ISE EAP-TLS: Is AD user group/PEAP/MSCHAPv2 with machine/PEAP/EAP-TLS (i.e. machine cert) possible?

KelvinT, Level 1

ISE 2.4 patch 9.

Win10 native supplicant

Hello,

Is it possible to use PEAP/MSCHAPv2 for the AD user group and PEAP/EAP-TLS for the machine cert?

The customer wants to use a machine cert only but wants to push a VLAN per AD user group.

Is this possible?

3 Replies

jj27, Spotlight

Unfortunately, no, the configuration is done at the computer level.

You would have to use the AnyConnect with the NAM installed to be able to utilize different authentication protocols per use-case.  If you want to use the Microsoft supplicant, you'll have to deploy user-based certificates as well and that can be achieved by utilizing Microsoft GPO as I imagine they already have for the machine certificates.

You could utilize computer AD groups to drop them onto different VLANs but that may prove difficult because then it would affect any user logged into the computer. It just depends on how your users operate.

Hello,

Can you pull AD group info from AD using a PEAP outer / EAP-TLS inner configuration on the Windows native supplicant and an ISE authC policy? I mean, a cert really only lets you know whether the device and/or user is corporate.

So unless the cert has the AD user group in the SAN or CN, it isn't possible for ISE to pull that info from it, right?

If there is, what's the authZ policy condition?

Thanks

I'm not quite sure if I completely understand the question or the reason for using PEAP(EAP-TLS) over just straight EAP-TLS.

ISE does not check AD Group membership of the User or Computer credential presented by the supplicant during Authentication, but it is common to configure a Certificate Authentication Profile that specifies AD as the Identity Store, configure an Identity Source Sequence that includes that CAP, and use that ISS as the identity source in the AuthC Policy. When doing this, ISE will check the credential presented in the certificate to verify that it is a valid User/Computer account in AD as part of the Authentication.

You would then use an AuthZ Policy that includes a matching condition for a specified AD Group (Domain Users, Domain Computers, or something more specific if required).
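The following is an added example, not code from the thread or from Cisco ISE: a small Python model of the two-stage flow described in the last two replies (a CAP maps the certificate identity to an AD account, authentication only confirms that account exists, and the authorization policy matches on AD group), and of the question raised earlier about where the group condition lives. The AD domain name, accounts, group names, hostnames and VLAN numbers are all constructed for illustration. It also shows the consequence for the original question: a machine certificate resolves to the computer account, so only computer-group rules can match it.

```python
"""Constructed model of ISE EAP-TLS authentication with AD as the identity
store, followed by an AD-group-based authorization policy.

This is illustration code, not Cisco ISE code. Directory contents, hostnames,
group names and VLAN numbers below are made up.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for an AD domain: account name -> group memberships.
AD_DOMAIN = "corp.example"
AD_ACCOUNTS = {
    "WKS-001$": {"Domain Computers", "Finance-Workstations"},
    "alice": {"Domain Users", "Finance"},
    "bob": {"Domain Users", "Engineering"},
}


@dataclass(frozen=True)
class Cert:
    """The client-certificate fields a CAP can select (constructed shape)."""
    subject_cn: str
    san_upn: Optional[str] = None   # user certs, e.g. alice@corp.example
    san_dns: Optional[str] = None   # machine certs, e.g. wks-001.corp.example


def cap_identity(cert: Cert) -> Optional[str]:
    """CAP step: choose the certificate attribute used as the AD identity.

    A UPN in the SAN names a user account; a DNS name in the SAN is mapped to
    the computer account (hostname + '$'). Returns None when the certificate
    carries neither, so no AD lookup is possible and authentication fails.
    """
    if cert.san_upn and cert.san_upn.lower().endswith("@" + AD_DOMAIN):
        return cert.san_upn.split("@", 1)[0]
    if cert.san_dns and cert.san_dns.lower().endswith("." + AD_DOMAIN):
        host = cert.san_dns.split(".", 1)[0]
        return host.upper() + "$"
    return None


def authenticate(cert: Cert) -> Optional[str]:
    """AuthC step: after TLS validation, confirm the identity exists in AD.

    No group membership is evaluated here; the only question is whether the
    certificate maps to a real AD user or computer account.
    """
    identity = cap_identity(cert)
    if identity is None or identity not in AD_ACCOUNTS:
        return None
    return identity


# AuthZ rules, evaluated top down, first match wins (constructed policy).
# Each condition is an AD group the *authenticated* identity must belong to.
AUTHZ_RULES = [
    ("Finance users",      "Finance",              {"vlan": 110}),
    ("Engineering users",  "Engineering",          {"vlan": 120}),
    ("Finance machines",   "Finance-Workstations", {"vlan": 910}),
    ("Any domain machine", "Domain Computers",     {"vlan": 900}),
]


def authorize(account: str) -> Optional[dict]:
    """AuthZ step: look up the account's groups in AD and match the rules."""
    groups = AD_ACCOUNTS.get(account, set())
    for _name, required_group, result in AUTHZ_RULES:
        if required_group in groups:
            return result
    return None


def evaluate(cert: Cert) -> dict:
    """Run both stages and report the decision for one session."""
    account = authenticate(cert)
    if account is None:
        return {"authc": "fail", "account": None, "vlan": None}
    result = authorize(account)
    return {"authc": "pass", "account": account,
            "vlan": result["vlan"] if result else None}


if __name__ == "__main__":
    machine_cert = Cert(subject_cn="wks-001.corp.example",
                        san_dns="wks-001.corp.example")
    user_cert = Cert(subject_cn="Alice", san_upn="alice@corp.example")
    # The machine cert yields the computer account, so user-group rules
    # (Finance, Engineering) can never match it; only machine rules do.
    print(evaluate(machine_cert))
    print(evaluate(user_cert))
```

The point the model makes concrete: the VLAN is chosen from the groups of whatever AD account the presented credential resolves to. With machine-cert-only EAP-TLS that is always the computer account, so a per-user-group VLAN needs a credential that identifies the user (a user certificate, or a user PEAP/MSCHAPv2 login).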