Closed Authentication mode and certificate-based authentication
I am currently building a new network based on Cisco DNA (SD-Access) architecture.
The network is planned to be a shared service for several companies residing in one building.
The companies' separation is achieved by placing the users of every company into a different Virtual Network (VRF) on the Fabric, based on 802.1X authentication and authorization performed by ISE 3.0 connected to MS AD domains.
Virtual Networks have separate IP pools, and traffic is routed via different firewalls.
To achieve better security between the aforementioned companies, I've decided to go with the Closed Authentication mode on the Fabric access ports ("Authentication must succeed prior to the network access"), so the end-user hosts don't have an IP address or networking stack until authenticated; only EAP traffic is flowing.
That works fine with EAP-PEAP + MS-CHAPv2 (user/password authentication), but I have trouble implementing certificate-based authentication.
On the clients (testing with Windows 10 build 19042), in the CAPI2 logs, I see that the OS is trying to perform the certificate revocation check for the client certificate that must be presented to the ISE, and this check fails because the CRL and OCSP servers are unavailable ("The revocation function was unable to check revocation because the revocation server was offline").
That is not a surprise - the networking stack and IP address are missing - but I can't understand whether this is valid client behavior or not. Shouldn't there be a "fail-open" approach in such a case?
Am I missing some configuration on the clients?
In general, what do you think about such a scheme?
Is it theoretically working?
Or should I place all the clients into a separate Virtual Network with Open Authentication mode, and then perform authentication and place them into the correct Virtual Network?
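An added diagnostic example (not from the original post, and not Cisco or Microsoft code) for triaging the CAPI2 revocation failure described above on the Windows 10 client. It enables the CAPI2 operational log, forces a re-authentication, collects the revocation-offline events, and runs an offline chain check on the client certificate; the interface alias `Ethernet`, the "first Client Authentication certificate" selection and the `subjectName` attribute in the event XML are assumptions.

```powershell
# Run from an elevated PowerShell prompt on the supplicant.
$log = 'Microsoft-Windows-CAPI2/Operational'

# 1. The CAPI2 operational log is off by default; enable it and give it
#    enough room (16 MiB) to hold a few 802.1X/EAP-TLS attempts.
wevtutil set-log $log /e:true /ms:16777216

# 2. Reproduce: bounce the wired adapter so the supplicant re-authenticates.
#    'Ethernet' is an assumed alias; check Get-NetAdapter on the machine.
$since = Get-Date
Restart-NetAdapter -Name 'Ethernet' -Confirm:$false
Start-Sleep -Seconds 30

# 3. Keep only CAPI2 events written since the bounce that report the
#    revocation-offline condition (message text or CRYPT_E_REVOCATION_OFFLINE,
#    0x80092013).
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } `
              -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'revocation server was offline' -or
                         $_.Message -match '80092013' }

foreach ($e in $events) {
    # Pull the certificate subject(s) referenced by the event, if the XML
    # carries a subjectName attribute (assumption about the CAPI2 schema).
    [xml]$x = $e.ToXml()
    $subjects = ($x.SelectNodes('//*[@subjectName]') |
                 ForEach-Object { $_.subjectName }) -join '; '
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Level   = $e.LevelDisplayName   # Warning vs Error tells you whether CAPI2 treated it as fatal
        Subject = $subjects
    }
} | Format-Table -AutoSize

# 4. Offline view of the same chain: export the client-auth certificate and
#    let certutil walk every CRL/OCSP URL in it. On a port that is still in
#    the closed (unauthorized) state every fetch is expected to fail, which
#    shows exactly which AIA/CDP endpoints the supplicant would need.
$clientCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Client Authentication' } |
    Select-Object -First 1
$cerPath = Join-Path $env:TEMP 'client.cer'
Export-Certificate -Cert $clientCert -FilePath $cerPath | Out-Null
certutil -verify -urlfetch $cerPath
```

Compare the `Level` column of the collected events with whether the EAP-TLS session actually completed; a Warning-level revocation event alongside a successful authentication is the "fail-open" behaviour the question asks about, while an Error-level chain failure is not.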