Cisco ISE 2.4 Authentication Problem
03-05-2019 10:23 PM
Hi, I am new to Cisco ISE.
My Cisco ISE version is 2.4.0.357.
In my environment, there are a lot of thin clients which are not in the domain, and they will not be in the domain in the future. I want these thin clients to join the network after passing 802.1X.
How can I achieve this goal with the help of Cisco ISE?
Please help.
03-06-2019 12:11 AM
Hi,
You could do EAP-TLS authentication for those clients by creating certificates for them.
Create a CAP (Certificate Authentication Profile) in ISE that will check the CN field of the certificate or the SAN-DNS field,
BUT don't perform any AD lookup in the CAP.
Use this CAP in the authentication policy.
Then in the authorization policy you can match on certificate fields as conditions to apply policies like VLAN/DACL ....
OR, as a less secure method, use MAB authentication by adding the MAC addresses of those devices to the ISE database, or use an external database like LDAP.
I hope this helps.
Please rate.
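Added example (not part of the reply above, and not Cisco's or the poster's code): issuing a client certificate for one thin client from a throwaway lab CA with openssl, then printing the CN and SAN-DNS values that a CAP like the one described would read the identity from. The CA name, host name and file names are constructed placeholders, and the clientAuth EKU and key usage are assumptions about a typical EAP-TLS client certificate.

```bash
#!/usr/bin/env bash
# Added example: lab CA, host name and file names are constructed placeholders.
set -eu
HOST="thinclient01.example.internal"

# Create a throwaway lab root CA (key + self-signed certificate) in directory $1.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=Example Lab/CN=Example Lab Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Issue a client certificate for host $2, signed by the CA in directory $1.
# The host name goes into both the CN and the SAN-DNS field.
issue_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Lab/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  printf '%s\n' "basicConstraints=CA:FALSE" "keyUsage=digitalSignature" \
    "extendedKeyUsage=clientAuth" "subjectAltName=DNS:$2" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 90 -sha256 -extfile "$1/$2.ext" \
    -out "$1/$2.pem" 2>/dev/null
}

# Print the subject CN of certificate $1.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# Print every SAN-DNS entry of certificate $1, one per line.
cert_san_dns() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Print "yes" if certificate $2 chains to CA $1 and is valid for client auth.
chain_ok() {
  if openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
  then echo yes; else echo no; fi
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
make_ca "$work"; issue_client_cert "$work" "$HOST"
echo "CN=$(cert_cn "$work/$HOST.pem") SAN-DNS=$(cert_san_dns "$work/$HOST.pem")"
echo "chains to lab CA: $(chain_ok "$work/ca.pem" "$work/$HOST.pem")"
```

The CA certificate (`ca.pem`) is what the RADIUS server has to trust for the client certificates to validate; the private keys never leave the issuing host and the client.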
03-06-2019 05:10 AM
Is there any helpful documentation about what you wrote (EAP-TLS authentication)? Because I am confused by the documentation.
03-06-2019 08:46 AM
http://www.labminutes.com/video/sec
HTH!
03-06-2019 11:03 PM
03-07-2019 12:32 AM
I know this is a little bit complicated as Mike mentioned, you need to have a PKI that signs certificates and you need to configure EAP-TLS on the Windows devices.
Check on the internet as well about CAP configuration in ISE.
03-10-2019 12:19 AM
