02-06-2015 06:37 PM - edited 03-10-2019 10:25 PM
Hello,
We are implementing 802.1x EAP-TLS wired at the moment with Cisco ISE, and wireless is to come after that, along with our internal PKI. I set up the PKI, and our network engineer is setting up the ISE. We currently have it set to first authenticate the computers with a computer certificate (allowing access to AD, among some other things), and then further authenticate the users with user certificates.
I don't have much knowledge of Cisco ISE, and plan to learn as we go, but I'm wondering:
Is it possible to authenticate the computer via the computer certificate, getting access to AD, and then have the ISE check AD for the User certificate INSTEAD of the User certificate being in the local Personal store of the client computer? We have autoenrollment going for user certificates, but it seems to be cumbersome (in thought) that once 802.1x is enabled, a new computer/employee coming on the network has to first go to an unauthenticated port to be able to download the User certificate in the Personal store, before then being able to use an 802.1x port?
I guess that makes two questions:
1) Can ISE pull the user cert from AD, without needing it in the local Personal store?
2) What's the easiest way to handle new computers/users that don't already have the User cert in their local Personal store once 802.1x is enabled?
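As an added example (not part of the original thread), the following PowerShell snippet checks the situation the question describes from the client side: whether the machine and the current user each already hold a certificate that an EAP-TLS supplicant could present. It looks in the Personal (My) store for a certificate with a private key, inside its validity period, carrying the Client Authentication EKU and issued by the internal CA. The issuer name is an assumption and must be adjusted to your own PKI. If the user certificate is missing, it asks the autoenrollment client to run now with `certutil -pulse`, which still requires reachability to AD and the CA, the very catch the question raises.

```powershell
# Added example, not from the original thread. Checks whether the machine and the
# current user each hold a certificate usable for EAP-TLS: in the Personal (My)
# store, with a private key, within its validity period, carrying the Client
# Authentication EKU, and issued by the internal CA named below.
$InternalCA    = 'CN=Corp Issuing CA 01'   # assumed issuer DN fragment; change to match your CA
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'       # id-kp-clientAuth, required for EAP-TLS

function Get-EapTlsCertificate {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('LocalMachine', 'CurrentUser')]
        [string]$StoreLocation
    )
    $now = Get-Date
    Get-ChildItem -Path "Cert:\$StoreLocation\My" |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
            $_.Issuer -like "*$InternalCA*" -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
        } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1
}

# Machine certificate: what the computer presents for the first (machine) EAP-TLS auth.
$machineCert = Get-EapTlsCertificate -StoreLocation LocalMachine
if ($machineCert) {
    "Machine cert OK: $($machineCert.Subject) (expires $($machineCert.NotAfter))"
} else {
    "No usable machine certificate in Cert:\LocalMachine\My"
}

# User certificate: what the supplicant presents for the user EAP-TLS auth.
$userCert = Get-EapTlsCertificate -StoreLocation CurrentUser
if ($userCert) {
    "User cert OK: $($userCert.Subject) (expires $($userCert.NotAfter))"
} else {
    "No usable user certificate in Cert:\CurrentUser\My; triggering autoenrollment"
    # certutil -pulse asks the autoenrollment client to run immediately instead of
    # waiting for its next scheduled pass. It only succeeds if AD and the CA are
    # reachable, so on a port that only allows machine-authenticated access the
    # machine certificate above must already have been accepted.
    certutil -pulse | Out-Null
}
```

Run it as the new user on the new machine after the computer has authenticated; if the user branch reports a missing certificate even after the pulse, the port's machine-only authorization is not reaching the CA, which is the gap the question is about.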
02-07-2015 05:12 PM
1) No
2) Use EAP-Chaining with EAP-TLS and PEAP
For this scenario, I would go with Cisco AnyConnect NAM and then use EAP-Chaining, with EAP-TLS for machine auth and then PEAP for user authentication. This way you can make sure that both the machine and the user are authenticated, and more importantly, that a user cannot get on the network with their user identity only and no machine identity. Using Windows' own supplicant for this gives no guarantee that the user has logged in from an authenticated machine. The feature that used to be used for this before EAP-Chaining was introduced is called MAR, and it has many problems, making it almost useless in a corporate environment. Security-wise, the PEAP-MSCHAPv2 is tunneled in EAP-FAST and does not have the same security issues as regular PEAP.