
ISE does not see the local machine cert...

Garrison Botts
Level 4

I'm having issues with trying to configure ISE to do the following for wireless PCs:

1) Authenticate a Windows machine using the client cert from a CA server. (These are resources owned by me.)

2) Authenticate the user via AD.

I've tested user authentication via AD and it works.
I've configured a policy that says, "If connecting to WLAN "x" AND has a certificate with the "issuer" filled in with "acme.root-ca1" AND user ID group is "AD" with field "Domain Users", then allow..."

I've configured a Cert Profile, AD, etc., but nothing seems to be working... Any help would be greatly appreciated.

Accepted Solutions

Colby LeMaire
VIP Alumni

If you are using the built-in Microsoft supplicant, then the machine can only be in either the machine state or the user state.  It will never send both machine credentials AND user credentials in the same request.  When a machine boots up and before someone logs in, it will be in the machine state and will send machine credentials.  Once someone logs in, it switches to user state and sends user credentials.  There is no way to tie those two together in the same authentication request unless you do EAP-Chaining, which requires EAP-FAST and the AnyConnect NAM supplicant.
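
To check which credentials the built-in Windows supplicant will present in each state described in the answer above, you can inspect the WLAN profile exported with `netsh wlan export profile`. This is an added example, not part of the original thread: the profile XML is a constructed sample, and `describe_profile`, `local` and the mapping tables are hypothetical names built on the `authMode` values Windows uses in that file.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a `netsh wlan export profile` file (trimmed).
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>x</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type></EapMethod>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""

EAP_TYPES = {13: "EAP-TLS", 25: "PEAP", 43: "EAP-FAST"}  # IANA EAP method numbers

# Identity offered per session state; None = no 802.1X attempt (single sign-on ignored).
IDENTITY_BY_MODE = {
    "machineOrUser": {"pre-logon": "machine", "logged-on": "user"},
    "machine": {"pre-logon": "machine", "logged-on": "machine"},
    "user": {"pre-logon": None, "logged-on": "user"},
}

def local(tag):
    """Drop the '{namespace}' prefix so lookups work across nested schemas."""
    return tag.rsplit("}", 1)[-1]

def describe_profile(xml_text):
    """Return the profile's authMode, outer EAP method and identity per state."""
    auth_mode = eap_type = None
    for elem in ET.fromstring(xml_text).iter():
        text = (elem.text or "").strip()
        if local(elem.tag) == "authMode" and auth_mode is None:
            auth_mode = text
        elif local(elem.tag) == "Type" and eap_type is None and text.isdigit():
            eap_type = int(text)  # first <Type> is the outer EAP method
    return {
        "auth_mode": auth_mode,
        "eap_method": EAP_TYPES.get(eap_type, f"type {eap_type}"),
        "identity_by_state": IDENTITY_BY_MODE.get(auth_mode, {}),
    }

if __name__ == "__main__":
    print(describe_profile(SAMPLE_PROFILE))
```

Every `authMode` yields a single identity per state, so a rule that requires the machine certificate's issuer AND the user's AD group in the same request has nothing to match with this supplicant.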
