
ISE - Allowed Protocols (TEAP) - Client Certificate Query

GRANT3779
Spotlight

Hi CSC,

I'm wondering if someone could clarify the option highlighted in the attachment.

When implementing TEAP with EAP-TLS inner method I want to avoid the peer/client from sending its certificate details during the outer tunnel establishment so the phase 1 tunnel is based on server side certificate only. Is this the option below I need to have "unchecked" to achieve this? Or is there a Windows supplicant side setting required also, e.g. "Enable identity privacy"? Or both?
Basically I just want my EAP Peers (Windows clients) to only ever send their certificates once the outer tunnel is established during phase 1 and not before.

Thanks

TEAP.JPG


poongarg
Cisco Employee

With the "Enable Identity privacy" option enabled, the user identity doesn't populate in the outer EAP identity, but it populates in the inner EAP identity.

Unchecking the "Accept client certificate during tunnel establishment" option should be sufficient to prevent the ISE server from requesting the client certificate during outer TEAP tunnel establishment.