
How to carry out authentication with EAP-TLS for multiple domains?

tonyang (Level 1)

We have one domain "abc.dctst.com" and it's part of the forest "dctst.com"; we're now using EAP-TLS to carry out wireless network authentication for the users who are under the domain "abc.dctst.com". There are several other domains under the same forest, such as "def.dctst.com" and "ghi.dctst.com". How do we carry out wireless network authentication for the users who are under the domains "def.dctst.com" and "ghi.dctst.com"?

6 Replies

Nancy Saini (Cisco Employee)

There are 2 ways to achieve this:

1.  Either there should be a two-way trust between the domains "def.dctst.com" and "ghi.dctst.com", and ISE is joined to one domain join point (either def.dctst.com or ghi.dctst.com), or

2.  Join ISE to both domains (def.dctst.com and ghi.dctst.com) as separate join points.

Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html

Thanks for your reply, Nancy.

Actually, all ISE nodes have already been joined to the domain "abc.dctst.com". In the allowed domains in ISE 3.1, I can see both the domain "def.dctst.com" and the domain "ghi.dctst.com" in the list. Since the different domains have different root and intermediate certificates, I have only imported the root and intermediate certificates of the domain "abc.dctst.com" into the ISE instance. Do I need to import the root and intermediate certificates of the domains "def.dctst.com" and "ghi.dctst.com" into the ISE instance as well?

CA for the domain "abc.dctst.com".
ABC Level 1 CA
ABC Level 2 CA
ABC Level 3 CA
...

CA for the domain "def.dctst.com".
DEF Level 1 CA
DEF Level 2 CA
DEF Level 3 CA
...

CA for the domain "ghi.dctst.com".
GHI Level 1 CA
GHI Level 2 CA
GHI Level 3 CA
...

For ISE to be connected with Active Directory, below are the prerequisites:

  • Ensure you have Active Directory Domain Admin credentials, required to make changes to any of the AD domain configurations.

  • Ensure you have the privileges of a Super Admin or System Admin in Cisco ISE.

  • Use the Network Time Protocol (NTP) server settings to synchronize the time between the Cisco ISE server and Active Directory. You can configure NTP settings from Cisco ISE CLI.

  • Cisco ISE can connect with multiple Active Directory domains that do not have a two-way trust or have zero trust between them. If you want to query other domains from a specific join point, ensure that trust relationships exist between the join point and the other domains that have the user and machine information to which you need access. If trust relationships do not exist, you must create another join point to the untrusted domain. For more information on establishing trust relationships, refer to the Microsoft Active Directory documentation.

  • You must have at least one global catalog server operational and accessible by Cisco ISE, in the domain to which you are joining Cisco ISE.

There is no requirement for Active Directory certificates to be imported into ISE.

However, for dot1x authentication with ISE, ensure that the intermediate and root certificates of the client are trusted by ISE.

@tonyang , just to add to the information @Nancy Saini has provided...

EAP-TLS requires mutual authentication between the client and the server. The server (in this case ISE) needs to trust the certificate presented by the client, and the client needs to trust the certificate presented by the server.

The ISE nodes only support a single certificate used for EAP. If the ISE EAP certificate is signed by the CA chain for the 'abc' domain, that is the certificate it will present to the client during the EAP-TLS handshake. As such, the client must have the 'abc' root chain installed in its trust store and the supplicant configured to trust that root CA for 802.1x, regardless of whether the client is a member of the 'def' or 'ghi' domain.

If you have clients using certificates signed by the 'def' and 'ghi' CA chains for 802.1x, then those root chains must also be installed in the ISE Trusted Certificates store.

Thanks for your information, Greg.

The clients have both the domain 'abc' root chain and the domain 'def' and 'ghi' root chains installed in their trust store. But the clients are only members of the "abc" domain, and no issue was identified with 802.1x authentication.

The scenario is to carry out 802.1x authentication for the domains 'def' and 'ghi' with the same ISE environment. Shall I need to import the root and intermediate certificates into the ISE "Trusted Certificates" store? What I mean is the DEF Level 1 CA/DEF Level 2 CA/DEF Level 3 CA...

CA for the domain "def.dctst.com".
DEF Level 1 CA
DEF Level 2 CA
DEF Level 3 CA

Yes. If the ISE system certificate that you import is signed by an external CA, import the relevant root CA and intermediate CA certificates into the Trusted Certificates store (Administration > System > Certificates > Trusted Certificates) on ISE, so that ISE can trust client certs signed by those respective CAs.
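The trust-store behaviour described in the two answers above (a client cert issued under the 'def' chain is rejected until the DEF root and intermediates are in the server's trusted store) can be reproduced offline with openssl. This is a constructed lab added here, not Cisco or ISE code: it builds two three-level hierarchies named after the thread's "ABC"/"DEF Level 1/2/3 CA" labels, issues a client certificate under DEF Level 3, and checks it against a store holding only the ABC chain versus one that also holds the DEF chain; the names, curve and validity period are assumptions.

```shell
#!/bin/sh
# Constructed lab: two three-level CA hierarchies ("ABC" and "DEF"), a client
# certificate issued by "DEF Level 3 CA", and an openssl check of what a
# server-side trusted store must contain for that client to validate.
set -e
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > ee.ext
NEWKEY="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# make_chain NAME: NAME-l1 (self-signed root), NAME-l2, NAME-l3 (issuing CA)
make_chain() {
  n=$1
  openssl req $NEWKEY -keyout "$n-l1.key" -out "$n-l1.csr" -subj "/CN=$n Level 1 CA" 2>/dev/null
  openssl x509 -req -in "$n-l1.csr" -signkey "$n-l1.key" -days 30 -extfile ca.ext -out "$n-l1.crt" 2>/dev/null
  for lvl in 2 3; do
    prev=$((lvl - 1))
    openssl req $NEWKEY -keyout "$n-l$lvl.key" -out "$n-l$lvl.csr" -subj "/CN=$n Level $lvl CA" 2>/dev/null
    openssl x509 -req -in "$n-l$lvl.csr" -CA "$n-l$prev.crt" -CAkey "$n-l$prev.key" -CAcreateserial \
      -days 30 -extfile ca.ext -out "$n-l$lvl.crt" 2>/dev/null
  done
}

# issue_client CHAIN CN: leaf client-auth certificate signed by CHAIN's Level 3 CA
issue_client() {
  openssl req $NEWKEY -keyout "$2.key" -out "$2.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1-l3.crt" -CAkey "$1-l3.key" -CAcreateserial \
    -days 30 -extfile ee.ext -out "$2.crt" 2>/dev/null
}

# ise_accepts STORE CERT: returns 0 when CERT chains to a root via the
# root + intermediate certificates held in STORE (models the Trusted Certificates store)
ise_accepts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_chain ABC
make_chain DEF
issue_client DEF user1.def.dctst.com
# Store 1: only the ABC chain, as imported so far in the original question
cat ABC-l1.crt ABC-l2.crt ABC-l3.crt > store-abc.pem
# Store 2: ABC chain plus the DEF root and intermediates
cat store-abc.pem DEF-l1.crt DEF-l2.crt DEF-l3.crt > store-abc-def.pem

if ise_accepts store-abc.pem user1.def.dctst.com.crt; then
  echo "unexpected: DEF client accepted with only the ABC chain trusted"
else
  echo "DEF client rejected: only the ABC chain is trusted"
fi
ise_accepts store-abc-def.pem user1.def.dctst.com.crt && echo "DEF client accepted after adding DEF root + intermediates"
```

The same check applies to the GHI chain; importing only the DEF root without its Level 2 and Level 3 intermediates fails too unless the client presents those intermediates itself.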