topic Re: Non domain computer using EAP-TLS via Machine Certificate in Network Access Control

Non domain computer using EAP-TLS via Machine Certificate

daniel.tanch — Thu, 28 Jul 2022 10:00:31 GMT

Hi,

1) I will like to check and verify is it possible to do EAP-TLS via machine certificate for a non domain join computer? If so how do I go about doing it? The non domain computer will be manually signed by the CA server. As of now, I had a workaround using MAB and it working successfully.

2) Possible to verify that the non domain join computer OS is "Windows" when doing the authentication/authorization? And what are the steps to do it?

Re: Non domain computer using EAP-TLS via Machine Certificate

Mark Elsen — Thu, 28 Jul 2022 12:11:45 GMT

- FYI : https://www.cwnp.com/forums/posts?postNum=300324

Re: Non domain computer using EAP-TLS via Machine Certificate

Rob Ingram — Thu, 28 Jul 2022 12:30:04 GMT

@daniel.tanch yes you can do EAP-TLS on non-domain joined computers. You would manually need to create the Certificate Signing Request (CSR), send this to get signed and import the certificate to the local user certificate store and import the trust root certificates. Or alternatively you could possibly use openssl to generate the CSR, get the certificate signed and create a PKCS12 file and import this to the user certificate store.

You would need ISE profiling to determine the Operating System, what profiling probes do you have enabled - you can learn OS information using DHCP and NMAP probes.

What ISE license level do you have? If using ISE 3.x you'd need the Advantage license to use profiling features.

Re: Non domain computer using EAP-TLS via Machine Certificate

daniel.tanch — Fri, 29 Jul 2022 02:51:58 GMT

Is there any steps/guides on how to do it on the Cisco ISE? I tried and it failed, thus I tried with a join domain computer using machine certificate, everything was working successfully. Is there anyway to verify if it due to the signed cert on the non domain computer that is causing this problem?

Noted on the 2nd point, currently I am using a trial version (3.x) before purchasing the license.

Re: Non domain computer using EAP-TLS via Machine Certificate

daniel.tanch — Mon, 01 Aug 2022 10:24:04 GMT

Hi Rob,

I saw from "https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html", it stated "Active Directory is typically used to support Machine Authentication against the computer account and/or User Authentication against the end-user account in Active Directory." But the computers are not domain joined can it still work using machine authentication (EAP-TLS)?

Re: Non domain computer using EAP-TLS via Machine Certificate

Rob Ingram — Mon, 01 Aug 2022 14:08:21 GMT

@daniel.tanch AD is recommended, because as indicated typically computers are AD domain joined....but you can authenticate non-domain joined computers as long as you can enroll the device with a certificate. You can do this using either the initial recommendation, or use an MDM to distribute certficates or use the ISE BYOD portal. https://community.cisco.com/t5/security-knowledge-base/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867#toc-hId-640661554