Cisco cert portal machine authentication WIFI

pcno
Level 1

How can I do the following requirement? Please send me a screenshot of the policy set and supplicant provisioning (adapter config).

I want to download a certificate from the certificate provisioning portal and then install it as a machine certificate (local cert), and when I click on Wi-Fi to connect it should do the authentication and I should get full access...

Steps I have taken till now:

* Configured the Cisco certificate provisioning portal.
* Downloaded a certificate from the portal and installed it in the Personal folder of certlm.msc (local machine).
* Configured the client Wi-Fi adapter to use "Microsoft: Smart Card or other certificate" and selected ISE01.domain.com as the certificate.

ISE Policy:

Allow EAP PEAP-TLS
Authentication: ALL AD join point
Authorisation: EAP TLS = full access.

But this is not working because in the authentication there is no username/password involved...

Can anyone help me with this requirement?

4 Replies

Greg Gibbs
Cisco Employee

This is related to your previous post:
How to machine Authenticate in Wireless BYOD

 

To repeat... ISE can ONLY enrol User certificates and the Internal CA is only supported for the BYOD use case.

The Windows supplicant has specific requirements for how it determines if a certificate is valid to present to the RADIUS server when using 802.1x. You cannot simply generate a User certificate and copy it into the Computer certificate store. Windows does not consider a certificate valid for 802.1x when it does not have the key and the key is generated as part of the certificate enrolment.

I do not believe there is a way to game the system and make this work, but you would need to seek confirmation from Microsoft.
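The conditions described above (certificate in the Computer store, private key present, usable for client authentication, chains to a trusted root) can be checked on the Windows client before touching the ISE policy set. The following PowerShell is an added example, not code from the thread or from Cisco; it assumes the certificate was installed in the Local Computer Personal store and uses the subject name Test_PC mentioned later in the thread as a placeholder.

```powershell
# Added example (not from the original thread). Inspect certificates in the
# Local Computer Personal store (certlm.msc -> Personal -> Certificates) and
# report the properties the Windows supplicant needs for EAP-TLS / 802.1X:
#   - the certificate is in Cert:\LocalMachine\My
#   - the private key is present (HasPrivateKey); a cert imported from a .cer
#     file without its key will show $false here and will not be offered
#   - it carries the Client Authentication EKU (1.3.6.1.5.5.7.3.2)
#   - it is within its validity period and chains to a trusted root
# 'Test_PC' is an assumed subject name; replace it with the target machine's.
$subjectName = 'Test_PC'

$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$subjectName*" }

if (-not $certs) {
    Write-Warning "No certificate with CN=$subjectName found in LocalMachine\My."
    return
}

foreach ($cert in $certs) {
    # EnhancedKeyUsageList is the PowerShell view of the EKU extension.
    $clientAuth = $cert.EnhancedKeyUsageList |
        Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' }

    # Subject Alternative Name extension (OID 2.5.29.17), if present.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

    # Build the chain against the machine's trust stores. Revocation checking
    # is disabled so the check works offline; re-enable it for a real audit.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        SAN           = $san
        HasPrivateKey = $cert.HasPrivateKey
        ClientAuthEKU = [bool]$clientAuth
        NotBefore     = $cert.NotBefore
        NotAfter      = $cert.NotAfter
        ChainBuilds   = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}
```

Run it in an elevated PowerShell session on the target PC. A row with HasPrivateKey = False or ClientAuthEKU = False is the supplicant-side explanation for the client never answering the EAP identity request with a certificate; a ChainBuilds = False with UntrustedRoot in ChainStatus means the issuing CA is not in the Computer's Trusted Root store, which is a separate fix from the ISE policy set.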

You are not getting the point... This is not BYOD :) There is an option in ISE called the certificate provisioning portal. Once you have configured it, you can download a certificate with the common name set to the computer name and the SAN set to the MAC address... When you install this certificate on a Windows machine it asks for one of two options, local user or machine...

So I installed it as local machine and did the authentication, and it failed. But under the authentication rule options I changed Reject to Continue, and I got success and permit access... Please check the attached screenshot for more.

HERE IS WHAT I WANT.

As an admin I open my cert provisioning portal in Google Chrome, then I download a certificate with the MAC and name of the target PC.

Now I copy the cert, go to the target computer and install it as a local cert (check screenshot).

Now when I click Connect on the target machine for the Wi-Fi SSID it should use this machine certificate and do the authentication (the Wi-Fi adapter is configured to use this cert for authentication).

Please help me with a good policy and setup.

I absolutely understand what you are trying to do, but I do not expect this will work. Regardless of whether you are provisioning the certificate manually via the Provisioning Portal or automatically via the BYOD flow, the ISE Internal CA is ONLY supported for BYO devices.

What you are trying to do is essentially use ISE for the function typically provided by an Enterprise CA (like Active Directory Certificate Services). This is NOT supported and will likely NOT work. The ISE CA is only built to enrol user certificates for BYO devices.

ISE has no control over the Windows supplicant and cannot force the supplicant to present a certificate for 802.1x. The Windows supplicant has its own requirements that must be met before it will reply to the identity request from the RADIUS server (ISE) with its certificate.

If you were to do a packet capture on the client, I suspect what you would see is that the client sees the request for identity from ISE, but does not respond with a certificate.

If the client is in fact presenting a certificate and you just need to know how to configure a Policy Set for Wireless 802.1x, see the configuration example here:

Configure EAP-TLS Authentication with ISE

Thank you as always for helping me. I have re-checked the logs and I can see the certificate is used and processed by ISE. I am attaching a live log screenshot along with my policy set.

Test_PC is the machine name and Common name of the cert issued via the certificate management portal.

Can you please check the attachment and tell me how it is working for me when the Internal CA is only supposed to work for user authentication?

Thanks
Priyesh
