Solved: ISE and Windows Hello integration

mskjaldgaard · ‎05-26-2021

Hi,

We have a customer that currently is running with Anyconnect NAM for EAP chaining, using machine cert and user/pass.

All that is working fine with ISE.

Now the customer is very interested in using Windows Hello to login on their PCs, which presents a challenge as NAM no longer can get a username to pass for authentication.

Has anyone tried Windows Hello combined with ISE?

Will EAP chaining using NAM be the way to go, or will TEAP be a better way to solve this.

Any input is welcome.

Mike.Cifelli · ‎05-26-2021

Will EAP chaining using NAM be the way to go, or will TEAP be a better way to solve this.

-Not sure, but if switching to TEAP you should know that there are minimum reqs for Win and ISE versions in order to support TEAP. This should help: Using TEAP for EAP Chaining – Cisco ISE Tips, Tricks, and Lessons Learned (ise-support.com)

View solution in original post

thomas · ‎05-26-2021

Windows Hello offer 2 types of underlying credentials : certificates or key pair.

For 802.1X, only certificates can be passed from the supplicant to ISE for authentication.

View solution in original post

Mike.Cifelli · ‎05-26-2021

Will EAP chaining using NAM be the way to go, or will TEAP be a better way to solve this.

-Not sure, but if switching to TEAP you should know that there are minimum reqs for Win and ISE versions in order to support TEAP. This should help: Using TEAP for EAP Chaining – Cisco ISE Tips, Tricks, and Lessons Learned (ise-support.com)

thomas · ‎05-26-2021

Windows Hello offer 2 types of underlying credentials : certificates or key pair.

For 802.1X, only certificates can be passed from the supplicant to ISE for authentication.