cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
728
Views
0
Helpful
1
Replies

EAP-PEAP - AD Root CA issue

illusion_rox
Level 1
Level 1

Dear Experts,

 

One of my customer wants to achieve the following use ISE

 When a domain user connects to SSID from a workgroup machine (non domain), it should only be able to connect if it has root CA of AD installed.

 

I am not sure if this is even possible? I am sure he asked about doing it via EAP-PEAP.

 

Now coming to second possible case, is it doable via EAP-TLS. In EAP-TLS my concern is, how will the user get the certificate from AD CS on a workgroup machine?

1 Accepted Solution

Accepted Solutions

Greg Gibbs
Cisco Employee
Cisco Employee

With PEAP, the supplicant configuration determines if the client is required to trust the identity certificate presented by the server (ISE, in this case). If the supplicant is not configured for 'Verify the server's identity by validating the certificate' then the client will accept any server certificate for PEAP authentication. ISE has no control over the native supplicant, so there is no way to enforce this on a Windows device that is not managed by an MDM or Domain Policy.

 

With EAP-TLS, the server must trust the client certificate so the client would have to present a certificate that was signed by a CA trust chain that exists in the ISE Trusted Certificates store. The supplicant setting for 'Verify the server's identity by validating the certificate' can still be disabled on an unmanaged client.

If using EAP-TLS, you would still have to work out how the unmanaged client would be provisioned with a certificate. This is essentially a BYOD use case, so I would suggest reviewing the following documents as a start:

ISE BYOD Prescriptive Deployment Guide

BYOD Cisco Validated Design (an older document, but still relevant)

View solution in original post

1 Reply 1

Greg Gibbs
Cisco Employee
Cisco Employee

With PEAP, the supplicant configuration determines if the client is required to trust the identity certificate presented by the server (ISE, in this case). If the supplicant is not configured for 'Verify the server's identity by validating the certificate' then the client will accept any server certificate for PEAP authentication. ISE has no control over the native supplicant, so there is no way to enforce this on a Windows device that is not managed by an MDM or Domain Policy.

 

With EAP-TLS, the server must trust the client certificate so the client would have to present a certificate that was signed by a CA trust chain that exists in the ISE Trusted Certificates store. The supplicant setting for 'Verify the server's identity by validating the certificate' can still be disabled on an unmanaged client.

If using EAP-TLS, you would still have to work out how the unmanaged client would be provisioned with a certificate. This is essentially a BYOD use case, so I would suggest reviewing the following documents as a start:

ISE BYOD Prescriptive Deployment Guide

BYOD Cisco Validated Design (an older document, but still relevant)