Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1724
Views
0
Helpful
2
Replies

ISE and EAP-TLS + EAP-MD5

Go to solution
support-reseaux-filiales
Level 1
Level 1

‎09-02-2016 06:44 AM - edited ‎03-11-2019 12:03 AM

Dear all,

 

I've issue with Cisco ISE 2.0.1.130.

All computers are joined to the Active Direcory domain (2008 2), and I make authentication for all devices (Cisco IP phones and Windows computers and for printers).

 

I’ve issue with Cisco ISE because I’ve 3 rules on my authentication policy :

  • Printers : MAB
  • IP Phones : EAP-MD5
  • Computers : EAP-TLS

 


My problem is that when I add rules EAP-MD5 + EAP-TLS it’s not working:

  • EAP-MD5 at the first and EAP-TLS at the second place

Result: my IP phones are working but my computers are not working because my computers try to authenticate with eap-md5 and not eap-tls

 

  • EAP-TLS at the first and EAP-MD5 at the second place

Result: my IP phones are not working but my computers are working because my IP Phones try to authenticate with eap-tls and not eap-md5.


My rules :

  • EAP-MD5-CiscoPhones => Wired_802.1X => Allowed protocol : EAP-MD5 => internal Users
  • EAP-TLS CiscoPhones => Wired_802.1X => Allowed protocol : EAP-TLS => Authentication with Certificate in AD

authentication_policy.jpg

authentication policy

And the result :

result.jpg

result

As you can see the computer is not authenticated and not used EAP-TLS.

Have you any idea to solved the issue ?

Thanks in advance for your help.

Best regard

Labels:
Preview file
53 KB
Preview file
71 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jan.nielsen
Level 7
Level 7

‎09-03-2016 11:48 AM

Your computers are ending up in the phone authentication rule, because you only use wired_dot1x as your condition for what will matche the rule. Instead you need to have one authentication rule, and then allow both EAP-MD5 and EAP-TLS in that rule, then use a identity source sequence, to select the identity stores you wan't to look in (internal user, ad, and so on). The Allowed protocols setting is not used to select the rule its the result of the conditions.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
jan.nielsen
Level 7
Level 7

‎09-03-2016 11:48 AM

Your computers are ending up in the phone authentication rule, because you only use wired_dot1x as your condition for what will matche the rule. Instead you need to have one authentication rule, and then allow both EAP-MD5 and EAP-TLS in that rule, then use a identity source sequence, to select the identity stores you wan't to look in (internal user, ad, and so on). The Allowed protocols setting is not used to select the rule its the result of the conditions.

0 Helpful

Go to solution
support-reseaux-filiales
Level 1
Level 1
In response to jan.nielsen

‎09-05-2016 06:04 AM

Hello,

thanks i just add an radius attribute on my Authentication Compound Conditions .

Thnaks again.

0 Helpful
Customers Also Viewed These Support Documents