topic Implementing 8021x in network in Wireless

Implementing 8021x in network

jesse.garcia11 — Thu, 20 Jul 2023 22:44:14 GMT

We are implementing 8021x this summer and I am reading this great Cisco white paper: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213919-configure-802-1x-authentication-on-catal.html

It goes into depth on how to configure the WLC and ISE for implementing the 8021x network, which is what we will be using. But it does not go into any detail on certificate configuration and placement. If anyone has any good documentation or advice on how to get the certs created and installed it would greatly be appreciated. Thank You in advanced.

Re: Implementing 8021x in network

MHM Cisco World — Thu, 20 Jul 2023 23:11:57 GMT

what is Mode
EAP-TLS ? if Yes
then
Understand and Configure EAP-TLS with a WLC and ISE - Cisco

Re: Implementing 8021x in network

Jonatan Jonasson — Fri, 21 Jul 2023 00:08:58 GMT

As mentioned, there are configuration guides for ISE that go over the configuration steps in ISE with some overview.
Here's the guide for 3.x: Configure EAP-TLS Authentication with ISE
For other parts I fear the question is too open or general.
The certificate creation depends on your environment.
For example, if you have an on-premises AD environment, and maybe an existing PKI infrastructure, it would make sense to use your existing PKI infrastructure to generate the EAP certificate to use on the ISE nodes.
At the end of the day the clients that authenticate need to trust the EAP certificate on the ISE, and if you're using certificate authentication like EAP-TLS, the ISE needs to trust the CA that issues the certificates to the clients.

As an example, if you have a windows-only environment using on-premises Active Directory, a simple solution is to use (or set up) a Microsoft CA, which can be on a standalone server or co-exist on another win server.

Create a CSR for the ISE nodes and use this CA to sign the certificates used for EAP certs.
Set up certificate enrollment so that all clients/computers get a computer certificate.
Use AD group policies to configure the wireless and wired 802.1x settings on the clients.
This might get you to the point where you can say "only our domain-joined machines are able to connect to the network".**
And once you gain confidence in this area you can start exploring the more advanced settings.

** there are additional security aspects you need to look into once you've reached this stage, such as can the certificate be exported off the computer and what can someone do with a stolen laptop.

If your workstations are domain-joined using AzureAD, or if you have MacOS or linux computers, there may be additional steps to look into.

Re: Implementing 8021x in network

jesse.garcia11 — Fri, 21 Jul 2023 14:50:48 GMT

Thank you for this. I will be reading it today.

Re: Implementing 8021x in network

jesse.garcia11 — Fri, 21 Jul 2023 14:51:43 GMT

Great write up. This is definitely putting me in the direction I want to go. I will be reading and reviewing this.

Re: Implementing 8021x in network

MHM Cisco World — Fri, 21 Jul 2023 19:35:38 GMT

You are so so welcome'

Any time friend

MHM