02-19-2020 11:08 AM
Dear Experts,
One of my customers wants to achieve the following using ISE:
When a domain user connects to an SSID from a workgroup machine (non-domain), it should only be able to connect if it has the root CA of AD installed.
I am not sure if this is even possible. I am sure he asked about doing it via EAP-PEAP.
Now coming to the second possible case, is it doable via EAP-TLS? In EAP-TLS my concern is: how will the user get the certificate from AD CS on a workgroup machine?
02-19-2020 02:06 PM
With PEAP, the supplicant configuration determines if the client is required to trust the identity certificate presented by the server (ISE, in this case). If the supplicant is not configured for 'Verify the server's identity by validating the certificate' then the client will accept any server certificate for PEAP authentication. ISE has no control over the native supplicant, so there is no way to enforce this on a Windows device that is not managed by an MDM or Domain Policy.
With EAP-TLS, the server must trust the client certificate, so the client would have to present a certificate that was signed by a CA trust chain that exists in the ISE Trusted Certificates store. The supplicant setting for 'Verify the server's identity by validating the certificate' can still be disabled on an unmanaged client.
If using EAP-TLS, you would still have to work out how the unmanaged client would be provisioned with a certificate. This is essentially a BYOD use case, so I would suggest reviewing the following documents as a start:
ISE BYOD Prescriptive Deployment Guide
BYOD Cisco Validated Design (an older document, but still relevant)
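The two supplicant settings the answer above turns on are stored in the Windows WLAN profile XML (PEAP's PerformServerValidation / ServerValidation elements) and, for EAP-TLS, in which client certificates the user's personal store can offer. The following PowerShell is an added example for this thread, not code from the original post or from Cisco: it audits a profile for the weak and hardened forms of those settings, checks that a pinned root CA is actually present in the machine Trusted Root store, and lists EAP-TLS-capable client certificates. The SSID "CorpWiFi", the server name "ise.example.com" and the root-CA thumbprint are placeholders, and the two profile snippets are constructed and trimmed to the PEAP element (a real export carries the whole profile).

```powershell
# Added example (not from the original thread): audit a Windows native-supplicant
# WLAN profile for PEAP server validation and list EAP-TLS client certificates.
# Placeholders: SSID "CorpWiFi", server name "ise.example.com", root-CA thumbprint.

function Get-PeapProfileAudit {
    [CmdletBinding()]
    param([Parameter(Mandatory)][xml]$ProfileXml)

    # GetElementsByTagName matches local names, so the MsPeap* namespaces do not matter here
    $psv      = @($ProfileXml.GetElementsByTagName('PerformServerValidation'))[0]
    $noPrompt = @($ProfileXml.GetElementsByTagName('DisableUserPromptForServerValidation'))[0]
    $names    = @($ProfileXml.GetElementsByTagName('ServerNames'))[0]
    $roots    = @($ProfileXml.GetElementsByTagName('TrustedRootCA')) |
                ForEach-Object { ($_.InnerText -replace '\s', '').ToUpper() }

    $validates = [bool]($psv -and $psv.InnerText -eq 'true')
    $findings  = @()

    if (-not $validates) {
        $findings += 'PerformServerValidation is not true: the supplicant accepts any server certificate, so a rogue AP can capture the inner MSCHAPv2 exchange'
    } else {
        if ($roots.Count -eq 0) { $findings += 'No TrustedRootCA pinned: any CA in Cert:\LocalMachine\Root is accepted' }
        if (-not ($names -and $names.InnerText.Trim())) { $findings += 'ServerNames is empty: the server certificate subject is not checked' }
        if (-not ($noPrompt -and $noPrompt.InnerText -eq 'true')) { $findings += 'DisableUserPromptForServerValidation is not true: the user can click through a validation failure' }
    }

    # A pinned thumbprint only helps if that root is installed on the workgroup machine
    foreach ($t in $roots) {
        if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $t)) {
            $findings += "Pinned root CA $t is not in Cert:\LocalMachine\Root; install the AD root CA or the connection will fail"
        }
    }

    [pscustomobject]@{
        Profile   = $ProfileXml.WLANProfile.name
        Validates = $validates
        Roots     = $roots
        Findings  = $findings
    }
}

function Get-EapTlsClientCandidate {
    # Certificates the native supplicant could offer for EAP-TLS: Client Authentication
    # EKU (1.3.6.1.5.5.7.3.2), private key present, not expired. On a workgroup machine
    # this list is empty until the user has been provisioned (e.g. via ISE BYOD flow).
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq '1.3.6.1.5.5.7.3.2')
    } | Select-Object Subject, Issuer, NotAfter, Thumbprint
}

# Constructed, trimmed profile: the weak setting (server identity not verified)
$weak = [xml]@"
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
    <ServerValidation>
      <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
      <ServerNames></ServerNames>
    </ServerValidation>
    <PeapExtensions>
      <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
    </PeapExtensions>
  </EapType>
</WLANProfile>
"@

# Constructed, trimmed profile: the hardened setting (validate, pin root CA, check name, no prompt)
$hard = [xml]@"
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
    <ServerValidation>
      <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
      <ServerNames>ise.example.com</ServerNames>
      <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
    </ServerValidation>
    <PeapExtensions>
      <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
      <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</AcceptServerName>
    </PeapExtensions>
  </EapType>
</WLANProfile>
"@

Get-PeapProfileAudit $weak | Format-List
Get-PeapProfileAudit $hard | Format-List   # placeholder thumbprint will be flagged as not installed

# Audit the profiles actually installed on this machine
$dir = Join-Path $env:TEMP 'wlan-audit'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
netsh wlan export profile folder="$dir" | Out-Null
Get-ChildItem "$dir\*.xml" | ForEach-Object {
    Get-PeapProfileAudit ([xml](Get-Content $_.FullName -Raw))
} | Format-List

Get-EapTlsClientCandidate | Format-Table -AutoSize
```

This only detects the weak configuration; it cannot enforce the hardened one. A local administrator on a workgroup machine can re-import a profile with validation switched off at any time, which is the answer's point that without MDM or Group Policy pushing the profile, ISE cannot require the supplicant to check its certificate.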