04-27-2024 05:08 AM
Hello Guys,
I need help to validate whether my understanding is correct.
I'm new to ISE, I know some rules but I can't progress with my client's problem.
1 - He has an AD, but there is no GPO policy for Wireless.
2 - There is a rule in ISE that first validates the machine, then the user, and if both match, it is released to the corporate network.
If it doesn't match on the machine (client's domain), it receives a different VLAN and falls under the BYOD rule.
To get around it without AD support, we tried to change the rules for TEAP, however, as there are many machines, we would have to do this via GPO, and the experts were unable to do so.
Questions:
1 - Is there any way to validate the user and machine without a specific GPO for Wireless (802.1x)?
2 - If not, the team should create a GPO that installs the certificate on the machine, right? Then I would have to change my rule to TLS, is that right? But could you share some example/video on how I should configure this rule? I think that to authenticate the visitor's machine (if it doesn't have the certificate), I don't know if it would be the same rule, for example:
Rule 1:
AND: EAP-TLS
AND: AD
AND: Certificate Subject - Common Name Starts_With "string x, y, or z"
Result => VLAN Permit 56
And if you don't fall under this rule
Rule 2:
AND: Radius Called Stations ID (SSID)
AND: AD External to the client (domain user)
Result => VLAN Permit 57 (BYOD Rule - User's own machine)
Does that make sense?
04-29-2024 05:55 AM
1. You can manually configure all supplicants.
Sounds like an MDM would be a great use-case here. How are the machines managed? How are they secured? What is the use-case for allowing unmanaged machines onto the protected network?
A GPO (for Windows domain-joined devices) or an MDM would be the best scenario here.
04-29-2024 09:44 AM
Hi @ahollifield
I Hope you are well.
Thank you for the answer.
That's the issue, today there is no GPO for Wireless. No GPO, no machine certificate and no rule that reads the certificate parameter.
TEAP worked, however, the customer support team was unable to enable TEAP in a new GPO.
Regarding a Wireless GPO (TEAP), and with a certificate, would only configuring this TLS rule with a certificate be functional? In other words, TLS machines with the client's certificate matching the first rule, and those that are not from collaborators (outside the domain), would only validate the WiFi user when connecting to the network, would it simply work like that?
04-29-2024 04:11 PM
What issue did they have with GPO? TEAP configuration is supported in both Intune and GPO.
Yes it would, as long as they are issuing both user and machine certificates? If there is only a single certificate on the machine then there would be no value of using TEAP, just use EAP-TLS.
How would the "collaborators" receive a certificate though? Are you proposing using PEAP for those users? If so, PEAP is broken from an encryption standpoint. AD credentials should not be entered into unmanaged machines.
04-29-2024 04:17 PM
Hello @ahollifield
They informed that the TEAP option did not appear in the configuration, I shared some support links, but they gave up and informed that they will create a policy for TLS.
As there is no certificate, nor a Wireless policy in AD (GPO), PEAP is the normal authentication, which is why sometimes it works, and sometimes it doesn't.
I think that with the Wireless GPO and the adjustments to the rule to validate the certificate, it will work fine.
I just don't know, if the certificate doesn't match and it's a personal machine, whether the authentication will work. I need to study a little more what the new rule will be like with TLS + Certificate.
04-29-2024 06:48 PM
TLS is certificate auth. If the device is a personal device and not enrolled in AD, it won’t get a certificate and will not be able to use EAP-TLS
04-30-2024 01:47 AM
OK! I understand, so I need to think of a rule/network for third-party personal machines.
The visitor has Guest, which is configured as MAB, and third parties, who are registered in the user domain, I need to think of a rule for them. About how they will be able to access my client's environment.
Thank you!
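A small model of the two rules from the first post, plus the point made in the accepted reply (a personal machine with no certificate fails EAP-TLS authentication before any authorization rule is evaluated). This is an added example in Python, not code from the thread or from Cisco ISE; the SSID name and the CN prefixes are placeholders standing in for the real values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Session:
    """Facts about one connection attempt, as ISE would see them (constructed, simplified)."""
    eap_method: str                 # "EAP-TLS", "PEAP", "MAB", ...
    ssid: str                       # SSID part of the RADIUS Called-Station-ID
    machine_in_ad: bool             # machine account found in the customer's AD
    user_in_ad: bool                # user account found in the customer's AD
    cert_cn: Optional[str] = None   # Subject CN of the client certificate, if one was presented

# Placeholders for the "string x, y, or z" prefixes and the corporate SSID (assumptions).
CORP_CN_PREFIXES = ("CORP-", "LAPTOP-")
CORP_SSID = "Corp-WiFi"

def authenticate(s: Session) -> Optional[str]:
    """Authentication runs before authorization: returns a reject reason, or None on success."""
    if s.eap_method == "EAP-TLS" and s.cert_cn is None:
        # The accepted reply's point: no certificate means EAP-TLS cannot complete at all.
        return "REJECT: EAP-TLS requires a client certificate"
    return None

def rule_1_corporate(s: Session) -> Optional[str]:
    """Rule 1: EAP-TLS AND AD machine AND certificate CN starts with x, y or z -> VLAN 56."""
    if (s.eap_method == "EAP-TLS" and s.machine_in_ad and s.cert_cn is not None
            and s.cert_cn.startswith(CORP_CN_PREFIXES)):
        return "VLAN 56"
    return None

def rule_2_byod(s: Session) -> Optional[str]:
    """Rule 2: corporate SSID AND AD domain user (user's own machine) -> VLAN 57."""
    if s.ssid == CORP_SSID and s.user_in_ad:
        return "VLAN 57"
    return None

RULES = (rule_1_corporate, rule_2_byod)   # evaluated top-down, first match wins

def authorize(s: Session) -> str:
    """Full flow: authentication gate, then first-match authorization, then implicit deny."""
    reject = authenticate(s)
    if reject:
        return reject
    for rule in RULES:
        result = rule(s)
        if result:
            return result
    return "DenyAccess"   # nothing matched, e.g. a guest device that belongs on the MAB SSID
```

Running the corporate laptop, the personal machine with an AD user, and a guest device through `authorize` shows why the thread ends with "I need to think of a rule for third-party personal machines": without a certificate they never reach Rule 1, and only Rule 2 or a separate rule can place them.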