02-10-2015 08:00 AM - edited 03-10-2019 10:26 PM
We are running ISE 1.3 tied to AD with WLC 7.6.130.0. Our ISE has a GoDaddy (non-wildcard) certificate loaded for HTTPS and EAP. We are just running PEAP. We have a mix of iOS, Android, and Windows 7/8 devices. iOS and Android devices can self-create a wireless profile and, after entering credentials, can connect without issue. Our Windows 7/8 devices, when auto-creating a wireless profile, are selecting 802.1X machine authentication instead of user authentication or the best option, which is machine or user authentication. This is problematic, as we do allow for machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only. This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity. The problem is: why are the Windows devices not auto-setting to user authentication (as I think they did when we ran ISE 1.2), or the best option, which is to allow both types of authentication? I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list. Neither has helped. I also notice that the Windows 7/8 endpoints have to say "allow connectivity" several times even though we are using a global and should-be-trusted certificate authority (probably a separate issue).
Thank you for any help or ideas,
02-10-2015 11:05 AM
Hello John-
If you want to allow machine-based authentication during the machine boot period and then user-based authentication after the machine boot/login period, then the supplicant should be configured to use "Machine or User Authentication".
Thank you for rating helpful posts!
02-10-2015 11:11 AM
Yes, I agree. We have to manually set the wireless profile to the user or computer authentication option. Windows devices are defaulting to computer authentication. Why is that? What within ISE is telling the Windows machines to choose that option? In 1.2 it would default to the user authentication option.
02-10-2015 01:36 PM
ISE does not instruct the device on how to authenticate on the network. The supplicant is what dictates how a device will try to authenticate on the network.
With that being said, are you saying that the supplicant is currently configured to perform "User and computer authentication" but the device still tries to perform machine ONLY authentication?
Thank you for rating helpful posts!
02-10-2015 02:00 PM
When connecting a Windows device to the ISE-enabled SSID when there is not a saved wireless profile on that machine, it will connect and auto-create the profile. In that profile, the 802.1X computer authentication option is chosen by Windows. That has to be changed to computer or user for the machine to function correctly on the network.
On 1.2, this behavior was different. The Windows device would auto-select user authentication by default. At other customer sites, Windows devices auto-select user authentication. This of course needs to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and be functional easily to begin with.
02-10-2015 03:52 PM
In general, PEAP does not work well when using zero configuration with Windows 7/8. Microsoft has changed some stuff in later hotfixes/SPs, because it has gotten worse with time; it does not, however, have anything to do with ISE. Windows for some reason also does not like wildcard certs when doing PEAP, which I consider a bug, but I don't see it getting fixed either.
So about your problem: are you not using PCs that are domain joined? Because with an 802.1X wireless GPO your scenario is somewhat easier to achieve.
02-13-2015 08:37 AM
Yes, I have run into the wildcard issue and had to swap over to a regular 3rd-party cert.
I can look into the wireless GPO on the machine and user auth domain laptops. I was hoping for something a little cleaner for zero touch for machines for vendors and one-off guys. I swear Windows 7/8 behave differently on zero touch with ISE 1.2 than they are with 1.3. Maybe there was a coincidental Microsoft change.
Also, the provisioning of the native supplicant by ISE to the client appears to not change that particular setting on the end devices, so it requires a manual configuration change on each end device. I am about to lab up the GPO option.
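As an added example (not code from this thread, Cisco, or Microsoft), the following PowerShell audit reads the value the Windows native supplicant actually stores for the choice discussed above: the OneX authMode element (machine, user, or machineOrUser) in each saved wireless profile, which is the same setting the 802.1X wireless GPO pushes. It assumes netsh.exe on Windows 7 or later; the export directory and the -Fix switch are this script's own conventions.

```powershell
# Added audit script (not from the thread, Cisco or Microsoft). It exports every
# saved WLAN profile with netsh and reports the OneX <authMode> value, which is
# the "computer / user / computer or user" choice the thread is about.
# -Fix rewrites profiles set to "machine" as "machineOrUser" and re-imports them.
# Assumes Windows 7 or later with netsh.exe; run elevated when using -Fix.
param([switch]$Fix)

$ExportDir = Join-Path $env:TEMP 'wlan-audit'
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
# One XML file per profile; key=clear is deliberately not used, so PSKs stay masked
netsh wlan export profile folder="$ExportDir" | Out-Null

$ns = @{
    w = 'http://www.microsoft.com/networking/WLAN/profile/v1'
    o = 'http://www.microsoft.com/networking/OneX/v1'
}

foreach ($file in Get-ChildItem -Path $ExportDir -Filter '*.xml') {
    [xml]$xml = Get-Content -Path $file.FullName -Raw
    $name = (Select-Xml -Xml $xml -XPath '/w:WLANProfile/w:name' -Namespace $ns).Node.InnerText
    $hit  = Select-Xml -Xml $xml -XPath '//w:MSM/w:security/o:OneX' -Namespace $ns |
            Select-Object -First 1
    if (-not $hit) { continue }                   # open or PSK network, no 802.1X
    $oneX = $hit.Node
    $mode = $oneX.authMode                        # $null when the element is absent
    $status = switch ($mode) {
        'machineOrUser' { 'OK: computer or user authentication' }
        'user'          { 'User only: nothing authenticates before logon' }
        'machine'       { 'Computer only: the user identity is never sent' }
        default         { 'authMode element not present in profile' }
    }
    if ($Fix -and $mode -eq 'machine') {
        $oneX.authMode = 'machineOrUser'          # element exists, so assignment sets its text
        $xml.Save($file.FullName)
        netsh wlan add profile filename="$($file.FullName)" user=all | Out-Null
        $status += ' -> changed to machineOrUser and re-imported'
    }
    [pscustomobject]@{ Profile = $name; AuthMode = $mode; Status = $status }
}
```

Run it without -Fix first to see which auto-created profiles landed on "machine"; the same authMode value is what to set in the Wireless Network (IEEE 802.11) Policies GPO for domain-joined laptops.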