https://community.cisco.com/t5/wireless/wlan-802-1x-certificate-based-client-authentication/m-p/4781598#M252124 <P>Ok. Thanks for the suggestion.</P><P>With respect to the already installed certificates on the ISE from factory, will these work for 802.1x client authentication?</P><P>Thanks again.</P><P>Regards,</P> Thu, 23 Feb 2023 18:58:48 GMT fuhrersk8 2023-02-23T18:58:48Z https://community.cisco.com/t5/wireless/wlan-802-1x-certificate-based-client-authentication/m-p/4712169#M247592 <P>Hi Guys,</P><P>We want implement a&nbsp;WLAN with 802.1x certificate based client authentication. I am following the document&nbsp;<STRONG><EM>Understand and Configure EAP-TLS with a WLC and ISE&nbsp;</EM></STRONG>, but is there a way to automatically install the certificate on the client machines without having to go manually to each? Like for example, the clients downloading the certificate form the ISE.&nbsp;</P><P>Thanks for your support.</P><P>Regards,</P> Thu, 27 Oct 2022 22:01:00 GMT https://community.cisco.com/t5/wireless/wlan-802-1x-certificate-based-client-authentication/m-p/4712169#M247592 fuhrersk8 2022-10-27T22:01:00Z https://community.cisco.com/t5/wireless/wlan-802-1x-certificate-based-client-authentication/m-p/4712177#M247595 <P>If all the clients are part of the domain, you can deploy the certificate using a GPO. <A href="https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy#:~:text=To%20distribute%20certificates%20to%20client%20computers%20by%20using%20Group%20Policy" target="_blank">https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy#:~:text=To%20distribute%20certificates%20to%20client%20computers%20by%20using%20Group%20Policy</A></P> <P>If you have non-domain devices, then you need to deploy it using a MDM solution. Explore your MDM vendor for more info on how to do.</P> <P><A href="https://documentation.meraki.com/SM/Profiles_and_Settings/Certificates_Payload_(Pushing_Certificates)" target="_blank">Certificates Payload (Pushing Certificates) - Cisco Meraki</A></P> <P><A href="https://learn.microsoft.com/en-us/mem/intune/protect/certificates-trusted-root" target="_blank">Create trusted certificate profiles in Microsoft Intune | Microsoft Learn</A></P> <P><A href="https://www.manageengine.com/mobile-device-management/help/certificate_management/mdm_certificate_repository.html" target="_blank">Certificate Management | ManageEngine Mobile Device Manager Plus</A></P> Thu, 27 Oct 2022 22:10:28 GMT https://community.cisco.com/t5/wireless/wlan-802-1x-certificate-based-client-authentication/m-p/4712177#M247595 Arshad Safrulla 2022-10-27T22:10:28Z https://community.cisco.com/t5/wireless/wlan-802-1x-certificate-based-client-authentication/m-p/4712216#M247603 <P>What Arshad said. Other options look at&nbsp;<SPAN class=""><SPAN class=""><SPAN>securew2.com if you need a managed PKI&nbsp;</SPAN></SPAN></SPAN>environment to do this</P> Fri, 28 Oct 2022 00:38:25 GMT https://community.cisco.com/t5/wireless/wlan-802-1x-certificate-based-client-authentication/m-p/4712216#M247603 Haydn Andrews 2022-10-28T00:38:25Z https://community.cisco.com/t5/wireless/wlan-802-1x-certificate-based-client-authentication/m-p/4781598#M252124 <P>Ok. Thanks for the suggestion.</P><P>With respect to the already installed certificates on the ISE from factory, will these work for 802.1x client authentication?</P><P>Thanks again.</P><P>Regards,</P> Thu, 23 Feb 2023 18:58:48 GMT https://community.cisco.com/t5/wireless/wlan-802-1x-certificate-based-client-authentication/m-p/4781598#M252124 fuhrersk8 2023-02-23T18:58:48Z https://community.cisco.com/t5/wireless/wlan-802-1x-certificate-based-client-authentication/m-p/4781696#M252129 <P>I think you need to at least have domain services and pki in your environment to successfully do this.&nbsp; The client along with the radius has to trust the certty chain.&nbsp; You can always try and use whatever cert you are using on ISE for EAP, but you will have to then upload the chain to the device cert store, manually setup the profile etc.&nbsp; Then you will have to figure out the policy to get all that to work.</P> <P>You didnt provide if you have a domain you are using, is GPO possible, do you have a CA, what is your radius server and are you currently doing PEAP?</P> Thu, 23 Feb 2023 23:09:37 GMT https://community.cisco.com/t5/wireless/wlan-802-1x-certificate-based-client-authentication/m-p/4781696#M252129 Scott Fella 2023-02-23T23:09:37Z https://community.cisco.com/t5/wireless/wlan-802-1x-certificate-based-client-authentication/m-p/4781709#M252130 Yes, we do have a domain and a CA. But first we are setting a PoC before implementation.<BR /> Thu, 23 Feb 2023 23:56:52 GMT https://community.cisco.com/t5/wireless/wlan-802-1x-certificate-based-client-authentication/m-p/4781709#M252130 fuhrersk8 2023-02-23T23:56:52Z https://community.cisco.com/t5/wireless/wlan-802-1x-certificate-based-client-authentication/m-p/4781735#M252132 <P>For your PoC, you should validate that certificates (user or computer) are pushed to each domain joined machine.&nbsp; Then your ISE should have a certificate installed from your CA (device, intermediates, and root) and make sure that cert is imported and used for EAP.&nbsp; This helps with the two way trust.&nbsp; Then you would push out a wireless profile via GPO for your test SSID and configure the policies in ISEe to authenticate the user/device cert.</P> <P>Take a look at some guides and blogs on ISE using EAP-TLS and that will help with the steps you need to perform for your PoC.</P> Fri, 24 Feb 2023 02:18:33 GMT https://community.cisco.com/t5/wireless/wlan-802-1x-certificate-based-client-authentication/m-p/4781735#M252132 Scott Fella 2023-02-24T02:18:33Z