EAP-TLS and EAP-PEAP Clients

Amit Singh2000
Level 1

Hi guys

I have installed a dot1x solution for a customer using ISE. The IP phones have certificates from the CUCM server. In ISE, a wired dot1x policy with EAP-TLS enabled is configured so that when IP phones or PCs connect to the network they get authenticated using EAP-TLS. I have the required certificates imported on the PCs and the ISE server. That part works absolutely fine.

Now I have been asked to configure EAP-PEAP for video endpoints which don't support EAP-TLS.
The endpoints are configured with a username and password. The credentials are created in the ISE server.

I created a second policy for wired dot1x with EAP-PEAP enabled.

The problem I am hitting is that if the PC and phone policy is on top, the phone and PC get authenticated, but the video endpoint doesn't. I get authentication error messages saying a certificate was expected but credentials were received.

When I move the video endpoint authentication rule above the PCs and phones, the video endpoints get authenticated successfully, but PC and phone authentication breaks. The error message I receive says a username and password were expected but certificate-based authentication was received.

Has anyone seen this type of scenario? Any idea how to make EAP-PEAP and EAP-TLS authentication work together?

Thanks in advance.


1 Reply

Tarik Admani
VIP Alumni

Hi,

There are two ways you can tackle this with ISE. I will start with the easiest one and then the other one to cover your options.

You need to create an identity store sequence. This allows you to mix both certificate-based and password-based authentications; keep in mind that you can only map one Certificate Authentication Profile when using identity store sequences. More information about configuring this is provided below:

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1117203

The next option would be to use the authentication policy configuration to map the pattern of the username (if common to your video endpoints) to forward their requests to the internal identity store. You can use regex to make this work, and you can check for the RADIUS username attribute.

Thanks,

Tarik Admani
*Please rate helpful posts*
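The following is an added model of the first-match authentication policy behaviour discussed in this thread, not ISE code and not part of either post. It reproduces both rule orderings from the question and the two fixes from the reply (an identity source sequence, and a rule that routes on a regex over the RADIUS User-Name). The endpoint names, the "video-" username prefix and the request attributes are constructed assumptions.

```python
import re

# Constructed sample requests (not real RADIUS captures): what the
# authentication policy sees from each endpoint type in the thread.
REQUESTS = [
    {"name": "pc", "eap": "EAP-TLS", "User-Name": "host/pc01.corp.example"},
    {"name": "phone", "eap": "EAP-TLS", "User-Name": "SEP001122334455"},
    {"name": "video", "eap": "EAP-PEAP", "User-Name": "video-room1"},
]

# Modelled identity stores: a Certificate Authentication Profile can only
# serve EAP-TLS, the internal user store can only serve password (PEAP).
def cert_profile(req):
    return req["eap"] == "EAP-TLS"

def internal_users(req):
    return req["eap"] == "EAP-PEAP"

# Fix 1 (reply, option one): an identity source sequence tries each store
# in order and falls through when a store cannot handle the credential type.
def id_sequence(req):
    return cert_profile(req) or internal_users(req)

def wired_dot1x(req):
    # Both rules in the question match any wired dot1x session.
    return True

# Fix 2 (reply, option two): assumed "video-" prefix on the RADIUS User-Name
# routes the video endpoints to the internal store ahead of the cert rule.
VIDEO_RE = re.compile(r"^video-")

def is_video_user(req):
    return VIDEO_RE.match(req["User-Name"]) is not None

# Policies are ordered lists of (condition, identity store); first match wins.
ORIGINAL = [(wired_dot1x, cert_profile), (wired_dot1x, internal_users)]
REVERSED = [(wired_dot1x, internal_users), (wired_dot1x, cert_profile)]
SEQUENCE_FIX = [(wired_dot1x, id_sequence)]
USERNAME_FIX = [(is_video_user, internal_users), (wired_dot1x, cert_profile)]

def evaluate(policy, req):
    """First-match evaluation: the first rule whose condition holds picks the store."""
    for condition, store in policy:
        if condition(req):
            return store(req)
    return False

def results(policy):
    """Authentication outcome per endpoint for a given rule ordering."""
    return {r["name"]: evaluate(policy, r) for r in REQUESTS}
```

Running `results()` on the four policies shows the PEAP endpoint failing under `ORIGINAL`, the EAP-TLS endpoints failing under `REVERSED`, and all three succeeding under either fix.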