EAP TLS in closed mode, solutions for first time log in

esuarez
Level 1

Hi group,

I’m working on a new ISE deployment using EAP-TLS for user authentication; all is working as expected. We are looking at migrating to the Closed Mode phase, but we are running into a chicken-and-egg issue with Closed Mode when new Windows computers are deployed that don’t yet have a user certificate. We are looking at some possible solutions and I wonder if I’m missing other ways to get the user certificate onto a brand new computer.

Here are the options we are thinking of:

· Create an authorization rule that will allow temporary network access if the endpoint MAC address is a member of a specific Endpoint Identity Group. Create an RBAC role that will allow the team that builds new Windows computers to access ISE so they can map the endpoint MAC address to that group, and once the machine is finished (added to the domain and with a user cert) they can remove the mapping from ISE. (Will work but needs manual intervention)

· Create an authorization rule so that all Windows computers doing MAB get an authorization profile that allows some access like DHCP, DNS and AD so they can get a certificate via GPO. (Will work but will open too much network access to all failed computers)

· Disable NAC on the specific ports where the new computers will be deployed. (This will work provided security is OK with it)

Have you come across this problem in the past? What solution did you use?

Thanks in advance

Eduardo

Accepted Solution

The computer cert should be put on during the build/rebuild process. As long as you have an option to handle the build process you really shouldn’t run into issues with the computer cert. As soon as the system is joined to the domain during build they should autoenroll for a computer cert.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

4 Replies

gbekmezi-DD
Level 5

If you can control the environment enough to not need option 2, then maybe consider option 4. Use the API to add and remove the endpoint (or reassign it after it is provisioned):

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/api_ref_guide/api_ref_book/ise_api_ref_ers2.html#pgfId-1115364

https://communities.cisco.com/docs/DOC-66297

George
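George's API suggestion, as an added example (not from this thread or from Cisco): a small Python client for the ISE ERS API that pins a new machine's MAC into the temporary-access Endpoint Identity Group from option 1 and deletes the endpoint once the build has domain-joined and auto-enrolled its certs. It assumes ERS is enabled on port 9060 with a dedicated ERS admin account, the `requests` library for live use, and a staging group name such as `BuildStaging`; the MAC and group names are placeholders.

```python
import re

ERS_PORT = 9060  # ISE ERS API port; ERS must be enabled on the admin node


def normalize_mac(raw):
    """Accept AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or aabbccddeeff; return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[:.\-]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def build_endpoint_body(mac, group_id, description=""):
    """Body for POST /ers/config/endpoint. staticGroupAssignment pins the endpoint
    to the staging group so profiling cannot move it out before the build is done."""
    return {"ERSEndPoint": {"mac": normalize_mac(mac), "description": description,
                            "groupId": group_id, "staticGroupAssignment": True}}


class IseErsStaging:
    """Stage a freshly imaged PC in the temporary-access group, release it when done."""

    def __init__(self, host, user, password, session=None, verify=True):
        if session is None:
            import requests  # third-party; only needed for a live ISE session
            session = requests.Session()
        session.auth = (user, password)  # dedicated ERS admin account, not the GUI super admin
        session.verify = verify          # keep True: trust the ISE admin certificate instead
        session.headers.update({"Accept": "application/json",
                                "Content-Type": "application/json"})
        self.base = f"https://{host}:{ERS_PORT}/ers/config"
        self.s = session

    def group_id(self, name):
        r = self.s.get(f"{self.base}/endpointgroup", params={"filter": f"name.EQ.{name}"})
        r.raise_for_status()
        found = r.json()["SearchResult"]["resources"]
        if len(found) != 1:
            raise LookupError(f"expected one endpoint group named {name!r}, got {len(found)}")
        return found[0]["id"]

    def stage(self, mac, group_name, ticket=""):
        """Add the endpoint to the staging group; returns the new ISE endpoint id."""
        body = build_endpoint_body(mac, self.group_id(group_name), ticket)
        r = self.s.post(f"{self.base}/endpoint", json=body)
        r.raise_for_status()  # 201 Created; the Location header carries the new id
        return r.headers["Location"].rstrip("/").rsplit("/", 1)[-1]

    def release(self, endpoint_id):
        """Delete the endpoint once the machine is domain-joined and has its certs."""
        self.s.delete(f"{self.base}/endpoint/{endpoint_id}").raise_for_status()
```

Logging the ticket number in the endpoint description gives you an audit trail of who staged which MAC, and a scheduled `release` on stale entries keeps a forgotten build from holding temporary access indefinitely.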

paul
Level 10

Yep, this is a known issue for sure. Are you using native supplicants? The Windows single sign-on settings in the native supplicant are supposed to handle this by delaying the transition to user mode, but I haven't played around with it much. I just had a client using AnyConnect NAM that had this issue, and I asked them and their security department whether they have a driving need to transition to user mode. The security department, like many of my installs, said no, we just want to know the asset is ours, which the computer certificate shows. So we just chose to stay at computer auth only.

Most of my installs are computer auth only. Of course, with all the peripheral products tying into ISE with pxGrid wanting user information, this will be changing.

Hi Paul, yes we are using Windows native supplicants. What you mentioned regarding the single sign-on and the delay is a good idea; I will give it a try. I think this can fix half of my problems (at least the biggest one) for the user cert. I will still need to find a way to put the machine cert on the very first time, but at least for users I think this can be a good solution. Thanks a lot
