
Beginner

Certificate auto-enrollment not working in closed mode for user first log in

Hi everyone,

We've been struggling with this situation for a few days.

We have the following scenario for our ISE deployment:

User and machine authentication with EAP chaining, using certificates for both; the supplicant is AnyConnect NAM.

We are in the PoC stage in authentication open mode and we want to change to closed mode very soon. We are using auto-enrollment for certificate deployment, but it is failing in closed mode: machine authentication is correct, but new users cannot get the user certificate and authentication fails.

We have machines that will be used by more than one user at any time. How can we make auto-enrollment work in these cases? Please help us with this issue.

Accepted Solution
Cisco Employee

Re: Certificate auto-enrollment not working in closed mode for user first log in

I would suggest the following:

  • In NAM, create two networks: one for machine-auth only and the other for machine-auth + user-auth. The users need to be allowed to select, and fall back to, machine-auth.
  • In ISE, give limited access (enough for auto-enrollment) when only machine-auth succeeds, and give full access when both auths succeed.
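The following is an added example, not code from the original thread, from Cisco ISE or from AnyConnect NAM. It models the authorization split the accepted answer describes as a small, testable policy: a machine that has proven its identity but whose user has not (no user certificate yet, or NAM's machine-only network selected) gets only the traffic needed to reach AD and the CA for auto-enrollment, and full access is granted only once both authentications succeed. The attribute values are the ones ISE reports in Network Access:EapChainingResult; the profile names, dACL contents and addresses are assumptions for illustration.

```python
"""Model of the machine-only vs machine+user authorization split (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

# Values ISE reports in Network Access:EapChainingResult, mapped to
# (machine_ok, user_ok). Anything not listed is treated as a failure.
EAP_CHAINING_RESULTS = {
    "User and machine both succeeded": (True, True),
    "User failed and machine succeeded": (True, False),
    "User succeeded and machine failed": (False, True),
    "No chaining": (False, False),
}

# Assumed lab addresses; substitute the real domain controller and CA.
DC = "10.0.0.10"
CA = "10.0.0.20"

# Assumed dACL for the machine-only state: just enough for a domain-joined
# Windows host to reach AD and the enterprise CA so user auto-enrollment can
# complete at first logon. Everything else is denied until the user also
# authenticates.
ENROLL_DACL = (
    f"permit udp any host {DC} eq 53",              # DNS
    f"permit udp any host {DC} eq 88",              # Kerberos
    f"permit tcp any host {DC} eq 88",
    f"permit tcp any host {DC} eq 389",             # LDAP
    f"permit tcp any host {DC} eq 636",             # LDAPS
    f"permit tcp any host {DC} eq 445",             # SMB (SYSVOL / Group Policy)
    f"permit tcp any host {CA} eq 135",             # RPC endpoint mapper (DCOM enrollment)
    f"permit tcp any host {CA} range 49152 65535",  # RPC dynamic ports
    f"permit tcp any host {CA} eq 443",             # CES/CEP enrollment over HTTPS, if used
    "deny ip any any",
)
FULL_DACL = ("permit ip any any",)


@dataclass(frozen=True)
class Authorization:
    profile: str
    dacl: Tuple[str, ...]


def authorize(machine_ok: bool, user_ok: bool) -> Authorization:
    """Map the two authentication outcomes to an authorization profile."""
    if machine_ok and user_ok:
        return Authorization("Full_Access", FULL_DACL)
    if machine_ok:
        # Machine identity proven, user not yet: grant only the enrollment path.
        return Authorization("Cert_Enroll_Only", ENROLL_DACL)
    # A user without a trusted machine never gets onto the network.
    return Authorization("Deny_Access", ())


def authorize_chaining(result: str) -> Authorization:
    """Authorize from the raw EapChainingResult string; unknown values deny."""
    machine_ok, user_ok = EAP_CHAINING_RESULTS.get(result, (False, False))
    return authorize(machine_ok, user_ok)


def enrollment_dacl_is_restricted() -> bool:
    """Sanity check for the limited profile: no blanket permit, explicit final deny.

    A stuck enrollment must never silently turn into open access.
    """
    return ENROLL_DACL[-1] == "deny ip any any" and not any(
        ace.startswith("permit ip any any") for ace in ENROLL_DACL
    )


def first_logon_on_shared_machine() -> List[Tuple[str, str]]:
    """Walk a new user's first logon on a shared PC in closed mode."""
    steps = [
        ("login screen, machine-only network", (True, False)),
        ("new user logs on, no user cert yet", (True, False)),
        ("after auto-enrollment, NAM reconnects with both certs", (True, True)),
    ]
    return [(label, authorize(m, u).profile) for label, (m, u) in steps]


if __name__ == "__main__":
    for label, profile in first_logon_on_shared_machine():
        print(f"{label:55s} -> {profile}")
    print("enrollment dACL restricted:", enrollment_dacl_is_restricted())
```

The point of the second NAM network is that a user who has no certificate yet can still land in the Cert_Enroll_Only state through machine authentication alone; once the user certificate is issued, NAM reconnects on the chained network and the same policy promotes the session to Full_Access. The final deny in the enrollment dACL is what keeps closed mode closed while that happens.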