ISE EAP-TLS machine and user AD group check in authorization policy

balmain99
Level 1

Using ISE EAP-TLS with a machine cert, so the SAN in my cert contains the computer name.

How can I use the Windows username in an authorization policy to check whether it belongs to a particular AD group?

Accepted Solution

Damien Miller
VIP Alumni

If you are looking to authenticate both the machine and the user at the same time, then there are really two suitable ways to do this: EAP-Chaining with the AnyConnect NAM module as the supplicant, or EAP-TEAP, support for which was introduced in ISE 2.7+, but only Windows 10 build 2004+ supports this today.

If you want to authenticate just the user, then you can use the native supplicant with machine or user configured; then, when a user logs in, the user cert or username/password can be used. When a user is not logged in, a machine cert is typically used for network access.


5 Replies

Thanks Damien, so just by using a machine cert only, there is no way to do what I am asking. If, on the other hand, I had used a user certificate, I would be able to split users and give them different access based on AD group membership using authorization rules.
This should weigh in quite significantly, then, when choosing between user-only or machine-only certificate authentication.

Be aware that there are many caveats around using EAP-TLS with user certificates, especially around how the enrollment happens and lifecycle management. See the following post for more information:

https://community.cisco.com/t5/network-access-control/ise-deployment-eap-tls-machine-or-user-certificates-native/td-p/4094444


Hi Damien, Greg

I have a quite similar task: authC/authZ of a session with AND'ed conditions, i.e. the machine cert is OK from the AD perspective and the user's credentials are as well (against AD also).

As I understand, there will be 2 authC sessions: the 1st for the machine (with cert verification) and the 2nd for the user (with credential verification), right?

Then authZ should happen for each session (let's say the machine's authZ profile with Access-Accept and the user's authZ with, let's say, dACL installation). Meaning I won't combine conditions into a single rule but will authC/authZ each session separately. For me it sounds pretty achievable on the ISE.

What I'm thinking about as a real obstacle is that on the PC, authentication unlikely can be configured in a twofold manner, namely: enforce both machine cert authentication and authentication by the user's AD creds. What do you think?