Cisco ISE - EAP-TLS - Machine / User Authentication - Multiple Certificate Authentication Profiles (CAP)

Steve Sewa
Level 1

Hello,

I'm trying to do machine and user authentication using EAP-TLS and digital certificates.  Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.

In ISE, I can define multiple Certificate Authentication Profiles (CAP).  For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name

The problem is how to tell ISE to check both in the Authentication Policy. The Identity Source Sequence only accepts one CAP, so if I create an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert but fail on the user cert.

Any way to resolve this?

Thanks,

Steve
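To make the mismatch concrete, here is an added example (my own, not from the thread or from Cisco) that models what a Certificate Authentication Profile does: it picks one SAN field out of the client certificate and uses it as the principal username. CAP1 reads SAN:DNS, CAP2 reads SAN:Other Name (the Microsoft UPN otherName, OID 1.3.6.1.4.1.311.20.2.3). The two sample SAN extensions are constructed inline with a small DER encoder, so nothing is fetched from a real certificate; the CAP names, hostname and UPN are hypothetical.

```python
# Added example, not code from the original thread or from Cisco ISE.
# Models two CAPs reading different SAN fields as the principal username.
# CAP1_Machine = SAN:DNS, CAP2_User = SAN:Other Name (UPN). Sample data is
# constructed inline; hostname, UPN and CAP names are hypothetical.

UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft userPrincipalName otherName type-id


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short or long definite length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _der(0x06, bytes(body))


def san_with_dns(hostname: str) -> bytes:
    """SAN = SEQUENCE { dNSName [2] IMPLICIT IA5String } (machine cert style)."""
    return _der(0x30, _der(0x82, hostname.encode("ascii")))


def san_with_upn(upn: str) -> bytes:
    """SAN = SEQUENCE { otherName [0] { type-id OID, value [0] EXPLICIT UTF8String } }."""
    value = _der(0xA0, _der(0x0C, upn.encode("utf-8")))
    return _der(0x30, _der(0xA0, _der_oid(UPN_OID) + value))


def _tlvs(data: bytes):
    """Yield (tag, content) for each DER TLV in data."""
    i = 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:                      # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        yield tag, data[i:i + n]
        i += n


def _decode_oid(body: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER body back to dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def general_names(san_der: bytes) -> dict:
    """Return {'dns': [...], 'upn': [...]} from a DER-encoded SAN extension value."""
    outer = list(_tlvs(san_der))
    if len(outer) != 1 or outer[0][0] != 0x30:
        raise ValueError("SAN extension must be a single SEQUENCE")
    names = {"dns": [], "upn": []}
    for tag, content in _tlvs(outer[0][1]):
        if tag == 0x82:                   # dNSName
            names["dns"].append(content.decode("ascii"))
        elif tag == 0xA0:                 # otherName: only the UPN type-id matters here
            parts = list(_tlvs(content))
            if _decode_oid(parts[0][1]) == UPN_OID and parts[1][0] == 0xA0:
                inner_tag, inner = next(_tlvs(parts[1][1]))
                if inner_tag == 0x0C:     # UTF8String
                    names["upn"].append(inner.decode("utf-8"))
    return names


# Which SAN field each CAP uses as the principal username (CAP names are hypothetical).
CAPS = {"CAP1_Machine": "dns", "CAP2_User": "upn"}


def principal_username(san_der: bytes, cap: str):
    """Username a single CAP would extract; None means the CAP yields no identity."""
    found = general_names(san_der)[CAPS[cap]]
    return found[0] if found else None


def select_cap(san_der: bytes):
    """Try each CAP in order; return (cap, username) for the first that yields a name."""
    for cap in CAPS:
        name = principal_username(san_der, cap)
        if name is not None:
            return cap, name
    return None, None


if __name__ == "__main__":
    samples = {"machine cert": san_with_dns("ws01.corp.example"),
               "smartcard user cert": san_with_upn("jdoe@corp.example")}
    for label, san in samples.items():
        print(f"{label}: CAP1 alone -> {principal_username(san, 'CAP1_Machine')!r}, "
              f"best CAP -> {select_cap(san)}")
```

Run stand-alone, the machine cert resolves under CAP1 but the smartcard cert yields None under CAP1, which is exactly the failure the question describes when a sequence can only hold one CAP. A certificate with neither field gives (None, None), so the caller still has to treat "no identity extracted" as an authentication failure rather than falling through.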

2 Replies

jan.nielsen
Level 7

You need to use the AnyConnect NAM supplicant on your Windows machines and use the feature called EAP chaining for that; Windows' own supplicant won't work.

An example (it uses user/pass, but the concept is the same):

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

Philip91
Level 1

Hello Steve,

did you find a solution for the issue? I think the solution wasn't EAP chaining. As I understand it, your problem is that you cannot separate the authentication rules so that the request for XX goes to CAP1 and the request for YY goes to CAP2, correct?

The problem is that there is no way to differentiate the certificates in the auth rules.

Greetings

Philip