
ISE does not see the local machine cert...

I'm having issues with trying to configure ISE to do the following for wireless PCs:

1) Authenticate a Windows machine using the client cert from a CA server. (These are resources owned by me.)

2) Authenticate the user via AD.

I've tested user authentication via AD and it works.
I've configured a policy that says, "If connecting to WLAN "x" AND has a certificate with the "issuer" filled in with "acme.root-ca1" AND user ID group is "AD" with field "Domain Users", then allow..."

I've configured a Cert Profile, AD, etc., but nothing seems to be working. Any help would be greatly appreciated.

Accepted Solution
VIP Collaborator

If you are using the built-in Microsoft supplicant, then the machine can only be in either the machine state or the user state. It will never send both machine credentials AND user credentials in the same request. When a machine boots up and before someone logs in, it will be in the machine state and will send machine credentials. Once someone logs in, it switches to user state and sends user credentials. There is no way to tie those two together in the same authentication request unless you do EAP-Chaining, which requires EAP-FAST and the AnyConnect NAM supplicant.

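To make the accepted answer concrete, here is an added toy model (not code from the thread or from Cisco ISE) of how a first-match authorization policy behaves against the requests a native Windows supplicant actually sends. The attribute names, the SSID `corp-wlan`, the host and user identities and the rule names are all constructed for the example; only the issuer `acme.root-ca1` and the group `Domain Users` come from the question. The machine-state request carries the machine certificate, the user-state request carries only AD user credentials (modelled as PEAP, so no certificate), and a third request stands in for what an EAP-Chaining supplicant would yield. The single combined rule from the question matches neither native-supplicant request; splitting it into a machine rule and a user rule gives each state something to match.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple

# Constructed stand-ins for the facts a NAC server has when it evaluates a rule.
# These are simplified model attributes, NOT ISE dictionary attribute names.
WLAN_NAME = "corp-wlan"        # the "WLAN x" from the question (assumed name)
CA_ISSUER = "acme.root-ca1"    # issuer named in the question's condition
USER_GROUP = "Domain Users"    # AD group named in the question's condition


@dataclass(frozen=True)
class AuthRequest:
    ssid: str
    identity: str                             # EAP identity as presented
    cert_issuer: Optional[str] = None         # client cert issuer, if EAP-TLS
    ad_groups: FrozenSet[str] = frozenset()   # AD groups resolved for identity
    machine_authenticated: bool = False       # machine identity verified here
    user_authenticated: bool = False          # user identity verified here


Rule = Tuple[str, Callable[[AuthRequest], bool]]


def evaluate(policy: List[Rule], req: AuthRequest) -> Optional[str]:
    """First-match evaluation: name of the first rule whose condition holds."""
    for name, cond in policy:
        if cond(req):
            return name
    return None


# The two requests the built-in Windows supplicant sends, one at a time,
# never both in one session. Constructed sample data.
MACHINE_STATE = AuthRequest(            # before logon: machine cert only
    ssid=WLAN_NAME, identity="host/PC01.acme.example",
    cert_issuer=CA_ISSUER, ad_groups=frozenset({"Domain Computers"}),
    machine_authenticated=True)

USER_STATE = AuthRequest(               # after logon: user credentials only
    ssid=WLAN_NAME, identity="ACME\\jdoe",
    cert_issuer=None, ad_groups=frozenset({USER_GROUP}),
    user_authenticated=True)

# What an EAP-Chaining capable supplicant yields: both identities in one session.
CHAINED = AuthRequest(
    ssid=WLAN_NAME, identity="ACME\\jdoe",
    cert_issuer=CA_ISSUER, ad_groups=frozenset({USER_GROUP}),
    machine_authenticated=True, user_authenticated=True)

# The rule exactly as the question describes it: all three conditions in ONE rule.
COMBINED_POLICY: List[Rule] = [
    ("allow-cert-and-ad", lambda r: r.ssid == WLAN_NAME
                                    and r.cert_issuer == CA_ISSUER
                                    and USER_GROUP in r.ad_groups),
]

# One rule per supplicant state, so each request the native supplicant
# can actually send has a rule it is able to match.
SPLIT_POLICY: List[Rule] = [
    ("allow-machine-cert", lambda r: r.ssid == WLAN_NAME
                                     and r.machine_authenticated
                                     and r.cert_issuer == CA_ISSUER),
    ("allow-user-ad", lambda r: r.ssid == WLAN_NAME
                                and r.user_authenticated
                                and USER_GROUP in r.ad_groups),
]


def outcome(policy: List[Rule], requests: List[AuthRequest]) -> dict:
    """Map each request's identity to the rule it matched (None = no match)."""
    return {req.identity: evaluate(policy, req) for req in requests}


if __name__ == "__main__":
    for label, policy in (("combined", COMBINED_POLICY), ("split", SPLIT_POLICY)):
        print(label, outcome(policy, [MACHINE_STATE, USER_STATE, CHAINED]))
```

Running it shows the combined rule only ever matches the chained request, which the Microsoft supplicant never produces; with the split policy the machine-state request lands on the machine rule and the user-state request on the user rule. The model deliberately ignores the server-side tricks (such as remembering a recent machine authentication across sessions) that the answer does not mention.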