578 Views, 0 Helpful, 2 Replies

Authentication policy can't use EAP-TLS

hamzazidane
Level 1

Hello,

We have a problem in the configuration of the Authentication Policy. I'm selecting EAP-TLS in order to force clients to use the certification that I exported from the ISE, but the endpoint can only authenticate using "PEAP (EAP-MSCHAPv2)", even if there is no rule for this protocol.

Thanks for helping us.

2 Accepted Solutions

Jason Kunst
Cisco Employee
Have you tried using the default authentication ruleset and simply relying on authorization rules?

Simple examples are in the BYOD guide (you don't need the BYOD rules), just the one with cert auth minus the registration state.

See page 25, remove the "BYOD is registered" and that should work.
https://community.cisco.com/t5/security-documents/cisco-ise-byod-deployment-guide/ta-p/3641867


paul
Level 10

In EAP-TLS each client should have their own certificate. You shouldn't be trying to export a certificate from ISE and trying to get the clients to use it to authenticate EAP-TLS. Furthermore, if you are trying something like this you need to export both the cert/private key and ensure the certificate has EKU client auth enabled.

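As an added illustration of paul's point (example code written for this page, not from the thread or from Cisco ISE itself): the script below uses the Python `cryptography` library to build a throwaway lab CA, an ISE-style server certificate that carries only the Server Authentication EKU, and a per-endpoint client certificate, then runs the two checks an EAP-TLS credential has to pass before a supplicant can present it: the endpoint holds the private key that matches the certificate, and the certificate's Extended Key Usage includes Client Authentication. The names (`Demo Lab CA`, `ise.lab.example`, `laptop-01.lab.example`) and the assumption that the exported ISE certificate carried only serverAuth are constructed for the example.

```python
"""Check whether a cert/key pair is usable as an EAP-TLS client credential.

Added example, not from the thread: builds a throwaway CA plus leaf
certificates with the `cryptography` library and checks each the way an
802.1X supplicant needs: matching private key, and an Extended Key Usage
that includes Client Authentication (1.3.6.1.5.5.7.3.2).
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _make_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _issue(subject_cn, pub_key, issuer_name, issuer_key, ekus, is_ca=False):
    """Issue a certificate; `ekus` is a list of ExtendedKeyUsageOID values."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(issuer_name)
        .public_key(pub_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if ekus:
        builder = builder.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def _spki(pub_key):
    """DER SubjectPublicKeyInfo, used to compare public keys byte-for-byte."""
    return pub_key.public_bytes(serialization.Encoding.DER,
                                serialization.PublicFormat.SubjectPublicKeyInfo)


def eap_tls_client_problems(cert, key):
    """Return the reasons this cert/key pair is NOT a valid EAP-TLS client credential."""
    problems = []
    # 1. The supplicant must hold the private key belonging to the certificate.
    if _spki(key.public_key()) != _spki(cert.public_key()):
        problems.append("private key does not match certificate public key")
    # 2. EKU must include Client Authentication; a server-only cert is rejected.
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        problems.append("no Extended Key Usage extension")
    else:
        if ExtendedKeyUsageOID.CLIENT_AUTH not in list(eku):
            problems.append("EKU lacks Client Authentication")
    # 3. A CA certificate is an issuer, not an end-entity credential.
    try:
        if cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            problems.append("certificate is a CA certificate")
    except x509.ExtensionNotFound:
        pass
    return problems


def build_demo():
    """Constructed scenario: lab CA, ISE-style server cert, one per-client cert."""
    ca_key = _make_key()
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Lab CA")])
    ca_cert = _issue("Demo Lab CA", ca_key.public_key(), ca_name, ca_key, [], is_ca=True)

    # Assumed: what the poster exported, the ISE node's own cert (serverAuth only).
    ise_key = _make_key()
    ise_cert = _issue("ise.lab.example", ise_key.public_key(), ca_name, ca_key,
                      [ExtendedKeyUsageOID.SERVER_AUTH])

    # What each endpoint should hold instead: its own cert with clientAuth EKU.
    client_key = _make_key()
    client_cert = _issue("laptop-01.lab.example", client_key.public_key(), ca_name,
                         ca_key, [ExtendedKeyUsageOID.CLIENT_AUTH])

    return {
        "ise_cert_reused": eap_tls_client_problems(ise_cert, ise_key),
        "wrong_key": eap_tls_client_problems(client_cert, ise_key),
        "ca_cert": eap_tls_client_problems(ca_cert, ca_key),
        "per_client": eap_tls_client_problems(client_cert, client_key),
    }


if __name__ == "__main__":
    for label, problems in build_demo().items():
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

Only the per-client certificate comes back clean; the reused ISE certificate fails on the EKU check, which is the same thing a supplicant silently does when it refuses to offer EAP-TLS and falls back to PEAP. To run the same check on a real exported file, load it with `x509.load_pem_x509_certificate` and `serialization.load_pem_private_key` and pass the pair to `eap_tls_client_problems`.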
