Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3106
Views
10
Helpful
6
Replies

ISE EAP-TLS Multiples domains single SSID

Go to solution
Bthene
Level 1
Level 1

‎08-26-2020 12:43 PM

Lets say you have two domains and they both use certonly-EAP-TLS for authentication.

Domain1 computers, phones etc.

Domain2 computers.

They use the same network infrastructure (same SSID).

All RADIUS request end up at one ISE that has policy for domain1.

The same ISE also have a proxy to another RADIUS-Server assigned for domain2.

 

Is there any smart way to pull request apart to different domains in the Policy Set stage to be able to have one single SSID?

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP
In response to Bthene

‎08-30-2020 04:29 PM

Hello @Bthene 

 

The RADIUS User-Name attribute should be populated by the Authenticator (WLAN Controller). It speaks EAP, pulls out the relevant data from the start of the EAP-TLS conversation and packs it into the initial RADIUS Access-Request.

Have a look at a tcpdump of your two use cases, and then make a Policy Set condition where the RADIUS User-Name is one of the deciding factors of which Identity Source you need to use.

 

hope that helps

Arne

View solution in original post

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to Bthene

‎08-30-2020 05:01 PM

Ah.. you are correct. The certificate matching conditions are not available at the Policy Set level. Since the Proxy Sequence is configured at the Policy Set level from ISE 2.3+, you will need to use a RADIUS: User-Name matching condition similar to this updated guide:

Configuring eduroam on Cisco Identity Services Engine (ISE) 

 

You will need to ensure that your certificate enrollment uses the User Principal Name (UPN) format for the CN so that the client includes the '@<domain fqdn>' suffix in the RADIUS User-Name value.

View solution in original post

6 Replies 6

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎08-26-2020 04:11 PM

This sounds like it might be a similar scenario to an Eduroam use case. Have a look at Configuring eduroam on Cisco Identity Services Engine (ISE) 2.1  as an example.

If you're using PEAP, you would need to ensure the username includes the '@<domain>' suffix. If you're using EAP-TLS and the certificates have different Issuer CAs, you could use a match like "CERTIFICATE·Issuer - Common Name EQUALS <CN>"

0 Helpful

Go to solution
Bthene
Level 1
Level 1
In response to Greg Gibbs

‎08-26-2020 09:57 PM

I cant pick match ”CERTIFICATE” at that stage, in a policy you can but not in the top level where you define proxy i cant find that choice.
0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to Bthene

‎08-27-2020 04:50 PM

What version of ISE are you using?

0 Helpful

Go to solution
Bthene
Level 1
Level 1
In response to Greg Gibbs

‎08-28-2020 12:49 PM

Virutal 2.6.X Eval

 

toppolicy.png

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to Bthene

‎08-30-2020 04:29 PM

Hello @Bthene 

 

The RADIUS User-Name attribute should be populated by the Authenticator (WLAN Controller). It speaks EAP, pulls out the relevant data from the start of the EAP-TLS conversation and packs it into the initial RADIUS Access-Request.

Have a look at a tcpdump of your two use cases, and then make a Policy Set condition where the RADIUS User-Name is one of the deciding factors of which Identity Source you need to use.

 

hope that helps

Arne

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to Bthene

‎08-30-2020 05:01 PM

Ah.. you are correct. The certificate matching conditions are not available at the Policy Set level. Since the Proxy Sequence is configured at the Policy Set level from ISE 2.3+, you will need to use a RADIUS: User-Name matching condition similar to this updated guide:

Configuring eduroam on Cisco Identity Services Engine (ISE) 

 

You will need to ensure that your certificate enrollment uses the User Principal Name (UPN) format for the CN so that the client includes the '@<domain fqdn>' suffix in the RADIUS User-Name value.

Customers Also Viewed These Support Documents