ISE 802.1x EAP-TLS machine and smart card authentication

ryanhitch
Level 1

I suspect I know the answer to this, but thought that I would throw it out there anyway...

With Cisco ISE 1.2 is it possible to enable 802.1x machine AND user smart card authentication simultaneously for wired/wireless clients (specifically Windows 7/8, but Linux or OSX would also be good). I can find plenty of information regarding 802.1x machine authentication (EAP-TLS) and user password authentication (PEAP), but none about dual EAP-TLS authentication using certificates for machines and users at the same time. I think I can figure out how to configure such a policy in ISE, but options seem to be lacking on the client end. For example, the Windows 7 supplicant seems only able to present either a machine or user smart card certificate, not one then the other. Plus, I am not sure how the client would know which certificate to present, or if the type can be specified from the authenticator.


aamilbur
Cisco Employee

I am facing this same dilemma. The labminutes video is good, but doesn't cover this case. In the video, both the user and machine certs are on the machine. The OP was asking about PIV card login for user and machine certs (on the machine) for the computer. Does anyone have a solve for this that uses the Windows Native Supplicant?

AFAIK it should work as long as the smart card driver/software/firmware is installed properly and the profile is configured properly. Perhaps these would help you: