ISE 2.2 EAP TLS wired

ivan.martin
Level 1

Hi, good afternoon, my name is Ivan.

I have two virtual ISE nodes in HA, v2.2, in standalone mode. I need to implement dot1x (PEAP MSCHAPv2), MAB, posture and remediation for 1600 computers (900 Windows XP and 700 Windows 10) and 1600 users on the wired network, using AnyConnect v4.4 as the supplicant.

Cisco TAC told me about a bug in Microsoft Windows 10 that explains the weakness in sending the machine authentication, and the workaround is to use EAP-TLS. I understand that EAP-TLS uses two certificates: one certificate for the user and one certificate for the machine.

My question is:

How can I create the certificates (machine and user) using the Microsoft CA? Do I need a vendor to generate these certificates? Is it possible to use a certificate created from ISE, downloaded from the Microsoft CA and installed on the machine?

I need to create these certificates and use them with ISE. Do you know if another bug exists for Windows?

Regards, Ivan.

11 Replies

Francesco Molino
VIP Alumni

Hi Ivan

First of all, I haven't done any full Windows 10 ISE deployment.

Talking about EAP-TLS doesn't necessarily mean authenticating both the machine and the user certificate. You can if you want; this is called EAP chaining and it must use Cisco AnyConnect, which you have already deployed.

EAP-TLS means that you will authenticate a user or a device using either a machine or a user certificate.

Usually, with Microsoft AD, if the configuration is done, all machines that are members of this AD already have the workstation certificate.

For user certificates, I would recommend promoting your ISE as a sub-CA of your Microsoft CA environment. Then ISE could generate, revoke, ... manage all user certificates.

Once the certificates are deployed, you'll need to configure your AnyConnect to authenticate with these certificates.

To configure the Cisco AnyConnect NAM module to use certificates, here is an example: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

You may potentially face some bugs with Windows 10. However, deploy the latest patches and you should be able to handle that infrastructure with fewer bugs. You can also review the release notes to make sure you won't face a specific issue in a specific situation.

Hope I've answered your question.

Thanks 

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello Francesco

And... what happens with the machine certificate? Do I need to create another certificate, or can I also use the user's certificate (from the self-signing request)?

I cannot use EAP chaining because I don't need EAP-FAST; the policies in ISE will work to authenticate both scenarios.

Regards.

I'm sorry, but I don't understand your question.

Your user or machine certificates aren't self-signed, because they'll be signed by your CA environment servers (sub-CA and root CA).

If you don't want to use EAP-FAST, then you'll authenticate devices/users using only one certificate (machine or user).

Thanks
Francesco

Hello, good day

What ISE needs are two things: one is the signed certificate that originates with the support of the Microsoft CA server, and the other is the Microsoft CA certificate, which is the trust relationship for the corporate workstations. From there you have two options.

Option 1: two certificate templates, one for the user and another for the computer, which generate the respective certificates for each case.

Option 2: create one template and one certificate signed by the Microsoft CA for both users and computers.

With that, ISE will work with EAP-TLS.
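As an added illustration of Option 1 above (example code, not part of any reply in this thread), the following PowerShell enrolls one certificate from each template of a Microsoft enterprise CA on a domain-joined Windows 10 host and then checks what EAP-TLS actually needs from the result: a chain that validates, the Client Authentication EKU, a private key, and the identity ISE will match on (UPN for the user certificate, DNS name for the machine certificate) in the Subject Alternative Name. It assumes the built-in `Machine` and `User` templates with enroll permission, and discovers the CA through Active Directory (`-Url ldap:`); it does not apply to the Windows XP hosts in the original question.

```powershell
# Added example: enroll and verify EAP-TLS client certificates from a Microsoft
# enterprise CA. Assumes a domain-joined Windows 10 host, the built-in
# "Machine" and "User" templates, and enroll permission on both.
# Run the machine part elevated; run the user part in the user's own session.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, required by the EAP-TLS supplicant

function Test-EapTlsCertificate {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [Parameter(Mandatory)] [ValidateSet('Machine', 'User')] [string] $Kind
    )
    $problems = @()

    # 1. The chain must build to a root that this host trusts (the Microsoft CA trust mentioned above).
    if (-not $Cert.Verify()) { $problems += 'chain does not validate on this host' }

    # 2. If an EKU extension is present it must include Client Authentication.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and ($eku.EnhancedKeyUsages.Value -notcontains $ClientAuthOid)) {
        $problems += 'missing Client Authentication EKU'
    }

    # 3. ISE matches the identity on Subject/SAN: UPN for users, DNS name for machines.
    $san     = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    switch ($Kind) {
        'User'    { if ($sanText -notmatch 'Principal Name=') { $problems += 'no UPN in SAN' } }
        'Machine' { if ($sanText -notmatch 'DNS Name=')       { $problems += 'no DNS name in SAN' } }
    }

    # 4. The supplicant signs the TLS handshake with the private key, so it must be in the store.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in store' }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Kind       = $Kind
        Ok         = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Enroll from the enterprise CA; "ldap:" locates the CA through Active Directory.
$machine = Get-Certificate -Template 'Machine' -Url 'ldap:' -CertStoreLocation 'Cert:\LocalMachine\My'
$user    = Get-Certificate -Template 'User'    -Url 'ldap:' -CertStoreLocation 'Cert:\CurrentUser\My'

# Status is "Issued" when the template auto-issues; a "Pending" result has no Certificate yet.
if ($machine.Status -eq 'Issued') { Test-EapTlsCertificate -Cert $machine.Certificate -Kind Machine }
if ($user.Status    -eq 'Issued') { Test-EapTlsCertificate -Cert $user.Certificate    -Kind User }
```

Any row with `Ok = False` names the property the supplicant or ISE would reject, which is usually a template setting (missing EKU or SAN type) rather than a client-side problem.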

Hello,

Do you know if there is a lab guide / design guide to deploy EAP-TLS (machine auth) with ISE 2.2 as the certificate authority (configuration, how to deploy certificates)?

Thanks

Hi

Here is a Cisco link: http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_0111.html

You can also take a look at dcloud.cisco.com if there is still a lab. Otherwise, you may be able to find some slides on ciscolive365.com.

Thanks
Francesco

Hello,

Thanks for your quick reply.

Unfortunately, I already read the Cisco doc, but it is not very explicit: it doesn't explain which certificates to download from ISE for EAP-TLS machine auth, or how to simply download or request them... It talks about using internal users but doesn't explain how to configure the Windows native supplicant...

Regards,

Let me find out if I can share some documentation I've made for customers.

Otherwise, did you look at labminutes?

They're doing great videos, step by step.

Thanks
Francesco

Hello,

I checked labminutes, but didn't find a video about ISE 2.2 as CA.

The problem is that ISE 2.2 as CA is a new feature, and I think it's too early to find a lab.

If you have any doc, I would be greatly interested :)

Thanks


Hi,

I do not have any ISE 2.2 installed yet in my lab or in a customer infrastructure. We're still running ISE 2.1 for the most recent clients.

I'll have a look if I can upgrade and let you know.

Thanks
Francesco

Hi

I reviewed the ISE 2.2 release notes and honestly I don't see any big changes in the way it works compared to previous versions.

You can take a look at Lab Minutes and follow the lab based on version 2.1.

This week I don't have time to perform an upgrade and test it.

Sorry for that.

Thanks
Francesco