cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4034
Views
0
Helpful
11
Replies

ISE 2.2 EAP TLS wired

ivan.martin
Level 1
Level 1

Hi god afternoon my name is Ivan

I have two virtual ise in HA v2.2 in mode standalone. I need to implement dot1x (PEAP MSCHAP v2), mab, posture and remediation to 1600 computers (900 windows xp and 700 windows 10)  and 1600 users to wired network using any connect v4.4 like supplicant.

Cisco TAC tell me about a bug of microsoft windows 10 that explain the weakness to send the machine authentication and the workaround is use EAP TLS. I understand that EAP TLS use two certificates: 1 certificate to user and 1 certificate to machine.

My question is:

How can i create the certificates (machine and users) using the microsoft CA. Do I need a vendor to generate these certificates? Is possible to use the certificate has created from ISE and downloaded from Microsoft CA and installed in the machine?.

I need to create these certificates and use with ISE. Do you know is exists another bug to windows?

Regards, Ivan.

11 Replies 11

Francesco Molino
VIP Alumni
VIP Alumni

Hi Ivan

First of all I haven't done any full windows 10 ISE deployment. 

When talking about EAP-TLS doesn't necessarily means to authenticate machine and user certificate. You can if you want and this is called eap chaining and must use Cisco anyconnect, that you already have deployed. 

EAP-TLS names that you will authenticate a user or device but using either machine or user certificate. 

Usually, with Microsoft AD, if configuration is done, all machine members of this AD had already the workstation certificate. 

For user certificate, I would recommend to promote your ISE as subca from your Microsoft CA environment. Then ISE could generate, revoke,... Manage all users certificates. 

Once certificates deployed, you'll need to configure your anyconnect to authenticate with these certificates.

To configure Cisco anyconnect NAM module to use certificates, here is an example: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

Maybe, you can potentially face some bugs with Windows 10. However, deploy the latest patch and you should be able to handle that infrastructure with less bugs. You can also review release notes to make sure you won't face a specific issue in a specific situation. 

Hope I've answered your question.

Thanks 

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hola Francisco

And... what happend with the machine certificate?. Do I need create another certificate or, can I use also the certificate (from self signing request) of the user?. 

I can not use eap chaining because i don't need eap fast, the policies in the ISE will work to authenticate both scenaries.

Regards.

I'm sorry but i don't understand your question. 

Your certificates user or machine aren't send signed because they'll be signed by your CA environment servers (subca and rootca). 

If you don't want to use eap-fast they you'll authenticate devices/users by using only one certificate (machine or user)

Thanks 

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hola buen dia

Lo que el ISE necesita son dos cosas: una es el certificado firmado que se origina con el apoyo del servidor Microsoft CA y otra es  el certificado Microsoft CA que es la relación de confianza para las estaciones de trabajo corporativas. A partir de ello se tienen dos opciones

Opción 1: dos plantillas de certificados uno para el usuario y otro para la computadora, los cuales generan ambos certificados respectivos para cada caso.

Opción 2: crear un plantilla y un certificado firmado por Microsoft CA para ambos usuarios y computadoras.

Con ello el ise trabajara con EAP TLS

Hello,

Do you know if there is a lab guide / design guide to deploy eap-tls (machine auth) with ise 2.2 as certificat authority (configuration, how to deploy certificate) ?

Thanks

Hi

Here is a Cisco link: http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_0111.html

You can take a look also on dcloud.cisco.com if there is still a lab. Otherwise, you maybe will be able to find some slides on ciscolive365.com.

thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello,

Thanks for your quick reply.

Unfortunately I already read the cisco doc, but it is not very explicit: it doesn't explain which certificates to download from ise for eap-tls machine, how to simply download or request them... It tells about using internal users but doesn't explain how to configure windows native supplicant...

Regards,

Let me found out if I can share some documentation I've made for customers. 

Otherwise did you look at labminutes? 

There're doing great video step but step. 

Thanks 

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello,

I checked labminutes, but didn't find a video about ise 2.2 as CA.

The problem is that ISE 2.2 as CA is a new feature, and i think it's too early to find lab.

If you have any doc, I would be greatly interested :)

 

thanks

 

Hi,

I do not have any ISE 2.2 installed yet in my LAB or customer infrastructure. We're still running ISE 2.1 for the most recent clients.

I'll have a look if I can upgrade and let you know.

Thanks 

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi

I reviewed the ISE 2.2 release note and honestly I don't see any big changes on the way it works since previous versions.

You can take a look on Lab Minutes and follow lab based on version 2.1.

This week I don't have time to perform an upgrade and test it.

Sorry for that.

Thanks 

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question