ISE dot1x machine authentication

Greg W
Level 1

All,

 

I have a situation where my customer wants to do dot1x machine authentication, but the corporate machines don't (and won't) have certificates signed by their root/intermediate CAs, which signed the ISE certs. The reason is that their CA issues server certs, but not workstation certs. I'm not crazy about it, but it is what it is. What is the best method here, then?

 

Another requirement (or at least strongly preferred) is that the machine can be authenticated while not signed in/unattended, to be able to receive GPO updates, etc. Does this leave me doing certificates issued from ISE? If I do PEAP, the machine would need to be logged in to be authenticated, right?

 

Either way, can someone point me to a resource that's less confusing than the admin guide, preferably where the machines aren't getting issued certs from the same CA as ISE?

1 Accepted Solution

Arne Bier
VIP

Hi @Greg W

 

On the first point of the customer's decision not to use the same PKI to sign ISE certs and client certs - that's actually not a problem.

The PKI that signs the ISE Admin and EAP certs can be a totally different PKI to the one that creates/issues/distributes the client certs. ISE just needs to have that CA chain in its Trusted Certs store. That's it. And the clients just need to have the ISE EAP cert CA chain in their trust store.

 

If 802.1X is too much hassle then, have you looked at Easy Connect? I have not done it myself but it looks like an interesting proposition in cases where 802.1X won't fly due to some reason. It's not as secure as 802.1X but it's a step in the right direction.

 

 


4 Replies

Greg W
Level 1
Is MAR maybe the best solution here? The users are already authenticated via smartcards. They primarily want to ensure the security of LAN ports so non-corporate devices get no access to the network.


Arne,

 

Thanks for your response. I'm not sure what certs the clients have on them. Would Windows machines typically have a cert that's already trusted in ISE, or that could be easily/quickly downloaded to the ISE trusted cert store? If so, I could just push the ISE EAP cert CA chain down to them and I think I'd be good to go.

 

Once that is worked out, I think I could just do machine authentication based on their machine account in AD, correct? Then "Network access=wasmachineauthenticated" + their smartcard certificate for user auth.

The ISE system certificate for EAP has to be installed on the nodes that run Policy Services (i.e. the RADIUS work horse). If this cert is signed by a public CA (DigiCert or whatever) then it's a simple job. The clients will normally have this CA chain installed (Windows/OSX etc). Nothing to do there. If the ISE cert was signed by a non-public CA, then you need to install that CA cert chain on the clients. If that's not possible, then you can also cheat and tell the clients to not trust the RADIUS Authentication Server (but this is just a hack, not a long term solution; you want to perform this check for better security).

I don't know much about MAR, but I think you will find others on this forum who do. I have only done very simple EAP-PEAP and EAP-TLS ("smartcard") authentications, where the WLC/Switch always sends the request to ISE when a client roams or connects.