ISE User Certificate for EAP-TLS Deployment

Kenlim
Level 1

Dear community,

 

I have a deployment that has a constraint on using MS CA for user certificate deployment (it is an old version and doesn't support SHA-2, and they are not willing to upgrade it). I would like to know if anyone has experience in using the built-in ISE CA to achieve automated user certificate enrolment for EAP-TLS authentication.

 

What I would like to achieve: automated user certificate enrolment (during day 0) for all AD users, without the need for users to go to the certificate provisioning portal. None of the users have admin rights.

 

I know MS AD with MS CA can achieve it, but since MS CA is not an option, thus I'm looking for alternative.

 

Regards,

 

Ken
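The constraint above is a CA that cannot sign with SHA-2. As an added example that is not part of this thread or of any Cisco tooling, the following pure-Python check reads the signature algorithm OID out of a DER-encoded certificate so that SHA-1-signed certificates can be flagged before they are trusted for EAP-TLS; the sample certificates it builds are constructed placeholders (dummy tbsCertificate and signature bytes), not real CA output.

```python
# Added example (not from the thread, not Cisco's code): read the signatureAlgorithm OID
# of a DER X.509 certificate in pure Python, so certificates from a SHA-1-only legacy CA
# can be flagged before EAP-TLS trusts them. The sample certificates are constructed
# with a placeholder tbsCertificate and dummy signature bytes, not real CA output.
SHA1_RSA, SHA256_RSA, SHA256_ECDSA = "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11", "1.2.840.10045.4.3.2"
# Signature OIDs a SHA-2 policy rejects: md5WithRSA, sha1WithRSA, ecdsa-with-SHA1.
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4", SHA1_RSA, "1.2.840.10045.4.1"}

def _tlv(data, pos):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                      # base-128 arcs, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, start, _ = _tlv(cert_der, 0)
    _, _, tbs_end = _tlv(cert_der, start)          # skip tbsCertificate entirely
    _, alg_start, _ = _tlv(cert_der, tbs_end)      # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_start, oid_end = _tlv(cert_der, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER Certificate with an OID signature algorithm")
    return _decode_oid(cert_der[oid_start:oid_end])

def is_sha2_signed(cert_der):
    return signature_oid(cert_der) not in WEAK_SIG_OIDS

# Constructed sample certificates. The OID bytes are the standard DER encodings.
_DER_OIDS = {SHA1_RSA: "2a864886f70d010105", SHA256_RSA: "2a864886f70d01010b",
             SHA256_ECDSA: "2a8648ce3d040302"}

def _der(tag, content):                    # short-form lengths suffice for these samples
    return bytes([tag, len(content)]) + content

def constructed_cert(sig_oid):
    tbs = _der(0x30, _der(0x02, b"\x01"))                                # placeholder TBS
    alg = _der(0x30, _der(0x06, bytes.fromhex(_DER_OIDS[sig_oid])) + b"\x05\x00")  # OID + NULL
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\xaa" * 16))    # dummy signature
```

Feed `signature_oid()` the DER bytes of a real certificate (for example, one exported from the legacy CA) to confirm which hash it was signed with before adding it to an EAP-TLS trust list.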

5 Replies

Colby LeMaire
VIP Alumni

First question or concern would be whether or not you are authenticating the machine at all?  If you are, then why do you need to authenticate the user?  The only time I recommend authenticating the user is if you need to differentiate access based on who the user is.  99% of customers don't need this.  Just authenticate the machine and let Active Directory do its job of controlling access to resources based on who the user is.

To issue certificates from ISE, you would have to use the BYOD flow and client provisioning portal.  In my experience, it never works cleanly for every user.  But if these are all corporate devices that are consistent in hardware/software, then you may be able to get it to work for everyone.

I would just recommend working with leadership, security, and the folks who own the MS CA server to come up with a better solution where you can issue the certificates using MS CA and GPOs before making things overly complex and causing users to have a bad experience with ISE.

Hi Colby,

To answer your first question, we are planning to use the AD probe for machine verification. And yes, we will assign different DACLs to different groups of users based on AD user group.

As for the certificate, I do like your suggestion. However, we are working with a tight timeline and the client does not seem to have enough time to make their MS CA work as intended (to upgrade it for SHA-2 support). I wonder if there is an alternative if we want to have user authentication and role-based access done before migrating to certificate-based authentication when the MS CA is ready.

Also at the same time we are exploring APIs to make the CPP flow more seamless and automated (for user cert enrolment). I hope you can stop me here if this is a bad idea!

Best Regards,

Ken

Mike.Cifelli
VIP Alumni
I agree with @Colby LeMaire in regard to utilizing MS-CA for certificate deployment via GPOs and auto-enrollment for the workstations.  In my experience, for workstation certificates this has always been my go-to.  Once successfully set up, it works very well.  As an FYI, believe it or not, Cisco documentation actually states this:
Note: ISE internal CA is designed to support features that use certificates such as BYOD and hence the capabilities are limited. Using ISE as an Enterprise CA is not recommended by Cisco.
As far as determining whether or not you should authenticate both the computer and user I want to identify some benefits if you do use eap-fast for eap-chaining of both user and computer auth:
- Some customers that I have worked with actually like the fact of using a physical medium (CAC card, token, YubiKey) with user certificates to drive network authc/authz.  Certain customers already require use of cards with user certs, so security folks like this.
- You could move workstations to a restricted VN/VLAN upon reauth timers so that when users go home the workstations are no longer internet accessible.  They would sit in an internal parking lot that your services servers (WSUS, SCCM, etc.) can reach at night.  In this case you would leverage eapchaining:result equals computer pass & user fail. Then in the morning, when the user initiates a connection, it moves them to your normal area for business hours upon successful comp/user pass.
- Leveraging EAP chaining could provide a mobility aspect for end users.  Essentially a user could walk to a different workstation in a lab/area/whatever, use their physical medium, initiate authentication and be authorized to their respective network based on your ISE policies.  (This all depends on your environment; this is geared more towards an SDA campus with anycast gateways, and for those who wish to utilize mobility.)  Yes, for a legacy-type build-out users could just move and take their workstation.  However, this is a design/requirement decision.
- It is nice to be able to look in live log sessions to determine who (user) is where and what host they are on.  Aids in troubleshooting end-user issues.

Downsides are having to maintain AnyConnect deployments, NAM, and NAM profiles.  Another layer of complexity.

Good luck & HTH!

Hi Mike,

 

Thanks a lot for your informative response. The note regarding the ISE CA not being meant for use as an enterprise CA is useful.  For now I am looking for an interim solution (to achieve user authentication, preferably with certs) before their MS CA is ready.

 

Regards,

 

Ken

Ken,

 

This goes to the fundamentals of EAP-TLS: when you are validating a machine or user, the supplicant presents a client certificate that the server verifies, and vice versa. A machine certificate is unique per endpoint and has to work with the environment.

There are PKI standards that govern this, and CAs adhere to these standards and provide an easy way to manage certificates.

 

The enrollment process can be manual or via GPOs or web enrollment. Manual is tedious if you have a lot of endpoints.

Anyway, you need a CA to provide you a certificate; that is the bottom line. Hope it is clear.

 

Here is a configuration guide for EAP-TLS using wireless.

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213543-configure-eap-tls-flow-with-ise.html

 

Thanks

Krishnan