04-12-2013 04:30 AM - edited 03-10-2019 08:18 PM
Hi guys
I have installed a dot.1x solution for a customer using ISE. The ip phones have certificate from CUCM server. In the ISE a wired-dot.1x with eqp-tls enabled policy is configured so that when ip phones or PC connect to network they get authenticated using EAP -TLS. I have required certificates imported on pc's and ISE server. That part works absolutely fine.
Now I have been asked to configure EAP-PEAP for video end points which doesn't support EAP -TLS.
The endpoints are configured with a username and password. The credentials are created in ISE server.
I create a second policy for wired dot.1x with EAP - PEAP enabled
The problem I am hitting is that if the PCM and phone policy is on top. The phone and pc gets authenticated. But video endpoint doesn't. I get authentication error messages saying certificate expected but received credentials.
When I move the video end point authentication rule above the pc and phones. The video end points get authenticated successfully. But PC and phone authentication breaks. The error message I receive is saying usrname and password expected but received a certificated based authentication.
Has anyone seen this type of scenario ? Any idea how to make EAP -PEAP and EAP TLS authentication work together ?
Thanks in advance.
Sent from Cisco Technical Support iPad App
04-13-2013 10:02 PM
Hi,
There are two ways you can tackle this with ISE, I will start with the easiest one and then the other one to cover your options.
You need to create an identity store sequence. This allows you to mix both certificate based and password based authentications, keep in mind that you can only map one Certificate authentication Profile in when using identity store sequences. More informations about configuring this is provided below:
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1117203
The next option would be to use the authentication policy configuration to map the patterns of the username (if common with your video endpoints), to forward their requests to the internal identity store. You can use regex to make this work and you can check for the radius username attribute.
Thanks,
Tarik Admani
*Please rate helpful posts*
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide