cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1391
Views
20
Helpful
1
Replies

ISE - Allowed Protocols (TEAP) - Client Certificate Query

GRANT3779
Spotlight
Spotlight

Hi CSC,

 

I'm wondering if someone to clarify the option highlighted in the attachment.

 

When implementing TEAP with EAP-TLS inner method I want avoid the peer/client from sending its certificate details during the outer tunnel establishment so the phase 1 tunnel is based on server side certificate only. Is this the option below I need to have "unchecked" to achieve this? Or is there a windows supplicant side setting required also, e.g "Enable identity privacy"? Or both?
Basically I just want my EAP Peers (windows clients) to only ever send their certificates once the outer tunnel is established during phase 1 and not before.

 

Thanks

 

TEAP.JPG

1 Reply 1

poongarg
Cisco Employee
Cisco Employee

With "Enable Identity privacy" option enabled the user identity doesn't populate in the outer EAP identity, but it populates in the inner EAP identity.

Unchecking the "Accept client certificate during tunnel establishment" should be sufficient to prevent the ISE server to request for client certificate during outer TEAP tunnel establishment.