10-03-2012 09:52 PM - edited 03-10-2019 07:38 PM
Dear all,
Can anyone help me out with configuring dot1x plus certificate authentication on the ISE box? We have an ISE 3315 running version 1.1.1, on which we need to configure certificate-based authentication. The idea is that we want to restrict access for devices that are not company assets, meaning employees' personal assets need to be restricted if they try to connect to the company network.
How can we configure dot1x plus certificate-based authentication on the Cisco ISE box?
Can anyone help me out to resolve this kind of issue?
Thanks
Pranav
10-06-2012 02:29 PM
Pranav,
Here are the steps for activating/verifying that machine authentication is enabled on Win7 clients:
Also, here are the steps for configuring the cache timer for machine access restriction in ISE:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.html#wpxref37158
Here is some background about how ISE enforces machine access restriction:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_authz_polprfls.html#wp1116684
In your authorization policy for domain users you will have to add the condition "was machine authenticated" and set it to true.
Tarik Admani
*Please rate helpful posts*
10-03-2012 09:55 PM
Pranav,
Have you considered machine authentication + user authentication? You can achieve the same results without having to deploy EAP-TLS and certs if you haven't already. For your user authentication you can add the condition "wasmachineauthenticated" to your session. Are you allowing these same users to gain access with personal mobile devices?
Thanks,
Tarik Admani
*Please rate helpful posts*
10-03-2012 10:00 PM
Tarik,
Currently we do not have machine accounts in AD, so can we still achieve machine authentication + user authentication?
10-04-2012 01:01 PM
Tarik,
We are only looking at personal machines like laptops that will connect to a dot1x port.
If the asset is a company asset then it will go through the authentication/authorization process. If it is not a company asset then network access will be restricted or connectivity limited.
It would be great if you could help me out with this, or with any workaround for the same.
Thanks
Pranav
10-06-2012 09:40 AM
Pranav,
You mentioned that if the asset is a "company asset" it gets access; that leads me down the path that these machines are members of your AD domain, correct (the domain computers group should have an entry for these machine accounts)? If so, please use machine access restrictions to move past this issue.
thanks,
Tarik Admani
*Please rate helpful posts*
10-06-2012 10:50 AM
Hi Tarik,
Thanks for your reply. Can you please guide me on how to achieve this using machine authentication?
Can you please tell me the configuration steps that need to be done?
Thanks
Pranav
10-06-2012 11:43 AM
Which OS are your machines running?
10-06-2012 12:18 PM
Win 7 32/64 bit, Win Vista 32/64 bit and Win XP 32/64 bit
10-09-2012 09:45 PM
Hi Tarik,
Thanks for your reply. Just for my knowledge, can you please provide me with any documents on setting up certificate authentication through ISE?
Thanks
Pranav
09-04-2018 12:23 PM
Machine authentication is not a dependable solution for identifying AD member computers. There are many caveats, and users will face multiple Wi-Fi issues. The most basic issue is that Windows clients can do either machine authentication or user authentication, but not both, during a wireless authentication process (unless you use a third-party EAP chaining tool such as the ISE AnyConnect agent). There are other issues with cache timeout, users switching between wired and wireless, etc.
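Tarik's description of machine access restriction (the "was machine authenticated" condition plus its cache timer) and the caveats raised in the 2018 reply can be seen together in a small model of the MAR cache check. This is an added Python illustration, not ISE code; the MAC addresses, timestamps and the 6-hour aging value (ISE's default) are constructed or assumed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Model of ISE Machine Access Restriction (MAR): a successful machine
# (computer-account) authentication is remembered per endpoint MAC for an
# aging time, and a later user login from that MAC is treated as "WasMachineAuthenticated".
@dataclass
class MarCache:
    aging_hours: int = 6  # assumed: ISE's default MAR aging time
    _seen: dict = field(default_factory=dict)

    def record_machine_auth(self, mac: str, at: datetime) -> None:
        """Called when the computer account (host/...) authenticates."""
        self._seen[mac.lower()] = at

    def was_machine_authenticated(self, mac: str, at: datetime) -> bool:
        """The check the authorization rule evaluates for a user login."""
        ts = self._seen.get(mac.lower())
        return ts is not None and at - ts <= timedelta(hours=self.aging_hours)


def authorize_user(cache: MarCache, mac: str, user_auth_ok: bool,
                   at: datetime) -> str:
    """Authorization result for a domain-user login from endpoint 'mac'."""
    if not user_auth_ok:
        return "REJECT"
    if cache.was_machine_authenticated(mac, at):
        return "PERMIT_FULL"        # company asset: full access
    return "PERMIT_RESTRICTED"      # personal asset: limited connectivity


def demo() -> dict:
    """Constructed MACs and times: one hit, one miss, and the two caveats."""
    cache = MarCache(aging_hours=6)
    t0 = datetime(2012, 10, 8, 8, 0)
    corp_wired, corp_wifi = "00:11:22:aa:bb:01", "00:11:22:aa:bb:02"
    personal = "00:11:22:cc:dd:03"
    cache.record_machine_auth(corp_wired, t0)  # corporate laptop boots on a wired port
    return {
        "corporate_same_nic": authorize_user(cache, corp_wired, True, t0 + timedelta(minutes=5)),
        "personal_laptop": authorize_user(cache, personal, True, t0 + timedelta(minutes=5)),
        # caveat: Wi-Fi adapter presents a different MAC, so MAR has no record for it
        "corporate_moved_to_wifi": authorize_user(cache, corp_wifi, True, t0 + timedelta(minutes=30)),
        # caveat: the cache entry aged out before the user re-authenticated
        "corporate_after_aging": authorize_user(cache, corp_wired, True, t0 + timedelta(hours=7)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} -> {result}")
```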