Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
507
Views
3
Helpful
4
Replies

ISE EAP-TLS wireless queries

Go to solution
manvik
Level 3
Level 3

‎02-02-2024 10:34 PM

can someone pls clarify on EAP-TLS authentication in ISE for wireless networks.
1. For EAP-TLS to work is AD certificate store (PKI) mandatory?
2. Can ISE server as PKI when user logs into SSID using AD credentials
3. Is EAP-TLS possible in non-AD joined laptops, users will be logging to SSID using AD credentials
4. Can EAP-TLS done for Azure AD logged in laptops, I saw below link but how to generate user certificates.
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html

this link was saying about generating user certificates for ISE EAP-TLS with wireless.
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213543-configure-eap-tls-flow-with-ise.html#toc-hId--271866854

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
thomas
Cisco Employee
Cisco Employee

‎02-10-2024 12:07 AM

> 1. For EAP-TLS to work is AD certificate store (PKI) mandatory?

Absolutely not. ISE can authenticate any certificate simply based on the certificates in the Trusted Certificates store. AD is often the Enterprise CA which may be your confusion. For binary certificate comparison, AD is also required.

> 2. Can ISE server as PKI when user logs into SSID using AD credentials

I do not understand the question. While ISE can be a Certificate Authority, it is meant to do that only for BYOD. it is not meant to be a general purpose CA. All that is needed for wireless auth with AD credentials (username+password) is for the endpoint to trust the ISE certificate.

> 3. Is EAP-TLS possible in non-AD joined laptops, users will be logging to SSID using AD credentials

EAP-TLS has nothing to do with AD unless AD is acting as your CA that provisioned the certificates to the endpoints. EAP-TLS can be used by any endpoint that supports it.  You seem to be confusing certificate authentication (EAP-TLS) with other EAP types that support username+password credentials. EAP-TLS is mutual certificate authentication only.

> 4. Can EAP-TLS done for Azure AD logged in laptops, I saw below link but how to generate user certificates.

ISE can authenticate any endpoint that supports EAP-TLS. Endpoints do not login to Azure AD like regular AD. Azure AD - now Entra ID - is not Active Directory.  You may use Intune to provision certificates to an endpoint for use with ISE.

I recommend you watch

00:00 Intro
02:23 Traditional Active Directory vs Azure Active Directory
05:06 Azure AD Join Types: Registered, Joined, Hybrid Joined
07:00 Intune MDM Enrollment Options
09:08 Windows Autopilot
10:04 Windows Self-Service Out-of-Box Experience (OOBE)
10:42 Azure AD Join & Enrollment
11:48 Azure AD Connect to sync on-premise AD
13:38 Azure AD Join vs Hybrid Join: dsregcmd /status
15:07 Intune Certiificate Connector
15:56 Windows Domain Join & Enrollment (with AAD and Intune)
17:25 Demo: Tour of Azure AD users and groups, UPNs, devices, registration types, Intune (MEM), compliance, Certificate Connector
20:50 Challenge: Transient MACs (dongle/dock)
23:24 Challenge: Random MACs
24:41 ISE 3.1 MDMv3 API and the Globally Unique Identifier (GUID)
26:10 Compliance Check with GUID
27:05 Cisco Field Notice FN-72472: GUID required with Intune after Dec 31, 2022
28:25 EAP-TLS Authentication to AD : computer or user) (traditional 802.1X with AD)
30:06 TEAP(EAP-TLS) Authentication in ISE 2.7+ for computer+user (EAP-Chaining)
33:33 EAP-TLS Authentication with Hybrid AD+Azure Compliance
34:44 EAP-TLS Authentication with Azure Intune Compliance
35:29 EAP-TTLS+PAP Authentication in ISE 3.0 (no GUID for Intune)
36:31 EAP-TLS Authentication with Azure AD Authorization with Intune Compliance in ISE 3.2
38:04 Intune Lab Overview
38:32 Example ISE 3.1 Policies for AD, Azure, and Intune
40:12 Example ISE 3.2 Policies for EAP-TLS with AAD
40:42 Demo: Windows 10 TEAP Authentication and Troubleshooting ⚠Be careful with copy & paste errors due to trailing spaces in Intune policy!
49:33 Demo: MAC Randomization with Surface tablet The live demo failed with a non-compliant status but after the webinar Greg rebooted his surface tablet and it worked perfectly.
53:39 Troubleshooting with ISE external-mdm Log
54:33 Device Enrollment Status with Intune: dsregcmd /status
55:00 References: - Integrate MDM and UEM Servers with Cisco ISE

 

View solution in original post

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to manvik

‎02-11-2024 01:04 PM

There are various PKI solutions available, so you would need to identify what PKI solution you intend to use and check the vendor documentation for certificate enrolment options.

ISE is not involved in the certificate enrolment of the endpoint (unless you're talking about the BYOD use case using the ISE Internal CA). For corporate-owned endpoints, the PKI solution would be responsible for enrolling the device and/or user certificate (and trust chain) on the endpoint. As long as the endpoint trusts the server (ISE EAP) certificate and the server trusts the device/user certificate presented, EAP-TLS should work.

If you want to leverage certificate enrolment via Intune (as discussed in my blog) without the use of ADCS, you might check out the SCEPman cloud-based PKI. Microsoft has also recently released their Cloud PKI option, but there is limited documentation and I've see a lot of complaints about how expensive the licensing is.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Aref Alsouqi
VIP
VIP

‎02-03-2024 10:04 AM

When we talk about EAP-TLS we don't refer to any username and password authentication. With EAP-TLS the authentication will be done via certificates. ISE can act as an internal PKI server and issue certificates to the users, however, this is done via configuring the BYOD onboarding flow, where the users will be redirected to a portal, and going through an onboarding process, part of that will be issuing a certificate by ISE to the user machine.

On the other hand, ISE can also be configured to negotiate authentication with the users when they have certificates issued by an external PKI, whether it is your AD or any other third-party solution. This will apply to the case of having non-AD joined clients. From ISE perspective as long as it is configured to trust the client certificates that will be presented to it, it would be good with that.

But please keep in mind that EAP-TLS does mutual authentication which means as much as ISE needs to trust the client certificates, the clients need to trust ISE certificate as well. This means that you would need to import into ISE the client certificates issuer chain and also import into the clients ISE certificate issuer chain.

Regarding conditioning the authentication with the user or the machine groups, whether in Azure or on-prem AD, that depends on how you configure ISE certificate authentication profile that will be tied to the interested authentication rule. In the certificate authentication profile you can select the AD join point that you would've already configured in ISE, in that case ISE will check the presented value in the certificate and cross check it against the AD join to ensure that it does exist. ISE can also do a binary check of the certificates presented by the clients but I think this is not something you would see commonly used.

Go to solution
thomas
Cisco Employee
Cisco Employee

‎02-10-2024 12:07 AM

> 1. For EAP-TLS to work is AD certificate store (PKI) mandatory?

Absolutely not. ISE can authenticate any certificate simply based on the certificates in the Trusted Certificates store. AD is often the Enterprise CA which may be your confusion. For binary certificate comparison, AD is also required.

> 2. Can ISE server as PKI when user logs into SSID using AD credentials

I do not understand the question. While ISE can be a Certificate Authority, it is meant to do that only for BYOD. it is not meant to be a general purpose CA. All that is needed for wireless auth with AD credentials (username+password) is for the endpoint to trust the ISE certificate.

> 3. Is EAP-TLS possible in non-AD joined laptops, users will be logging to SSID using AD credentials

EAP-TLS has nothing to do with AD unless AD is acting as your CA that provisioned the certificates to the endpoints. EAP-TLS can be used by any endpoint that supports it.  You seem to be confusing certificate authentication (EAP-TLS) with other EAP types that support username+password credentials. EAP-TLS is mutual certificate authentication only.

> 4. Can EAP-TLS done for Azure AD logged in laptops, I saw below link but how to generate user certificates.

ISE can authenticate any endpoint that supports EAP-TLS. Endpoints do not login to Azure AD like regular AD. Azure AD - now Entra ID - is not Active Directory.  You may use Intune to provision certificates to an endpoint for use with ISE.

I recommend you watch

00:00 Intro
02:23 Traditional Active Directory vs Azure Active Directory
05:06 Azure AD Join Types: Registered, Joined, Hybrid Joined
07:00 Intune MDM Enrollment Options
09:08 Windows Autopilot
10:04 Windows Self-Service Out-of-Box Experience (OOBE)
10:42 Azure AD Join & Enrollment
11:48 Azure AD Connect to sync on-premise AD
13:38 Azure AD Join vs Hybrid Join: dsregcmd /status
15:07 Intune Certiificate Connector
15:56 Windows Domain Join & Enrollment (with AAD and Intune)
17:25 Demo: Tour of Azure AD users and groups, UPNs, devices, registration types, Intune (MEM), compliance, Certificate Connector
20:50 Challenge: Transient MACs (dongle/dock)
23:24 Challenge: Random MACs
24:41 ISE 3.1 MDMv3 API and the Globally Unique Identifier (GUID)
26:10 Compliance Check with GUID
27:05 Cisco Field Notice FN-72472: GUID required with Intune after Dec 31, 2022
28:25 EAP-TLS Authentication to AD : computer or user) (traditional 802.1X with AD)
30:06 TEAP(EAP-TLS) Authentication in ISE 2.7+ for computer+user (EAP-Chaining)
33:33 EAP-TLS Authentication with Hybrid AD+Azure Compliance
34:44 EAP-TLS Authentication with Azure Intune Compliance
35:29 EAP-TTLS+PAP Authentication in ISE 3.0 (no GUID for Intune)
36:31 EAP-TLS Authentication with Azure AD Authorization with Intune Compliance in ISE 3.2
38:04 Intune Lab Overview
38:32 Example ISE 3.1 Policies for AD, Azure, and Intune
40:12 Example ISE 3.2 Policies for EAP-TLS with AAD
40:42 Demo: Windows 10 TEAP Authentication and Troubleshooting ⚠Be careful with copy & paste errors due to trailing spaces in Intune policy!
49:33 Demo: MAC Randomization with Surface tablet The live demo failed with a non-compliant status but after the webinar Greg rebooted his surface tablet and it worked perfectly.
53:39 Troubleshooting with ISE external-mdm Log
54:33 Device Enrollment Status with Intune: dsregcmd /status
55:00 References: - Integrate MDM and UEM Servers with Cisco ISE

 

Go to solution
manvik
Level 3
Level 3

‎02-10-2024 01:38 AM

Thanks @thomas for the inline answers.

Are there any documentations for - Authenticating Laptops to Wifi using EAP-TLS, credentials will be AD credentials and certificate PKi other than AD certificate server. AD certificate server not available

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to manvik

‎02-11-2024 01:04 PM

There are various PKI solutions available, so you would need to identify what PKI solution you intend to use and check the vendor documentation for certificate enrolment options.

ISE is not involved in the certificate enrolment of the endpoint (unless you're talking about the BYOD use case using the ISE Internal CA). For corporate-owned endpoints, the PKI solution would be responsible for enrolling the device and/or user certificate (and trust chain) on the endpoint. As long as the endpoint trusts the server (ISE EAP) certificate and the server trusts the device/user certificate presented, EAP-TLS should work.

If you want to leverage certificate enrolment via Intune (as discussed in my blog) without the use of ADCS, you might check out the SCEPman cloud-based PKI. Microsoft has also recently released their Cloud PKI option, but there is limited documentation and I've see a lot of complaints about how expensive the licensing is.

0 Helpful
Customers Also Viewed These Support Documents