cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3131
Views
10
Helpful
6
Replies

ISE EAP-TLS Multiples domains single SSID

Bthene
Level 1
Level 1

Lets say you have two domains and they both use certonly-EAP-TLS for authentication.

Domain1 computers, phones etc.

Domain2 computers.

They use the same network infrastructure (same SSID).

All RADIUS request end up at one ISE that has policy for domain1.

The same ISE also have a proxy to another RADIUS-Server assigned for domain2.

 

Is there any smart way to pull request apart to different domains in the Policy Set stage to be able to have one single SSID?

2 Accepted Solutions

Accepted Solutions

Hello @Bthene 

 

The RADIUS User-Name attribute should be populated by the Authenticator (WLAN Controller). It speaks EAP, pulls out the relevant data from the start of the EAP-TLS conversation and packs it into the initial RADIUS Access-Request.

Have a look at a tcpdump of your two use cases, and then make a Policy Set condition where the RADIUS User-Name is one of the deciding factors of which Identity Source you need to use.

 

hope that helps

Arne

View solution in original post

Ah.. you are correct. The certificate matching conditions are not available at the Policy Set level. Since the Proxy Sequence is configured at the Policy Set level from ISE 2.3+, you will need to use a RADIUS: User-Name matching condition similar to this updated guide:

Configuring eduroam on Cisco Identity Services Engine (ISE) 

 

You will need to ensure that your certificate enrollment uses the User Principal Name (UPN) format for the CN so that the client includes the '@<domain fqdn>' suffix in the RADIUS User-Name value.

View solution in original post

6 Replies 6

Greg Gibbs
Cisco Employee
Cisco Employee

This sounds like it might be a similar scenario to an Eduroam use case. Have a look at Configuring eduroam on Cisco Identity Services Engine (ISE) 2.1  as an example.

If you're using PEAP, you would need to ensure the username includes the '@<domain>' suffix. If you're using EAP-TLS and the certificates have different Issuer CAs, you could use a match like "CERTIFICATE·Issuer - Common Name EQUALS <CN>"

I cant pick match ”CERTIFICATE” at that stage, in a policy you can but not in the top level where you define proxy i cant find that choice.

What version of ISE are you using?

Virutal 2.6.X Eval

 

toppolicy.png

Hello @Bthene 

 

The RADIUS User-Name attribute should be populated by the Authenticator (WLAN Controller). It speaks EAP, pulls out the relevant data from the start of the EAP-TLS conversation and packs it into the initial RADIUS Access-Request.

Have a look at a tcpdump of your two use cases, and then make a Policy Set condition where the RADIUS User-Name is one of the deciding factors of which Identity Source you need to use.

 

hope that helps

Arne

Ah.. you are correct. The certificate matching conditions are not available at the Policy Set level. Since the Proxy Sequence is configured at the Policy Set level from ISE 2.3+, you will need to use a RADIUS: User-Name matching condition similar to this updated guide:

Configuring eduroam on Cisco Identity Services Engine (ISE) 

 

You will need to ensure that your certificate enrollment uses the User Principal Name (UPN) format for the CN so that the client includes the '@<domain fqdn>' suffix in the RADIUS User-Name value.