
Cisco ISE 2.4 Authentication Problem

bagiyevramin
Level 1

Hi, I am new to Cisco ISE.

My Cisco ISE version is 2.4.0.357

In my environment, there are a lot of thin clients which are not in the domain, and they will not be in the domain in the future. I want these thin clients to join the network after passing 802.1X.

How can I achieve this goal with the help of Cisco ISE?

Please help.

6 Replies

bern81
Level 1

Hi,

You could do EAP-TLS authentication for those clients by creating certificates for them.

Create a CAP (Certificate Authentication Profile) in ISE that will check the CN field of the certificate or the SAN-DNS field,

BUT don't perform any AD lookup in the CAP.

Use this CAP in the authentication policy.

Then, in the authorization policy, you can match on certificate fields as conditions to apply policies like VLAN/DACL ...

OR, as a less secure method, use MAB authentication by adding the MAC addresses of those devices to the ISE database, or use an external database like LDAP.

I hope this helps.

Please rate.
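
As an added example (not part of the thread and not Cisco's own procedure), this sketches the certificate side of the EAP-TLS approach described above, with OpenSSL standing in for an internal PKI. The CA name `Lab-8021X-CA`, the device name `thinclient01.lab.example` and all function names are constructed; the device name is placed in both the CN and the SAN-DNS field, the two fields the CAP is said to check.

```shell
#!/bin/sh
# Added example: stand-in lab PKI for non-domain thin clients (EAP-TLS).
# Lab-8021X-CA and thinclient01.lab.example are constructed names.
set -e

make_ca() {  # $1 = working directory
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Lab-8021X-CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

issue_client_cert() {  # $1 = working directory, $2 = device name
  # The device name goes into both CN and SAN-DNS, the fields the CAP can read.
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' \
    "$2" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

cert_identity() {  # $1 = certificate; prints the CN, then each SAN-DNS value
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
  openssl x509 -in "$1" -noout -ext subjectAltName | sed -n 's/^ *DNS://p'
}

verify_client_cert() {  # chain to the lab CA and require client-auth purpose
  openssl verify -purpose sslclient -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null 2>&1
}

# Demo run with the constructed device name.
work=$(mktemp -d)
make_ca "$work"
issue_client_cert "$work" thinclient01.lab.example
cert_identity "$work/thinclient01.lab.example.pem"
verify_client_cert "$work" thinclient01.lab.example && echo "chain + clientAuth OK"
```

Running `cert_identity` on an issued certificate before deploying it confirms that the value an authorization condition would match on is the one you intended.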

bern81, thank you for the reply. As I said, I am new to Cisco ISE.
Is there any helpful documentation about what you wrote (EAP-TLS authentication)? I am confused by the documentation.

@bern81 posted helpful information. IMO, unless you are familiar with PKI and/or if you don't already have an internal PKI setup, I would recommend moving forward with the MAB solution. Obviously this depends on your requirements, but it will be much easier to manage. If you are interested in 802.1X with EAP-TLS, you can find some good video tutorials here:
http://www.labminutes.com/video/sec
HTH!

@Mike.Cifelli thank you for the reply and link. I'll watch all these videos. Thank you.

Hi,

I know this is a little bit complicated, as Mike mentioned: you need to have a PKI that signs certificates, and you need to configure EAP-TLS on the Windows devices.
Check on the internet as well about CAP configuration in ISE.

@bern81 thank you for the reply, I'll check.