03-03-2014 08:13 AM - edited 03-10-2019 09:28 PM
I suspect I know the answer to this, but thought that I would throw it out there anyway...
With Cisco ISE 1.2, is it possible to enable 802.1x machine AND user smart card authentication simultaneously for wired/wireless clients (specifically Windows 7/8, but Linux or OSX would also be good)? I can find plenty of information regarding 802.1x machine authentication (EAP-TLS) and user password authentication (PEAP), but none about dual EAP-TLS authentication using certificates for machines and users at the same time. I think I can figure out how to configure such a policy in ISE, but options seem to be lacking on the client end. For example, the Windows 7 supplicant seems only able to present either a machine or user smart card certificate, not one then the other. Plus, I am not sure how the client would know which certificate to present, or if the type can be specified from the authenticator.
03-03-2014 10:00 AM
Hope this video link will help you
http://www.labminutes.com/sec0045_ise_1_1_wired_dot1x_machine_auth_eap-tls
10-24-2018 11:34 AM
I am facing this same dilemma. The labminutes video is good, but doesn't cover this case. In the video, both the user and machine certs are on the machine. The OP was asking about PIV card login for user and machine certs (on the machine) for the computer. Does anyone have a solve for this that uses the Windows Native Supplicant?
10-25-2018 03:37 PM
AFAIK it should work as long as the smart card driver/software/firmware is installed properly and the profile is configured properly. Perhaps these would help you: