.33 pm.jpg" alt="Screen Shot 2020-04-01 at 2.59.33 pm.jpg" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 29 Apr 2020 15:49:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-getting-user-identity-using-certificate-authentication-from/m-p/4076455#M560046</guid>
      <dc:creator>cisco2020</dc:creator>
      <dc:date>2020-04-29T15:49:33Z</dc:date>
    </item>
    <item>
      <title>Re: ISE - getting user identity using certificate authentication from machine certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-getting-user-identity-using-certificate-authentication-from/m-p/4076745#M560047</link>
      <description>&lt;P&gt;You are already using 802.1X, but perhaps there is a way to leverage the ISE EasyConnect feature (&lt;A href="https://community.cisco.com/t5/security-documents/ise-easy-connect/ta-p/3638861" target="_self"&gt;read about it here&lt;/A&gt;) to link ISE to AD, and when a user has logged in, a WMI event is sent to ISE (which should also be available as a SYSLOG that your Palo Alto can consume).&lt;/P&gt;
&lt;P&gt;Doing Machine + UserAuth using the native Windows Supplicant is also possible - but it's fraught with issues/limitations about switching between wired/wireless, and machines waking up from sleep, MAR cache, etc. All these issues are apparently resolved with TEAP (Tunneled EAP) - it's available in ISE 2.7 and Windows 10 Insider Preview.&lt;/P&gt;</description>
      <pubDate>Wed, 29 Apr 2020 22:36:53 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-getting-user-identity-using-certificate-authentication-from/m-p/4076745#M560047</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2020-04-29T22:36:53Z</dc:date>
    </item>
    <item>
      <title>Re: ISE - getting user identity using certificate authentication from machine certificates</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-getting-user-identity-using-certificate-authentication-from/m-p/4076899#M560048</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532"&gt;@Arne Bier&lt;/a&gt;, I wasn't aware of EasyConnect, but definitely something that would work for us as an alternative. Thanks for the suggestion! Yeah, didn't plan on trying with the Windows supplicant.&lt;/P&gt;</description>
      <pubDate>Thu, 30 Apr 2020 05:33:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-getting-user-identity-using-certificate-authentication-from/m-p/4076899#M560048</guid>
      <dc:creator>cisco2020</dc:creator>
      <dc:date>2020-04-30T05:33:40Z</dc:date>
    </item>
  </channel>
</rss>

