EAP-TLS with additional check

Philip91
Level 1

Hello guys,

I have a problem and I still don't have any idea how to solve it.

My setup is an EAP-TLS SSID where I want to authenticate Corporate Laptops (cert via AD), BYODs (cert via ISE onboarding) and Mobile (cert via MDM).

I not only want to check if the cert is valid; I also want to check, for the corporate laptops and the BYODs, if the user who requested the certificate is active in Active Directory. I don't want to use EAP-Chaining since we don't have AnyConnect enrolled. I think the solution would be the binary comparison feature, wouldn't it?

The problem here is that with the mobiles, which get their certs via MDM, I am not able to do a binary comparison.

Does anyone have a solution for my issue?

Generally I need another check instead of only checking if the cert is valid or not.

I also tried Certificate Template Name, but there is a bug which makes it impossible to use this feature.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut15412/?referring_site=bugquickviewredir

Does anyone have any idea?

Greetings

Philip

2 Replies

Johannes Luther
Level 4

I don't think this will work, because

a) You're stating that machine certs are used. How should the ISE know the user who requested the cert? Especially if the cert is enrolled via AD, no user requested it, right? Normally the certificate is pushed via GPO during AD join.

b) For the MDM stuff ... there is no info in the certificate about the user who requested the cert, right?

nspasov
Cisco Employee

One way you could do this is by combining EAP-TLS with Central Web Auth (CWA). You can create a rule where if the certificate is MDM based then the Authorization Profile would be CWA. There the user will be asked to provide their AD username/password. 

Thank you for rating helpful posts!
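The two answers above describe one authorization rule with two branches: certificates tied to a directory account (corporate laptops via AD, BYODs via ISE onboarding) get the binary-comparison check, which fails when the account is disabled or the exact certificate is not stored on the user object; MDM-issued certificates carry no such binding, so the rule returns a CWA redirect and the directory check happens at the portal login. The following Python model is an added example, not Cisco ISE code and not from either poster. The issuer names, UPNs, profile names and the directory contents are all constructed, and a SHA-256 of the certificate bytes stands in for AD's comparison of the whole certificate blob.

```python
"""
Constructed model of the authorization logic discussed in the thread
(not Cisco ISE code). A validated EAP-TLS client certificate is represented
by a small record; authorize() returns what the authorization rule would
hand back to the NAD.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional
import hashlib


class Decision(Enum):
    PERMIT = "PermitAccess"   # assumed authorization profile names
    CWA = "CWA-Redirect"
    DENY = "DenyAccess"


@dataclass(frozen=True)
class ClientCert:
    issuer: str                 # issuer DN presented during EAP-TLS
    subject_upn: Optional[str]  # UPN from the SAN, None if absent
    der: bytes                  # stand-in for the DER encoding of the cert


# Constructed CA names; real issuer DNs are deployment specific.
ISSUER_CLASS = {
    "CN=Corp-AD-CA": "corporate",
    "CN=ISE-Onboarding-CA": "byod",
    "CN=MDM-CA": "mdm",
}


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER bytes. AD compares the whole certificate blob;
    a hash of it is used here so the directory below stays readable."""
    return hashlib.sha256(der).hexdigest()


# Constructed directory: UPN -> account state plus the fingerprints of the
# certificates published on the user object (userCertificate in AD).
DIRECTORY: Dict[str, dict] = {
    "alice@corp.example": {"enabled": True,
                           "certs": {cert_fingerprint(b"alice-cert-v2")}},
    "bob@corp.example":   {"enabled": False,
                           "certs": {cert_fingerprint(b"bob-cert")}},
    "carol@corp.example": {"enabled": True,
                           "certs": {cert_fingerprint(b"carol-byod-cert")}},
}


def classify_issuer(issuer: str) -> str:
    return ISSUER_CLASS.get(issuer, "unknown")


def binary_comparison(cert: ClientCert, directory: Dict[str, dict]) -> bool:
    """True only if the account exists, is enabled, and holds exactly this
    certificate. A still-valid cert issued to a disabled account, or one
    that was never published to the account, fails here."""
    if cert.subject_upn is None:
        return False
    account = directory.get(cert.subject_upn)
    if account is None or not account["enabled"]:
        return False
    return cert_fingerprint(cert.der) in account["certs"]


def authorize(cert: ClientCert, directory: Dict[str, dict]) -> Decision:
    """Authorization rule evaluated after EAP-TLS has already validated the
    chain and revocation status of the client certificate."""
    kind = classify_issuer(cert.issuer)
    if kind in ("corporate", "byod"):
        return Decision.PERMIT if binary_comparison(cert, directory) else Decision.DENY
    if kind == "mdm":
        return Decision.CWA   # no directory binding: ask for AD credentials
    return Decision.DENY


def cwa_portal_result(upn: str, credentials_ok: bool,
                      directory: Dict[str, dict]) -> Decision:
    """Second stage for MDM devices: the portal login supplies the directory
    check the certificate could not. credentials_ok stands in for the AD
    password verification the portal performs."""
    account = directory.get(upn)
    if credentials_ok and account is not None and account["enabled"]:
        return Decision.PERMIT
    return Decision.DENY


if __name__ == "__main__":
    laptop = ClientCert("CN=Corp-AD-CA", "alice@corp.example", b"alice-cert-v2")
    phone = ClientCert("CN=MDM-CA", None, b"phone-cert")
    print(authorize(laptop, DIRECTORY).value)   # PermitAccess
    print(authorize(phone, DIRECTORY).value)    # CWA-Redirect
```

The cases worth trying are the ones the thread is about: a corporate certificate for a disabled account, and an older certificate for an account that has since been re-enrolled, are both cryptographically valid yet denied by the directory check, while an MDM certificate is never denied outright but always sent to the portal.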