03-17-2016 03:33 AM - edited 03-10-2019 11:35 PM
Hello guys,
I have a problem and I still don't have any idea how to solve it.
My setup is an EAP-TLS SSID where I want to authenticate Corporate Laptops (cert via AD), BYODs (cert via ISE onboarding) and Mobiles (cert via MDM).
I not only want to check if the cert is valid, I also want to check, for the corporate laptops and the BYODs, whether the user who requested the certificate is active in Active Directory. I don't want to use EAP-Chaining since we don't have AnyConnect enrolled. I think the solution would be the binary comparison feature, wouldn't it?
The problem here is that with the Mobiles, which get their certs via MDM, I am not able to do a binary comparison.
Does anyone have a solution for my issue?
Generally I need another check instead of only checking whether the cert is valid or not.
I also tried Certificate Template Name, but there is a bug which makes it impossible to use this feature:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut15412/?referring_site=bugquickviewredir
Does anyone have any idea?
Greetings
Philip
03-21-2016 06:41 AM
I don't think this will work, because
a) You're stating that machine certs are used. How should the ISE know the user who requested the cert? Especially if the cert is enrolled via AD, no user requested it, right? Normally the certificate is pushed via GPO during AD join.
b) For the MDM stuff ... there is no info in the certificate about the user who requested the cert, right?
03-21-2016 07:21 PM
One way you could do this is by combining EAP-TLS with Central Web Auth (CWA). You can create a rule where if the certificate is MDM based then the Authorization Profile would be CWA. There the user will be asked to provide their AD username/password.
Thank you for rating helpful posts!
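The decision flow discussed in this thread, as an added example that is not part of the original posts and is not ISE's own code: certificate validity is checked first, AD- and ISE-issued certificates are bound to an AD user by binary comparison against the `userCertificate` attribute plus an account-enabled check (the `ACCOUNTDISABLE` bit of `userAccountControl`), and MDM-issued certificates, which have no user-bound copy in AD, fall back to CWA as the second reply suggests. The issuer names, the dataclasses and the placeholder certificate bytes are constructed for illustration; a real deployment extracts these fields from the presented X.509 certificate.

```python
"""Model of the per-certificate-type EAP-TLS authorization flow (constructed example)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Real userAccountControl bit values from Active Directory.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200

# Assumed issuer names for the three certificate sources in the question.
AD_CA = "CN=Corp-AD-CA"
ISE_CA = "CN=ISE-Endpoint-CA"
MDM_CA = "CN=MDM-CA"


@dataclass
class PresentedCert:
    """Fields the authenticator would extract from the EAP-TLS client certificate (constructed)."""
    subject_cn: str        # identity used for the AD lookup
    issuer: str
    not_before: datetime
    not_after: datetime
    der: bytes             # raw certificate bytes (placeholder, not real DER)


@dataclass
class AdUser:
    """Subset of an AD user object (constructed)."""
    sam_account_name: str
    user_account_control: int
    user_certificate: list[bytes]   # the 'userCertificate' attribute: one DER blob per cert


def cert_is_valid(cert: PresentedCert, now: datetime) -> bool:
    return cert.not_before <= now <= cert.not_after


def binary_comparison(cert: PresentedCert, user: AdUser) -> bool:
    """True if the presented certificate bytes match a certificate stored on the AD object."""
    presented = hashlib.sha256(cert.der).digest()
    return any(hashlib.sha256(stored).digest() == presented for stored in user.user_certificate)


def account_active(user: AdUser | None) -> bool:
    return user is not None and not (user.user_account_control & ACCOUNTDISABLE)


def authorize(cert: PresentedCert, directory: dict[str, AdUser], now: datetime) -> str:
    """Return 'PermitAccess', 'CWA' (user must enter AD credentials) or a 'Reject: ...' reason."""
    if not cert_is_valid(cert, now):
        return "Reject: certificate outside validity period"
    if cert.issuer == MDM_CA:
        # MDM certs are not bound to an AD user object, so no binary comparison is possible;
        # hand the session to Central Web Auth for an interactive AD login instead.
        return "CWA"
    if cert.issuer in (AD_CA, ISE_CA):
        user = directory.get(cert.subject_cn)
        if not account_active(user):
            return "Reject: AD account missing or disabled"
        if not binary_comparison(cert, user):
            return "Reject: certificate not bound to AD user (binary comparison failed)"
        return "PermitAccess"
    return "Reject: untrusted issuer"


# Constructed sample data: one enabled user, one disabled user, and a set of client certs.
NOW = datetime(2016, 3, 17, tzinfo=timezone.utc)
NB, NA = datetime(2016, 1, 1, tzinfo=timezone.utc), datetime(2017, 1, 1, tzinfo=timezone.utc)
ALICE_DER = b"constructed-der-alice-laptop-cert"
DIRECTORY = {
    "alice": AdUser("alice", NORMAL_ACCOUNT, [ALICE_DER]),
    "bob": AdUser("bob", NORMAL_ACCOUNT | ACCOUNTDISABLE, [b"constructed-der-bob-cert"]),
}


def run_scenarios() -> dict[str, str]:
    """Evaluate the cases raised in the thread and return each outcome by name."""
    cases = {
        "corporate_laptop": PresentedCert("alice", AD_CA, NB, NA, ALICE_DER),
        "disabled_user": PresentedCert("bob", AD_CA, NB, NA, b"constructed-der-bob-cert"),
        "cert_not_in_ad": PresentedCert("alice", ISE_CA, NB, NA, b"constructed-der-other-cert"),
        "mdm_mobile": PresentedCert("mobile-42", MDM_CA, NB, NA, b"constructed-der-mdm-cert"),
        "expired": PresentedCert("alice", AD_CA, NB, datetime(2016, 2, 1, tzinfo=timezone.utc), ALICE_DER),
        "rogue_issuer": PresentedCert("alice", "CN=Unknown-CA", NB, NA, ALICE_DER),
    }
    return {name: authorize(cert, DIRECTORY, NOW) for name, cert in cases.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:18s} -> {result}")
```

Comparing SHA-256 digests rather than raw bytes keeps the check a strict byte-for-byte match (which is what binary comparison means) while letting the stored copies be handled uniformly; the same function also shows why the MDM case cannot use it: there is simply no stored copy to compare against, which is what the CWA branch works around.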