Cisco ISE 802.1x Machine Authentication Cert EAP-TLS

rmoat
Level 1

Hello,

I've been tasked with helping roll out 802.1x on our network, and am primarily over the Windows side of setting up group policies for Machine Certificate Auto Enrollment, and configuring the authentication methods. Because the networking team will primarily be handling the Cisco ISE portion of 802.1x, there is quite a large disconnect about what needs to be done. I'm trying to find good documentation between Cisco ISE 802.1x and Windows 802.1x (Group Policies for setting the correct authentication type, Enterprise CA Certificates), but haven't found anything specific to this scenario. Most videos or guides I've found are only for PEAP (username/password) and EAP-TLS (certificate) combined.


We'd just like to use machine certificates to authenticate. From what I understand, I'd just set the network authentication method to "Microsoft: Smart Card or other certificate" and select the trusted root certification authorities. I just don't see any guides for this type of configuration. It would be nice if there was more information about how to set up Cisco ISE and the authentication settings within Windows to match for this scenario. Are there any guides/documentation that you know of for EAP-TLS only? Or are PEAP and EAP-TLS both necessary to work with Cisco ISE/Windows clients?


I also am not sure what Cisco ISE requires as a subject name for certificates to work (both Mac & PC):


Accepted Solution

Mike.Cifelli
VIP Alumni
Under the assumption that the network team knows how to set up the ISE RADIUS policies to support dot1x with the proper cap profile, authz profiles, identity source sequences, etc., it looks like you are on the right track. I did not see you mention ensuring that the Wired AutoConfig service is running. That can be added to the GPO too. Change your auth mode to computer only. As for PEAP, that adds an extra layer of encapsulation, so PEAP(EAP-TLS) is definitely secure and the recommended way. As for Windows documentation for configuration, you should be able to do a quick Google search. Another place I like to recommend is: http://labminutes.com/video/sec (Do a search for 802.1x. Free tutorials.)
HTH!
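As an added example, not part of the thread or of any Cisco or Microsoft documentation: a PowerShell pre-flight check for the client-side pieces the answer lists (Wired AutoConfig running, a machine certificate in the computer store that chains to the trusted root), which also prints each certificate's Subject and SAN so they can be compared with whatever identity field the ISE certificate authentication profile is configured to read. It assumes you fill in the root CA thumbprint (placeholder below) and that the Client Authentication EKU is required on the client certificate, as the Windows EAP-TLS supplicant expects.

```powershell
# Added pre-flight check, not from the thread. Run in an elevated PowerShell on the client.
# Assumption: $RootThumbprint is the thumbprint of the CA the ISE policy trusts (placeholder).
param([string]$RootThumbprint = 'PLACEHOLDER-ROOT-CA-THUMBPRINT')

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, needed on an EAP-TLS client cert
$issues = @()

# 1. Wired AutoConfig (dot3svc): if it is not running, the wired supplicant never starts.
$svc = Get-Service -Name dot3svc
if ($svc.Status -ne 'Running' -or $svc.StartType -ne 'Automatic') {
    $issues += "dot3svc is $($svc.Status)/$($svc.StartType); expected Running/Automatic (set via GPO)"
}

function Test-ClientAuthEku([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            return [bool]($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
        }
    }
    return $false   # no EKU extension at all: treat as not usable for EAP-TLS
}

# 2. A usable machine certificate: private key present, not expired, Client Authentication EKU.
$now = Get-Date
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt $now -and (Test-ClientAuthEku $_)
}
if (-not $certs) { $issues += 'No machine certificate with a private key and the Client Authentication EKU' }

foreach ($cert in $certs) {
    # 3. The chain must build (default policy includes an online revocation check) to the expected root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $ok = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if (-not $ok -or $root.Thumbprint -ne $RootThumbprint) {
        $issues += "Cert $($cert.Thumbprint) chains to '$($root.Subject)' (Build=$ok), not the expected root"
    }
    # 4. Identity fields: compare these with what the ISE certificate authentication profile reads.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        SAN        = if ($san) { $san.Format($false) } else { '(none)' }
        Expires    = $cert.NotAfter
        ChainOk    = $ok
    }
}

if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Client-side EAP-TLS prerequisites look OK' }
```

Run it on a test machine after the auto-enrollment GPO has applied; every warning it prints corresponds to a reason the supplicant would fail before ISE ever evaluates its policy.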


2 Replies


Thanks so much, Mike! Very much appreciated. It's really great to know that PEAP(EAP-TLS) is the recommended way, as I can get on the same page as the networking team when we sit down and hash out the configuration together. I've done a bit of research, and there are so many different guides, so I appreciate the link to the labminutes videos. Thank you!
-Ryan