Showing results for 
Search instead for 
Did you mean: 

ISE Certificate based authentication

Richard Lucht

I have been working with ISE for a few weeks now.  The main thing I worked on was getting the secondary up and synced with the primary.  Then I worked on getting some policies in place to access various vendors or networking gear.  My next project is to set up certificate based authentication for wireless and wired clients.


I am more interested in getting the wireless portion up and running first.  I have a task to get windows machines running Windows 10 to connect to a wifi network with the use of a username or password.  The main goal is to use certs, I am also open to putting the PCs in a Domain group and using that to authenticate.  I have ISE 2.3, with a WLAN Controller 8.2  , for testing I will use a cert that is already issued form our CA.  

If anyone has done this I would greatly appreciate the help.  I am looking for steps or at least a direction to take this.

4 Replies 4

Rahul Govindan

Not sure if there exists a document or guide to do this with ISE 2.3. You may refer some of the below blogs and videos to get you started with an older ISE version:


For ISE 2.3, you may want to refer to the changes in how the policy sets/rules are constructed. The following guide may help:


P.S: Credit goes to the original authors of the guides/videos.





I have the same problem, did u solved it ?

VIP Advisor VIP Advisor
VIP Advisor
A few things you will want to consider while working towards accomplishing your end goal:
Are you going to use the windows native supplicant to work with 8021x for certificate authentication?
If so, you can use GPOs to configure the supplicant of domain joined hosts. Also, within these GPOs configure PKI auto-enrollment to automate the process of certificate deployment. I assume in this scenario you would use PEAP (eap-tls).
Are you planning to authenticate just the host (computer) or is there a desire to implement user + computer certificate authentication?
If there is a desire to require authentication of both then I suggest you should use Cisco AnyConnect NAM module. This will allow you to use eap-fast which utilizes eap-chaining of both user + computer authentication. As far as I know windows OS native supplicant does not support eap-fast nor the industry standard eap-teap that supports eap-chaining.
Determine if you will require any hosts in your environment to fallback and authenticate via mab. For example, maybe you have printers that do not support certificate auth. This will assist you in your policy set build out since you would need to build out endpoint identity groups with the respective mac addresses.
In my experience utilizing several conditions in your authorization policies tends to provide more requirements therefore making it more secure. Using AD security groups is typically a common condition that a lot of deployments use so your idea is a good one.


Hi Richard,

I have deployed Wireless 802.1x with EAP-TLS successfully (Certificate authentication) in my company.
I can assist you:
1- you need to have the CA-Cert that signed the Clients in the ISE certificate trusted store (use for eap-authentication).
2- I presume you also created an ISE identity certificate that by a CA that the PCs have the Cert in the trusted root CA store.
3- you need to create a Cert Auth Profile (CAP) (that normally points to the Subject CN field in the certificate) with Active directory lookup.
like this when the PC tries to connect it will present the CN value that will be checked in AD this means that the user exists.
4- Create Authc policy set pointing to the WLC devices NAD and wireless 802.1X with allowed protocol = EAP-TLS to tighten the security.
5- Create AuthC rule that says the following:
if Certificate issuer common name eq X then use the CAP created earlier.
6- Create authz rule that says the following:
if Raduis-called station ID eq "your SSID" AND Certificate issuer common name eq X Then apply Authz profile
- The authZ profile can have an a VLAN and/or DACL to push to the connected client.
7- On the WLC you need to create ISE as radius with WPA2-Enterprise Authentication type for EAP-TLS and assign it to the Wireless Profile you want to use.
8- on the PCs you have to create a Wireless Profile using wPA2-Enterprise AES
Microsoft smartcard of certificate with user authentication.
Of course you can do things differently as the above and be more granular in your policies.
This was a general idea :)

Please rate if helpfull

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers