topic Re: Implementing wired access control by certificate based authenticat in Network Access Control

Implementing wired access control by certificate based authentication

CasualUser01 — Wed, 06 Apr 2022 09:55:24 GMT

Hello everyone,

in our company i would like to implement ciscoISE for the wired access control with certificate based authentication. My goal in the end is, that all clients who don't have the certificate of our CiscoISE Server only get a default VLAN with internet access only. For all the clients who have the certificate are granted with normal employee VLAN. A Catalyst Switch will be used as the authenticator in this example. I already read the "Cisco ISE Secure Wired Access Prescriptive Deployment Guide" but got a bit confused because i don't actually know what steps i need to follow in the guide and what steps would be unnecessary, for reaching my end goal. Any help would be appreciated. 🙂 🙂

Kind regards

CasualUser01

Re: Implementing wired access control by certificate based authenticat

Mike.Cifelli — Wed, 06 Apr 2022 13:01:34 GMT

I already read the "Cisco ISE Secure Wired Access Prescriptive Deployment Guide" but got a bit confused because i don't actually know what steps i need to follow in the guide and what steps would be unnecessary

-That guide will definitely assist with your journey and will hit on each component in the workflow. Here are some (not all) items of consideration for design/deployment:

--What types of clients are in the environment? For Windows based, will you use native supplicant or NAM?

--If using NAM, how will you deploy the AC modules to support this + respective profiles?

--If using Native, best bet is to rely on GPOs to push settings

--For certificate based authentication, are you talking about onboarding only computers via certs or do you want to perform user + computer cert auth; if both, you will need to research and look into eap-chaining; eap-chaining can be accomplished with EAP-FAST (NAM supplicant) OR with later versions of ISE + Windows EAP-TEAP (native supp)

--How will clients enroll for identity certs? Does your enterprise have an internal PKI? If so, ADCS and GPOs for auto-enrollment will help make things simpler

--What type of external identity source will be in use? AD?

--Are there clients in the environment that will require mab? Example, printers with no supp, etc. You will need ISE local endpoint groups to help here

I would recommend reviewing it again, reaching out to your Cisco reps for help, and checking online for tutorials (youtube/labminutes).

Here are additional docs that may help:

Cisco ISE & NAC Resources - Cisco Community

HTH!

Re: Implementing wired access control by certificate based authenticat

Flavio Miranda — Wed, 06 Apr 2022 13:03:41 GMT

First step is perform an assessment on your network. Not all switches works with 802.1x. Also, you need to install clients certificates and this is not an easy task sometimes.

Re: Implementing wired access control by certificate based authenticat

CasualUser01 — Wed, 06 Apr 2022 13:22:40 GMT

Hi Mike,

thank you for your detailed answer!

--What types of clients are in the environment? For Windows based, will you use native supplicant or NAM?

It will be for Windows clients only for now and I will use native supplicant for that

--If using Native, best bet is to rely on GPOs to push settings

This sound good, as we are using an Active Directory as the external identity source

--For certificate based authentication, are you talking about onboarding only computers via certs or do you want to perform user ...

Exactly, i only want to onboard computers via certs and if they don´t have a cert, then just give them guest access in form of a specific VLAN (Internet access only)

--How will clients enroll for identity certs? Does your enterprise have an internal PKI? If so, ADCS and GPOs for auto-enrollment will help make things simpler VLAN (Internet only)

We don´t have an internal PKI yet, i thought that the we could roll out the machine certificates from the CISCO ISE server.

--Are there clients in the environment that will require mab?

There will be no clients which will need mab. Only Computers such as Notebooks.

Kind regards

Re: Implementing wired access control by certificate based authenticat

CasualUser01 — Wed, 06 Apr 2022 13:25:24 GMT

yea we will use a switch that is capable of 802.1x but the hard part will be installing and rolling out the client certificates as you said. I currently don´t know how it´s done with using the cisco ise. Any suggestions on how to implement it?

Re: Implementing wired access control by certificate based authenticat

Flavio Miranda — Wed, 06 Apr 2022 13:55:47 GMT

There are some option here. You can do this by running a GPO to push the certicate to the machines. This is the most usuall.

But this is usually EUC job. You can refer to the link:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy

Re: Implementing wired access control by certificate based authenticat

Charlie Moreton — Wed, 06 Apr 2022 13:56:39 GMT

Use your AD Domain Controller to push the certs to the computers via GPO. Once that is configured and you log in to the machine, the GPO will download the cert (can force it using gpupdate /force on the PC). Once you reboot, the cert can be used for authentication.

You can find good resources here for ISE and Active Directory integration:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216120-ise-security-ecosystem-integration-guide.html#anc78

Re: Implementing wired access control by certificate based authenticat

thomas — Thu, 07 Apr 2022 14:37:36 GMT

See https://cs.co/ise-guides#EAP

Re: Implementing wired access control by certificate based authenticat

CasualUser01 — Thu, 07 Apr 2022 21:29:12 GMT

Hi Charlie,

thanks for your reply. After some research i found out that our company already has a root CA Certificate inside our Active Directory and it also assigns signed certificates to the clients, after they join our domain. My question would be if i can import that trusted root CA certificate of the AD to the ise server. Then my idea would be to use the already assigned machine certificates for the authentication against the ISE server. Is this somehow possible to do? It would be pretty good because then i would not have to create new Certificates for the clients.

kind regards

Re: Implementing wired access control by certificate based authenticat

Charlie Moreton — Thu, 07 Apr 2022 23:12:53 GMT

Yes. Configure EAP-TLS Authentication with ISE this is the doc to read and will show what needs to be done.