Re: 802.1x with cisco ISE

Mustapha Bassim · ‎05-29-2023

Hello Dears

We are planning to impelment Cisco ISE with 802.1x and we have the following quiestions :

1-is it possible to connect ISE with Microsoft AD so the login user for 802.1x is done with AD username/password?

2-is 802.1x is working without issue with windows 10 and windows 11?

Best Regards

Flavio Miranda · ‎05-29-2023

Hi

1 - it is. You can check this guide

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html

2 - without issue is too optmistic but Yes, they work. Just check the compatibilty with ISE version

https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/compatibility_doc/b_ise_sdt_31.html#microsoftwindows

Marvin Rhoads · ‎05-29-2023

AD integration is not only possible, as @Flavio Miranda noted, but is used in almost all ISE deployments when we are securing wired or wireless networks.

It works fine with all current Windows versions.

It is worth mentioning that recently Microsoft has begun to deprecate MS-CHAPv2 so we need to account for that in our ISE deployment. https://community.cisco.com/t5/network-access-control/windows-11-22h2-credential-guard-enforcement/td-p/4695655

Mustapha Bassim · ‎05-30-2023

Hello Dears and thnx for reply

could we authenticate 802.1x without ISE certification

i am need the user just checking by username/password not using any authenication method anyone can help ?

Marvin Rhoads · ‎05-30-2023

Checking username and password IS authentication.

We can configure Windows to work with 802.1x so that the supplicant (Windows built-in software program settings that work with wired or wireless networks) automatically provides ISE the username and password. No user certificate is required. ISE uses a certificate but it doesn't not have to be CA-issued not does the client necessarily have to validate/trust it. Those are optional supplicant settings.