Implementing wired access control by certificate based authentication

CasualUser01
Level 1

Hello everyone,

In our company I would like to implement Cisco ISE for wired access control with certificate-based authentication. My goal in the end is that all clients that don't have the certificate of our Cisco ISE server only get a default VLAN with internet access only, while all the clients that do have the certificate are granted the normal employee VLAN. A Catalyst switch will be used as the authenticator in this example. I already read the "Cisco ISE Secure Wired Access Prescriptive Deployment Guide" but got a bit confused because I don't actually know which steps in the guide I need to follow and which steps would be unnecessary for reaching my end goal. Any help would be appreciated.

Kind regards

CasualUser01
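As an added example (not from this thread or from Cisco's guide), this is the authenticator side of exactly that goal on a Catalyst switch, in the classic IOS authentication-manager syntax: a trusted EAP-TLS client is moved to the employee VLAN by ISE, and everything else (no supplicant, untrusted certificate, or ISE unreachable) stays in the internet-only VLAN. The ISE address, shared secret, VLAN numbers and port are assumed placeholders.

```cisco
! Added example, not from this thread: Catalyst IOS (classic
! authentication-manager syntax). Placeholders, not from the page:
! ISE PSN 10.0.0.10, shared secret ISE-SECRET, employee VLAN 100,
! internet-only VLAN 200, port Gi1/0/1.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE-PSN
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key ISE-SECRET
!
! Accept Change of Authorization from ISE (re-auth, VLAN moves)
aaa server radius dynamic-author
 client 10.0.0.10 server-key ISE-SECRET
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description Employee access port, EAP-TLS via ISE
 switchport mode access
 ! Default to the restricted VLAN; ISE moves a trusted client to
 ! VLAN 100 by returning Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802
 ! and Tunnel-Private-Group-ID=100 in its authorization profile
 switchport access vlan 200
 authentication port-control auto
 ! one device per port, matching the notebook-only environment
 authentication host-mode single-host
 authentication order dot1x
 authentication priority dot1x
 ! Supplicant present but cert not trusted: ISE sends Access-Reject;
 ! after the configured retry count of failures the port lands in VLAN 200
 authentication event fail action authorize vlan 200
 ! No supplicant at all: no EAPOL reply within the tx-period/max-reauth-req window
 authentication event no-response action authorize vlan 200
 ! ISE unreachable: fail closed into the restricted VLAN, not open
 authentication event server dead action authorize vlan 200
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
```

Because the port's configured VLAN is already the restricted one, a client only reaches VLAN 100 when ISE explicitly authorizes it, so a missing or misconfigured authorization profile fails safe rather than exposing the employee VLAN.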

Accepted Solutions

Use your AD Domain Controller to push the certs to the computers via GPO.  Once that is configured and you log in to the machine, the GPO will download the cert (can force it using gpupdate /force on the PC).  Once you reboot, the cert can be used for authentication.

You can find good resources here for ISE and Active Directory integration:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216120-ise-security-ecosystem-integration-guide.html#anc78


9 Replies

Mike.Cifelli
VIP Alumni

I already read the "Cisco ISE Secure Wired Access Prescriptive Deployment Guide" but got a bit confused because I don't actually know what steps I need to follow in the guide and what steps would be unnecessary

-That guide will definitely assist with your journey and will hit on each component in the workflow.  Here are some (not all) items of consideration for design/deployment:

--What types of clients are in the environment? For Windows-based, will you use the native supplicant or NAM?

--If using NAM, how will you deploy the AC modules to support this + the respective profiles?

--If using native, the best bet is to rely on GPOs to push settings

--For certificate-based authentication, are you talking about onboarding only computers via certs, or do you want to perform user + computer cert auth? If both, you will need to research and look into EAP chaining; EAP chaining can be accomplished with EAP-FAST (NAM supplicant) OR with later versions of ISE + Windows EAP-TEAP (native supp)

--How will clients enroll for identity certs? Does your enterprise have an internal PKI? If so, ADCS and GPOs for auto-enrollment will help make things simpler

--What type of external identity source will be in use? AD?

--Are there clients in the environment that will require MAB? For example, printers with no supp, etc. You will need ISE local endpoint groups to help here

I would recommend reviewing it again, reaching out to your Cisco reps for help, and checking online for tutorials (YouTube/LabMinutes).

Here are additional docs that may help:

Cisco ISE & NAC Resources - Cisco Community

HTH!

Hi Mike,

thank you for your detailed answer!

--What types of clients are in the environment? For Windows-based, will you use the native supplicant or NAM?

It will be for Windows clients only for now, and I will use the native supplicant for that.

--If using native, the best bet is to rely on GPOs to push settings

This sounds good, as we are using an Active Directory as the external identity source.

--For certificate-based authentication, are you talking about onboarding only computers via certs or do you want to perform user ...

Exactly, I only want to onboard computers via certs, and if they don't have a cert, then just give them guest access in the form of a specific VLAN (internet access only).

--How will clients enroll for identity certs? Does your enterprise have an internal PKI? If so, ADCS and GPOs for auto-enrollment will help make things simpler

We don't have an internal PKI yet; I thought that we could roll out the machine certificates from the Cisco ISE server.

--Are there clients in the environment that will require MAB?

There will be no clients which will need MAB, only computers such as notebooks.

Kind regards

The first step is to perform an assessment of your network. Not all switches work with 802.1X. Also, you need to install client certificates, and this is not always an easy task.

Yes, we will use a switch that is capable of 802.1X, but the hard part will be installing and rolling out the client certificates, as you said. I currently don't know how it's done using Cisco ISE. Any suggestions on how to implement it?

There are some options here. You can do this by running a GPO to push the certificate to the machines. This is the most usual.

But this is usually an EUC job. You can refer to the link:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy


Hi Charlie,

thanks for your reply. After some research I found out that our company already has a root CA certificate inside our Active Directory, and it also assigns signed certificates to the clients after they join our domain. My question would be if I can import that trusted root CA certificate of the AD into the ISE server. Then my idea would be to use the already assigned machine certificates for the authentication against the ISE server. Is this somehow possible to do? It would be pretty good, because then I would not have to create new certificates for the clients.

Kind regards

Yes. "Configure EAP-TLS Authentication with ISE" is the doc to read and will show what needs to be done.

thomas
Cisco Employee