Certificate auto-enrollment not working in closed mode for user first log in

reynaldolopeza
Level 1

Hi everyone,

We've been struggling with this situation for a few days.

We have the following scenario for our ISE deployment:

User and Machine Authentication with EAP Chaining, using certificates for both. The supplicant is AnyConnect NAM.

We are in the PoC stage in authentication open mode and we want to change to closed mode very soon. We are using auto-enrollment for certificate deployment, but it is failing in closed mode: machine authentication is correct, but new users cannot get the user certificate and authentication fails.

We have machines that will be used by more than one user at any time. How can we make auto-enrollment work in these cases? Please help us with this issue.

Accepted Solution

hslai
Cisco Employee

I would suggest the following:

  • In NAM, create two networks -- one for machine-auth only and the other for machine-auth + user-auth. The users need to be allowed to select and fall back to machine-auth.
  • In ISE, give limited access for auto-enroll when machine-auth only. And give full access when both auths succeed.
