07-29-2019 02:58 AM
Hello Everyone ,
I would like any help anyone can provide with the problem we face, which is described below.
We have a deployment of two PAN and PSN nodes.
We perform user and machine authentication with the EAP-TLS method using certificates.
When the machine boots, it is authenticated against AD using the machine certificate, and if it is authenticated
it is assigned to a specific VLAN through an ISE authorization profile.
Then I try to log in with a user account, which will also be authenticated through a certificate.
The issue is that when a user first logs in to a domain computer and does not yet have the certificate, they are not able to be authenticated. Then, when the enrollment is completed, the supplicant is again not able to send me the certificate in order to be authenticated.
Has anyone had a similar issue and/or a solution?
Thank You,
Palaiologos
07-29-2019 05:53 AM
07-29-2019 06:50 AM
You technically wouldn't need to use EAP chaining if you are making the assumption that the presence of a certificate being presented by the device means it is a corporate device. As Mike said, you need to have a computer-based policy that would allow for user certificate enrollment. The first-time user login when doing certificates can be a challenge.
Also, doing VLAN switches based on user login is something I advise against, but your experience may vary. Getting the computer to renew its IP after the VLAN switch can be a challenge. There are ways to do it, but I usually avoid VLAN moves if possible.
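A diagnostic script for the first-login case discussed in this thread, added here as an example and not posted by either participant: it checks whether the logged-on user already holds a certificate the Windows supplicant could present for EAP-TLS (private key, not expired, Client Authentication EKU), and if not, forces an AD CS autoenrollment pass. It assumes a Windows supplicant with GPO-based user autoenrollment already configured; the template name and CA reachability are not checked.

```powershell
# Added example (not from the thread). Checks for an EAP-TLS usable user
# certificate and triggers autoenrollment when none is present.
# Assumes GPO-based AD CS user autoenrollment is already in place.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-EapTlsUserCert {
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

$cert = Get-EapTlsUserCert
if ($null -eq $cert) {
    Write-Output 'No EAP-TLS capable user certificate found; requesting autoenrollment...'
    # Runs a user-context autoenrollment pass now instead of waiting for the
    # scheduled task. It only succeeds if the CA is reachable from the VLAN
    # the machine authentication landed the host in.
    certutil -user -pulse | Out-Null
    Start-Sleep -Seconds 10
    $cert = Get-EapTlsUserCert
}

if ($null -eq $cert) {
    Write-Warning 'Still no user certificate. Check the template Autoenroll ACL and CA reachability from the machine-auth VLAN.'
} else {
    Write-Output ("User cert present: {0} (expires {1})" -f $cert.Subject, $cert.NotAfter)
    # The supplicant only presents the new certificate on the next 802.1X
    # attempt. Restarting Wired AutoConfig forces that re-authentication;
    # renew DHCP afterwards in case the authorization profile moved the VLAN.
    Restart-Service dot3svc
    Start-Sleep -Seconds 5
    ipconfig /renew | Out-Null
}
```

Run it in the user's session after the first logon; the warning branch points at the two usual causes of the "enrollment completed but still not authenticated" symptom, a template the user cannot autoenroll against and a CA that is unreachable from the pre-enrollment VLAN.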