ISE 2.3 802.1x configuration

atif.mohamed
Level 1

Hi,
We have a working solution for wireless 802.1x users where the users authenticate via cert, now the new requirement is for mobile users that would be managed by MDM, the MDM is not integrated with the ISE, the MDM will push the user cert on the phones and they will authenticate via ISE. My questions are:
1. For laptops I understand they are part of Domain/Computers, but mobile phones are not, so how do we configure the policy in this case?

2. What is the best way to design this in my case, where the MDM pushes the user cert? The MDM is not part of the domain, but it certainly does fetch the cert and install it on the users' phones.
Thanks.

Atif

@Oliver Laue @Sandeep Choudhary @Arne Bier 


Arne Bier
VIP

Hi @atif.mohamed 
That's quite straightforward. You need to inspect the certificate that the MDM has pushed to the client, and then ensure that ISE contains the Root CA, and any intermediate CA certs that were used by the MDM in creating that cert. Put those CA certs into ISE's Trusted Certificates section. That will ensure that ISE will trust the certs that are coming from clients during EAP-TLS.

For the Policy part of the configuration, you need to consider Authentication and Authorization.

Authentication: Is there an identity element in the cert that you can (or want to) use to look up the user in AD (for example)? Let's say the client cert contains a Subject Common Name that resembles a valid AD user's UPN. If you want to perform Authentication, then you can create a cert profile in ISE that will do just that. But it's optional. You do not need to perform Authentication against an external identity source. A client that presents a cryptographically valid cert is sufficient for AuthN.

Authorization: This is where you look deeper into the cert and look for a distinguisher (e.g. Certificate Issuer) to decide what to do with this client. If Issuer Contains "Meraki MDM" (or whatever) then put this user in the BYOD VLAN and apply ACL etc. There are no hard and fast rules - look at the client cert and then create an AuthZ policy that will 100% match that cert as a BYOD user.
Hope that helps.

Now the Policy part is
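The three checks described in the reply above (is the cert's chain trusted, what identity element can be pulled from it, and what does the issuer say for AuthZ) as an added example that is not part of this thread and is not ISE configuration. It uses the openssl CLI, which is what you would run against the cert exported from an MDM-enrolled phone. The chain it builds (Example Root CA, Example MDM Issuing CA, a user cert with CN atif@example.com, plus a second user cert from an unrelated CA) is constructed here for the demo; the rule strings and profile names are assumptions standing in for whatever your ISE AuthZ policy would use.

```shell
#!/bin/sh
# Added example, not from the forum post. Builds a throwaway two-tier chain
# (root -> MDM issuing CA -> user) and applies the same three checks ISE
# would: chain trust, identity element, issuer-based authorization.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- Constructed test material (in production: the cert the MDM pushed
# --- plus the CA certs you load into ISE > Trusted Certificates) -----------
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
# EAP-TLS client cert: signs the TLS handshake, so digitalSignature + clientAuth.
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > user.ext

# Root CA (self-signed, CA:TRUE).
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/O=Example Corp/CN=Example Root CA" >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile root.ext \
    -out root.pem >/dev/null 2>&1

# Intermediate the MDM issues from (name is an assumption).
openssl req -new -newkey rsa:2048 -nodes -keyout mdm.key -out mdm.csr \
    -subj "/O=Example Corp/CN=Example MDM Issuing CA" >/dev/null 2>&1
openssl x509 -req -in mdm.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out mdm.pem >/dev/null 2>&1

# User cert as the MDM would push it: Subject CN carries the AD UPN.
openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
    -subj "/O=Example Corp/CN=atif@example.com" >/dev/null 2>&1
openssl x509 -req -in user.csr -CA mdm.pem -CAkey mdm.key -CAcreateserial \
    -days 1 -extfile user.ext -out user.pem >/dev/null 2>&1

# Same UPN, but issued by a CA that is NOT in the ISE trust store.
openssl req -new -newkey rsa:2048 -nodes -keyout rogue.key -out rogue.csr \
    -subj "/CN=Some Other CA" >/dev/null 2>&1
openssl x509 -req -in rogue.csr -signkey rogue.key -days 1 -extfile root.ext \
    -out rogue.pem >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout user2.key -out user2.csr \
    -subj "/O=Example Corp/CN=atif@example.com" >/dev/null 2>&1
openssl x509 -req -in user2.csr -CA rogue.pem -CAkey rogue.key -CAcreateserial \
    -days 1 -extfile user.ext -out user2.pem >/dev/null 2>&1

# --- Check 1: chain trust. root.pem + mdm.pem play the role of ISE's
# --- Trusted Certificates; -purpose sslclient also enforces the clientAuth EKU.
ise_trusts_chain() {
    openssl verify -purpose sslclient -CAfile root.pem -untrusted mdm.pem "$1" \
        >/dev/null 2>&1
}

# --- Check 2: identity element for the (optional) cert profile / AD lookup.
cert_identity() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

# --- Check 3: AuthZ. "Issuer contains <MDM CA name>" -> BYOD VLAN profile.
# Profile names are assumptions; an untrusted chain never reaches AuthZ.
authz_profile() {
    if ! ise_trusts_chain "$1"; then
        echo "REJECT_UNTRUSTED_CHAIN"
        return 0
    fi
    case "$(cert_issuer "$1")" in
        *"Example MDM Issuing CA"*) echo "BYOD_VLAN" ;;
        *)                          echo "DEFAULT_ACCESS" ;;
    esac
}

for c in user.pem user2.pem; do
    printf '%s: identity=%s issuer="%s" -> %s\n' \
        "$c" "$(cert_identity "$c")" "$(cert_issuer "$c")" "$(authz_profile "$c")"
done
```

The second user cert is the case worth keeping in mind: it carries exactly the same UPN in the CN, so an AuthZ rule written only on the identity element would match it. The chain check against the CA certs loaded into ISE is what stops it, which is why the reply puts the Root and intermediate CA import first.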