topic Mixing internal users and certificate authentication on ISE in Network Access Control

Mixing internal users and certificate authentication on ISE

AK59 — Wed, 15 May 2024 20:41:25 GMT

Hello everyone,

We actually use an ISE (version 3.1) to authenticate endpoints in wifi using a certificate.

The configuration is pretty simple but now we want to allow authentication for internal users (created and stored in the ISE)

Problem is, the users don't use a certificate.

In our policy set, the PKI server is explicitly used in the Authentication Policy

We can change that option and select a specific Identity Source Sequence including Internal Users, but the criteria "Certificate based Authentication" is also ticked.

Our question is :

If we replace the PKI server on the Authentication Policy by the sequence shown above (using Internal Users/Certificated based), will it authenticat an internal user without certificate ?

Thanks in advance,

PS : We have this "Advanced Search List Settings" option that seems to answer our question but we're still skeptical regarding the certificate based option.

Re: Mixing internal users and certificate authentication on ISE

Arne Bier — Wed, 15 May 2024 22:57:33 GMT

You don't change anything in the Identity Source Sequence, nor in the Certificate Profile. The difference between cert auth (EAP-TLS) and username/password auth (EAP-PEAP) is handled during Authentication.

The way it's done is to check what EAP Method is being used in the ISE Authentication in the Policy Set.

If Network Access-EapTunnel EQUALS PEAP then use Internal Users

If Network Access-EAPAuthentication EQUALS EAP-TLS then use Cert_Profile

In the Authorization part of the Policy Set, you can again differentiate between cert and credential auth, if you must treat them differently. E.g. If you know that PEAP authentications are users whose accounts live in ISE, then you can make that as part of an AND condition

If Network Access-EapTunnel EQUALS PEAP AND InternalUser Identity Group EQUALS Employee then .....

Remember that Authorization happens AFTER successful authentication - which means you don't have to test logic conditions that passed in the Authentication stage - you only do it if there is ambiguity.

Re: Mixing internal users and certificate authentication on ISE

AK59 — Thu, 16 May 2024 09:35:13 GMT

Thanks Arne for the reply.

I forgot to mention the fact that before using the Authentication Policy there is a first rule with "Wireless 802.1x" as a condition and as allowed protocol "EAP-TLS".

Do I have to create a whole new policy before that one and specify Wireless 802.1x as condition and PEAP as Allowed Protocols ?

Re: Mixing internal users and certificate authentication on ISE

Arne Bier — Thu, 16 May 2024 23:11:29 GMT

I tend to make one RADIUS Policy Set per SSID (in organizations that have more than one 802.1X SSID)

Help ISE to select the appropriate authentication method (column "Use") by testing the EAP Method used.

In my example, the top Condition uses the default "Allowed Protocols" - in practice I would make a custom one, and include only EAP-TLS and EAP-PEAP (and untick all the other boxes)

Example below:

Re: Mixing internal users and certificate authentication on ISE

AK59 — Fri, 17 May 2024 13:46:59 GMT

Thank you it's very clear now !