Cisco ISE - User and Machine Authentication - Certificated Based -New User

pgiouvanellis
Level 1

Hello Everyone,

 

I would like any help anyone can provide with the problem we face that is described below.

 

We have a deployment of two PAN and PSN nodes.

We perform User and Machine Authentication with the EAP-TLS method through certificates.

 

When the machine boots it is authenticated against AD using the machine certificate, and if it is authenticated it is assigned to a specific VLAN through an ISE authorization profile.

 

Then I try to log in with a user account, which will also be authenticated through a certificate.

 

The issue is that when a user first logs in to a domain computer and does not yet have the certificate, it is not able to be authenticated. The issue is that when the enrollment is completed, again the supplicant is not able to send me the certificate in order to be authenticated.

 

Has anyone had a similar issue and/or found a solution?

 

Thank You,

Palaiologos

2 Replies

Mike.Cifelli
VIP Alumni
I am under the assumption that you are utilizing eap-chaining in your scenario? If so, I would attempt to drive separate policies by using EAP-Chaining Result EQUALS (comp fail/user fail; comp pass/user fail; comp pass/user pass). Are you unable to force a CoA upon successful user cert enrollment?

paul
Level 10

You technically wouldn't need to use EAP chaining if you are making the assumption that the presence of a certificate being presented by the device means it is a corporate device. As Mike said, you need to have a computer-based policy that would allow for user certificate enrollment. The first-time user login when doing certificates can be a challenge.

 

Also, doing VLAN switches based on user login is something I advise against, but your experience may vary. Getting the computer to renew its IP after the VLAN switch can be a challenge. There are ways to do it, but I usually avoid VLAN moves if possible.
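Both replies point at the same gap: the first user logon has no user certificate yet, so the computer-based policy has to leave enough access for enrollment, and after enrollment the supplicant has to re-authenticate with the new certificate. As an added example that is not part of this thread and not Cisco or Microsoft code, the following PowerShell script can be run on the Windows client in the user's session to confirm whether an EAP-TLS-usable user certificate actually exists in the user's personal store (private key present, not expired, Client Authentication EKU, issued by the expected CA) and, if it does not, to nudge autoenrollment. The issuer name is a placeholder you must replace with your own issuing CA's subject.

```powershell
# Added example, not from the original thread. Checks the logged-on user's
# certificate store for a certificate the 802.1X supplicant could use for
# EAP-TLS, and optionally asks autoenrollment to run now.
param(
    # Placeholder: replace with the subject of your issuing CA.
    [string]$ExpectedIssuer = 'CN=EXAMPLE-ISSUING-CA',
    [switch]$TriggerEnrollment
)

# Client Authentication EKU OID; EAP-TLS requires it on the user certificate.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-UserEapTlsCertificate {
    # Cert:\CurrentUser\My is the user's Personal store, which the Windows
    # supplicant searches for the user certificate.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            $_.Issuer -like "*$ExpectedIssuer*" -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
        }
}

$certs = @(Get-UserEapTlsCertificate)
if ($certs.Count -eq 0) {
    Write-Warning "No valid user certificate with the Client Authentication EKU from '$ExpectedIssuer' was found in CurrentUser\My."
    if ($TriggerEnrollment) {
        # Pulses the user autoenrollment task instead of waiting for its schedule.
        certutil -user -pulse | Out-Null
        Write-Host 'Autoenrollment pulse sent; re-run this script after a minute.'
    }
} else {
    Write-Host 'EAP-TLS-capable user certificate(s) present:'
    $certs | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
    # Current 802.1X state of the wired adapters, to confirm whether the
    # supplicant has re-authenticated since the certificate appeared.
    netsh lan show interfaces
}
```

Run it as the user who just logged on (not elevated, since the store queried is that user's). If the certificate is present but `netsh lan show interfaces` still shows the session in the machine-authenticated state, the supplicant has not re-run EAP with the user credential, which is the point where Mike's CoA-on-enrollment idea or a forced re-authentication applies; if the certificate is absent, the computer-based authorization the first logon landed in is not reaching the CA, and that is the policy to inspect first.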