12-05-2019 02:58 PM
I'm having issues with trying to configure ISE to do the following for wireless PCs:
1) Authenticate a Windows machine using the client cert from a CA server. (These are resources owned by me.)
2) Authenticate the user via AD.
I've tested user authentication via AD and it works.
I've configured a policy that says, "If connecting to wlan "x" AND has a certificate with the "issuer" filled in with "acme.root-ca1" AND user ID group is "AD" with field "Domain Users", Then allow..."
I've configured a Cert Profile, AD, etc., but nothing seems to be working... Any help would be greatly appreciated.
12-05-2019 06:30 PM
If you are using the built-in Microsoft supplicant, then the machine can only be in either the machine state or the user state. It will never send both machine credentials AND user credentials in the same request. When a machine boots up and before someone logs in, it will be in the machine state and will send machine credentials. Once someone logs in, it switches to user state and sends user credentials. There is no way to tie those two together in the same authentication request unless you do EAP-Chaining, which requires EAP-FAST and the AnyConnect NAM supplicant.