04-03-2014 01:14 PM - edited 03-10-2019 09:36 PM
I have been reading the Cisco ISE for BYOD and trying to create an Authentication Policy for EAP-TLS. When I build the new policy and add a new condition, then go to Network Access, EAPAuthentication is not an option. So I went to policy element and created a new Authentication, Compound condition and added it to the library. When I try to add it to my Authentication Policy it doesn't allow me to choose it and says only relevant conditions are selectable. Am I missing a step somewhere?
Any help is greatly appreciated and thanks in advance!
04-03-2014 11:04 PM
Hi,
If you want to use a different identity store for BYOD devices, all you have to do is edit the default dot1x rule, and add a condition above your default condition/identity store.
Add an attribute value of Certificate - SAN/Issuer, etc, depending on what's your differentiator between BYOD devices and corporate asset.
Please see attached printscreen.
04-04-2014 05:50 AM
Thanks, that's what I needed. I was closing out of my current policy and inserting a new one above the default. Now I need to get my certs working with my phone and ISE. Currently, we are using PacketFence and MobileIron, which issues the certs during registration - still working with security team to see how this is done. When I look at the certs on my phone I can see the root certs, but when I create an SSID and choose a cert the root isn't an option. Any ideas how I can connect using a new SSID with the root certs on my phone?
08-27-2014 04:03 AM
Hi Bret,
EAP-TLS does not mean that you're using your root CA certificates to connect to the network. You're using instead a machine or user certificate signed by your CA.
The CA's certificate provides the means to check one's presented certificate. It's the same thing with your ID. Somebody did some checks on you (the authorities) and guarantees that you are who you claim to be.
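The two answers above describe the flow in GUI terms: the supplicant presents a client certificate signed by the CA, the server validates it against the trusted CA certificate (the root itself is never the endpoint's identity), and a rule inserted above the default dot1x rule picks the identity store from a certificate attribute such as the Issuer. The Go program below is an added example, not code from this thread or from Cisco ISE; it models that sequence with constructed CA and client certificates, and the issuer CN "Example BYOD Issuing CA" and the rule names BYOD_EAP-TLS / Default_Dot1X are placeholder assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Constructed issuer name used as the BYOD differentiator (an assumption, not a real ISE value).
const byodIssuerCN = "Example BYOD Issuing CA"

// Issue creates a P-256 key pair and a certificate for cn: a self-signed CA when parent is
// nil, otherwise an EAP-TLS client certificate signed by parent/parentKey.
func Issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // no issuer given: make a self-signed CA instead of a client cert
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		tmpl.ExtKeyUsage, parent, parentKey = nil, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// SelectRule mirrors the dot1x policy: chain-validate the presented certificate against the
// trusted CAs first (a CA certificate is never an endpoint identity), then pick the rule by Issuer.
func SelectRule(presented *x509.Certificate, trusted *x509.CertPool) (string, error) {
	if presented.IsCA {
		return "", errors.New("CA certificate presented as endpoint identity")
	}
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return "", err // not signed by any CA in the trusted store
	}
	if presented.Issuer.CommonName == byodIssuerCN {
		return "BYOD_EAP-TLS", nil // the rule inserted above the default, using the BYOD identity store
	}
	return "Default_Dot1X", nil // corporate assets keep the default rule and identity store
}
```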