Cisco ISE 2.4 2FA machine certificate + user credentials

CelalCELIK7831
Level 1

Hi everyone,

I have a request for a customer. They are using laptops in a WORKGROUP, not a domain.

* They want to check the machine certificate on the laptops + user credentials. For secure access, both should match.

* They don't want to use Cisco AnyConnect NAM.

 

Do you have any recommendations for the purpose?

 

Best.

 

1 Accepted Solution

Mike.Cifelli
VIP Alumni
My two cents on the request and things to consider:
If the laptops are not part of a domain, then I assume that your IT staff would configure the local accounts used to access the workstations. Therefore, what is the desire to check the username? If the workstations are not part of the domain, what will be your process for deploying computer certificates? Based on the brief information, it sounds like the desire is to utilize EAP-FAST for EAP chaining. If that is the case, you will be forced to use AnyConnect NAM because AFAIK the Windows native supplicant does not support EAP-FAST or its industry-standard equivalent yet.
Good luck & HTH!
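To make the "both must match" requirement concrete, here is an added example (not code from this thread, Cisco, or ISE itself) that models how an authorization policy consumes an EAP chaining outcome. The attribute name `Network Access:EapChainingResult` and its string values are written from memory and should be treated as an assumption; the profile names are invented for the illustration. The point it shows is that without chaining, a single 802.1X session only ever proves one factor, so a policy that requires both cannot be satisfied by a native-supplicant PEAP or EAP-TLS session alone.

```python
"""Model of an ISE-style authorization policy that requires both a machine
certificate and user credentials (EAP chaining).  Example code, not ISE's own."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class EapChainingResult(str, Enum):
    # Assumed values of the ISE attribute Network Access:EapChainingResult.
    NO_CHAINING = "No chaining"
    BOTH_SUCCEEDED = "User and machine both succeeded"
    USER_FAILED_MACHINE_SUCCEEDED = "User failed and machine succeeded"
    USER_SUCCEEDED_MACHINE_FAILED = "User succeeded and machine failed"
    BOTH_FAILED = "User and machine both failed"


@dataclass
class AuthSession:
    """One 802.1X session as seen by the RADIUS server.

    None means the factor was never presented in this session, which is what
    happens with a native supplicant doing plain EAP-TLS (machine only) or
    PEAP-MSCHAPv2 (user only).  With EAP-FAST chaining both are present.
    """
    machine_cert_valid: Optional[bool]   # client cert chains to corporate CA?
    user_cred_valid: Optional[bool]      # inner username/password accepted?


def chaining_result(session: AuthSession) -> EapChainingResult:
    """Derive the chaining attribute the way a RADIUS server would set it."""
    if session.machine_cert_valid is None or session.user_cred_valid is None:
        return EapChainingResult.NO_CHAINING
    if session.machine_cert_valid and session.user_cred_valid:
        return EapChainingResult.BOTH_SUCCEEDED
    if session.machine_cert_valid:
        return EapChainingResult.USER_FAILED_MACHINE_SUCCEEDED
    if session.user_cred_valid:
        return EapChainingResult.USER_SUCCEEDED_MACHINE_FAILED
    return EapChainingResult.BOTH_FAILED


# Ordered authorization rules (first match wins), as an ISE policy set would be.
# Profile names are hypothetical.
AUTHZ_RULES = [
    (EapChainingResult.BOTH_SUCCEEDED, "Employee-Full-Access"),
    # Corporate device but unknown/failed user: no employee network, only
    # enough to reach remediation or re-enrolment resources.
    (EapChainingResult.USER_FAILED_MACHINE_SUCCEEDED, "Machine-Only-Restricted"),
]
DEFAULT_PROFILE = "Deny-Access"


def authorize(session: AuthSession) -> str:
    """Return the authorization profile for a session.

    A valid user on an unverified device, or any session without chaining,
    falls through to the default deny: one factor is never enough here.
    """
    result = chaining_result(session)
    for wanted, profile in AUTHZ_RULES:
        if result == wanted:
            return profile
    return DEFAULT_PROFILE


if __name__ == "__main__":
    cases = {
        "EAP-FAST chaining, both good": AuthSession(True, True),
        "EAP-FAST chaining, bad password": AuthSession(True, False),
        "EAP-FAST chaining, non-corporate laptop": AuthSession(False, True),
        "native supplicant EAP-TLS (machine only)": AuthSession(True, None),
        "native supplicant PEAP (user only)": AuthSession(None, True),
    }
    for label, s in cases.items():
        print(f"{label:45s} -> {chaining_result(s).value:35s} -> {authorize(s)}")
```

Running the block prints one line per scenario; the two native-supplicant rows both end in the default deny, which is the practical consequence of Mike's point: if the customer insists on both factors in one session without NAM, the Windows built-in supplicant cannot produce the evidence the policy needs.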

2 Replies

Hi Mike,

Thanks for your reply.

So they don't use a domain, but this is their security standard. For employee networks, they want 2 conditions for access.

1. The laptops should be corporate devices (if they use a machine certificate only, they cannot log users. As you know, several users can use the same laptop).

2. Also, to have access to these networks, they should use a username and password, too.

And your other question (If the workstations are not part of the domain, what will be your process for deploying computer certificates?): I'm not sure which technology, but they have a solution for this. Actually, the reason not to use a domain is the first installation of the laptops. With an internet connection, inside or outside the company network, users can install new laptops automatically.

 

Thanks.