05-23-2019 06:14 AM - edited 05-23-2019 06:16 AM
Hi All,
I am going about setting up guest and employee WIFI, which I am planning on running over the same SSID, as the employee side just requires internet access for their mobile devices, which we do not control and would not be able to push our control onto due to backlash from the business.
I configured SSID to use WPA2-Enterprise with "my Radius server", configured that it uses Cisco ISE Authentication and rest of settings as per config guidelines.
• Created Policy and used Wireless_802.1X as my condition.
• Authentication, Wireless_802.1X as my condition and to use All_AD_Join_Points with Reject, Reject, Drop
• Authorization: Wireless_802.1X as my condition, plus some other filters to pinpoint users or groups, and provided with Authorization profile which provides Access_Accept, specifies the VLAN and Airspace ACL name.
So connection to this work as expected, I can connect to SSID and provide AD account login details and would be granted access as per config.
And here is the undesired outcome: I get a prompt to accept the certificate. This certificate is from our internal CA, as we use the same cert for computer 802.1X authentication.
This certificate is used for EAP Authentication under its Usage. There cannot be two EAP authentication certificates.
What are the alternative options for getting a public certificate but retaining the simplicity of this AD user authentication against the SSID and not getting the untrusted certificate prompt?
Background on the simplicity side: we do not have MDM available, so pushing certificates to employee phones is not an option. But at the same time we have a requirement that we can control which user is allowed on WIFI by using groups, AD user account status, etc.
For guests, we require the same thing: different user accounts for different geographical areas, with the option of changing the password in AD or, full stop, disabling the account in AD in case of security violations or other reasons.
The selected option of achieving this did not require any overhead on mobile devices, as there is nothing more to do apart from providing a username and password: no redirects, no registrations, no profiles to be installed. And given that access is granted to internet ports 80 and 443 only, there is no need to do any posture on this as well.
Please advise.
05-23-2019 07:20 AM
05-29-2019 06:22 PM
Just a few comments on this thread.
I would advocate not using a WPA2 Enterprise SSID for this situation. You are setting yourself up for a world of pain (well, maybe not you, but the employees). Anytime you allow an employee to connect a mobile device to an SSID with AD credentials, that device will store the credentials. Now their AD password changes and they forget they have their mobile devices using it to connect to an SSID that only gives them Internet access. Now their AD account is constantly getting locked out and frustration mounts.
Set up a standard open SSID with a portal. Allow the portal to accept AD credentials or regular guest credentials. When the employees log in, their MAC address gets put into an Employee_BYOD endpoint identity group with a long purge time (30, 60, 90 days... whatever you want), and the guests would get mapped to guest endpoint identity groups that have shorter purge times (daily, weekly, etc.).
It is a simple setup. Employees are happy because they only have to see the guest portal once every purge cycle and there is no AD account remembered causing AD account locks.
05-23-2019 07:20 AM
05-23-2019 07:44 AM
Thanks Jason,
Will give it a read.
05-23-2019 01:54 PM
Hi @AigarsKSYN
I will say that I have seen this requirement for more than one EAP Server certificate a few times. Aruba Clearpass supports this and it makes sense for some complex scenarios. They can support multiple EAP "Services" and depending on which one processes the EAP request will determine which cert their radius server presents to the supplicant. Perhaps we need to submit a feature request one of these days.
05-23-2019 02:03 PM
05-23-2019 03:57 PM
Hi Jason
The original posting read:
"This certificate is used for EAP Authentication under its Usage. There cannot be two EAP authentication certificates.
What are the alternative options for getting a public certificate but retaining the simplicity of this AD user authentication against the SSID and not getting the untrusted certificate prompt?"
I was responding to the first part mostly because I have seen this question a few times in the Community forum. When we build ISE and we create the EAP System cert, then we have to choose the CA chain. And that can be an issue for some customers who want to present multiple ISE server certs. I personally don't see this as an issue.
Horses for courses
05-24-2019 02:44 AM - edited 05-24-2019 02:45 AM
Thanks Arne and Jason,
I am going down the route of doing a configuration of EAP Authentication using wildcard public CA certificate.
Just a quick one for you both if you do not mind.
If I have two PSN nodes, would replacing the EAP Authentication cert on one node sync this over to the other node as well, or am I safe doing testing that way?
Also, regarding use of FQDN, I want to prep both PSN nodes for use of FQDN; can the CLI config of IP HOST be the same on both PSN nodes and rely on DNS round-robin load balancing?
Command use: ip host IP_address host-alias FQDN-string
My Config:
PSN1 admin(config)# ip host 10.0.0.1 ise ise.domain.com
PSN2 admin(config)# ip host 10.0.0.2 ise ise.domain.com
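Before committing a wildcard public CA certificate to both PSN nodes, it is worth checking that its dNSName SAN entries actually cover every name the nodes will be reached by, including the shared alias from the ip host commands above. The following is an added illustration written for this thread, not code from the thread or from Cisco ISE; the SAN list and host names are constructed, and the matching rules follow RFC 6125 section 6.4.3 (a "*" covers exactly one left-most label).

```python
"""Check whether a wildcard certificate's SAN list covers every name that
two EAP servers (PSN nodes sharing one alias) will present.  Added example,
not part of the original thread; names below are constructed."""


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single dNSName SAN entry covers hostname.

    Rules (RFC 6125 6.4.3): a wildcard must be the entire left-most label,
    needs at least two labels to its right (so '*.com' is rejected), and
    never spans more than one label ('*.domain.com' does not cover
    'a.b.domain.com').  Comparison is case-insensitive.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3:
        return False
    if any("*" in label for label in plabels[1:]):
        return False  # wildcard only permitted in the left-most label
    if len(plabels) != len(hlabels) or hlabels[0] == "":
        return False  # '*' must consume exactly one non-empty label
    return plabels[1:] == hlabels[1:]


def uncovered_names(san_entries, hostnames):
    """Return the hostnames that no SAN entry covers (empty list = all good)."""
    return [h for h in hostnames
            if not any(san_matches(s, h) for s in san_entries)]


# Constructed inputs: one wildcard cert shared by two PSN nodes plus the
# 'ise.domain.com' alias configured with 'ip host' on both nodes.
WILDCARD_SANS = ["*.domain.com"]
PSN_NAMES = ["ise.domain.com", "psn1.domain.com", "psn2.domain.com"]
# A node placed in a regional sub-zone adds a label the wildcard cannot span.
PSN_NAMES_BAD = ["ise.domain.com", "psn1.emea.domain.com"]

if __name__ == "__main__":
    print(uncovered_names(WILDCARD_SANS, PSN_NAMES))      # []
    print(uncovered_names(WILDCARD_SANS, PSN_NAMES_BAD))  # ['psn1.emea.domain.com']
```

This only checks name coverage; the untrusted-certificate prompt on the phones goes away only when the full chain presented during EAP is signed by a CA already in the device's trust store.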
05-29-2019 12:26 PM
05-29-2019 12:59 PM
Hi Jason,
Sorry, I should have been a bit more clear. I am trying to update to the wildcard cert; however, when the production network is your only network and people work around the clock, I want to know how I can go about implementing the certificate without affecting everyone or causing an outage.
That is why I was asking if it is possible to update one of the PSN nodes and not have the certificate propagate through to all PSN nodes. If it is not an automatic process, then great, as I can take one PSN, replace the current cert with the wildcard, then perform a test, switch this PSN to be used as primary, get the other PSN's cert updated as well, and place them both in production.
Also, I guess I will need to update the network profiles to trust the new cert's root CA.
05-30-2019 12:46 AM
05-24-2019 09:47 AM
05-28-2019 01:50 AM
Hi Jason,
It is not, I have not raised any threads on this subject.