cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1041
Views
3
Helpful
7
Replies

ISE EAP-TLS wireless queries

manvik
Level 3
Level 3

can someone pls clarify on EAP-TLS authentication in ISE for wireless networks.
1. For EAP-TLS to work is AD certificate store (PKI) mandatory?
2. Can ISE server as PKI when user logs into SSID using AD credentials
3. Is EAP-TLS possible in non-AD joined laptops, users will be logging to SSID using AD credentials
4. Can EAP-TLS done for Azure AD logged in laptops, I saw below link but how to generate user certificates.
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html

this link was saying about generating user certificates for ISE EAP-TLS with wireless.
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213543-configure-eap-tls-flow-with-ise.html#toc-hId--271866854

2 Accepted Solutions

Accepted Solutions

thomas
Cisco Employee
Cisco Employee

> 1. For EAP-TLS to work is AD certificate store (PKI) mandatory?

Absolutely not. ISE can authenticate any certificate simply based on the certificates in the Trusted Certificates store. AD is often the Enterprise CA which may be your confusion. For binary certificate comparison, AD is also required.

> 2. Can ISE server as PKI when user logs into SSID using AD credentials

I do not understand the question. While ISE can be a Certificate Authority, it is meant to do that only for BYOD. it is not meant to be a general purpose CA. All that is needed for wireless auth with AD credentials (username+password) is for the endpoint to trust the ISE certificate.

> 3. Is EAP-TLS possible in non-AD joined laptops, users will be logging to SSID using AD credentials

EAP-TLS has nothing to do with AD unless AD is acting as your CA that provisioned the certificates to the endpoints. EAP-TLS can be used by any endpoint that supports it.  You seem to be confusing certificate authentication (EAP-TLS) with other EAP types that support username+password credentials. EAP-TLS is mutual certificate authentication only.

> 4. Can EAP-TLS done for Azure AD logged in laptops, I saw below link but how to generate user certificates.

ISE can authenticate any endpoint that supports EAP-TLS. Endpoints do not login to Azure AD like regular AD. Azure AD - now Entra ID - is not Active Directory.  You may use Intune to provision certificates to an endpoint for use with ISE.

I recommend you watch

00:00 Intro
02:23 Traditional Active Directory vs Azure Active Directory
05:06 Azure AD Join Types: Registered, Joined, Hybrid Joined
07:00 Intune MDM Enrollment Options
09:08 Windows Autopilot
10:04 Windows Self-Service Out-of-Box Experience (OOBE)
10:42 Azure AD Join & Enrollment
11:48 Azure AD Connect to sync on-premise AD
13:38 Azure AD Join vs Hybrid Join: dsregcmd /status
15:07 Intune Certiificate Connector
15:56 Windows Domain Join & Enrollment (with AAD and Intune)
17:25 Demo: Tour of Azure AD users and groups, UPNs, devices, registration types, Intune (MEM), compliance, Certificate Connector
20:50 Challenge: Transient MACs (dongle/dock)
23:24 Challenge: Random MACs
24:41 ISE 3.1 MDMv3 API and the Globally Unique Identifier (GUID)
26:10 Compliance Check with GUID
27:05 Cisco Field Notice FN-72472: GUID required with Intune after Dec 31, 2022
28:25 EAP-TLS Authentication to AD : computer or user) (traditional 802.1X with AD)
30:06 TEAP(EAP-TLS) Authentication in ISE 2.7+ for computer+user (EAP-Chaining)
33:33 EAP-TLS Authentication with Hybrid AD+Azure Compliance
34:44 EAP-TLS Authentication with Azure Intune Compliance
35:29 EAP-TTLS+PAP Authentication in ISE 3.0 (no GUID for Intune)
36:31 EAP-TLS Authentication with Azure AD Authorization with Intune Compliance in ISE 3.2
38:04 Intune Lab Overview
38:32 Example ISE 3.1 Policies for AD, Azure, and Intune
40:12 Example ISE 3.2 Policies for EAP-TLS with AAD
40:42 Demo: Windows 10 TEAP Authentication and Troubleshooting ⚠Be careful with copy & paste errors due to trailing spaces in Intune policy!
49:33 Demo: MAC Randomization with Surface tablet The live demo failed with a non-compliant status but after the webinar Greg rebooted his surface tablet and it worked perfectly.
53:39 Troubleshooting with ISE external-mdm Log
54:33 Device Enrollment Status with Intune: dsregcmd /status
55:00 References: - Integrate MDM and UEM Servers with Cisco ISE

 

View solution in original post

There are various PKI solutions available, so you would need to identify what PKI solution you intend to use and check the vendor documentation for certificate enrolment options.

ISE is not involved in the certificate enrolment of the endpoint (unless you're talking about the BYOD use case using the ISE Internal CA). For corporate-owned endpoints, the PKI solution would be responsible for enrolling the device and/or user certificate (and trust chain) on the endpoint. As long as the endpoint trusts the server (ISE EAP) certificate and the server trusts the device/user certificate presented, EAP-TLS should work.

If you want to leverage certificate enrolment via Intune (as discussed in my blog) without the use of ADCS, you might check out the SCEPman cloud-based PKI. Microsoft has also recently released their Cloud PKI option, but there is limited documentation and I've see a lot of complaints about how expensive the licensing is.

View solution in original post

7 Replies 7

When we talk about EAP-TLS we don't refer to any username and password authentication. With EAP-TLS the authentication will be done via certificates. ISE can act as an internal PKI server and issue certificates to the users, however, this is done via configuring the BYOD onboarding flow, where the users will be redirected to a portal, and going through an onboarding process, part of that will be issuing a certificate by ISE to the user machine.

On the other hand, ISE can also be configured to negotiate authentication with the users when they have certificates issued by an external PKI, whether it is your AD or any other third-party solution. This will apply to the case of having non-AD joined clients. From ISE perspective as long as it is configured to trust the client certificates that will be presented to it, it would be good with that.

But please keep in mind that EAP-TLS does mutual authentication which means as much as ISE needs to trust the client certificates, the clients need to trust ISE certificate as well. This means that you would need to import into ISE the client certificates issuer chain and also import into the clients ISE certificate issuer chain.

Regarding conditioning the authentication with the user or the machine groups, whether in Azure or on-prem AD, that depends on how you configure ISE certificate authentication profile that will be tied to the interested authentication rule. In the certificate authentication profile you can select the AD join point that you would've already configured in ISE, in that case ISE will check the presented value in the certificate and cross check it against the AD join to ensure that it does exist. ISE can also do a binary check of the certificates presented by the clients but I think this is not something you would see commonly used.

thomas
Cisco Employee
Cisco Employee

> 1. For EAP-TLS to work is AD certificate store (PKI) mandatory?

Absolutely not. ISE can authenticate any certificate simply based on the certificates in the Trusted Certificates store. AD is often the Enterprise CA which may be your confusion. For binary certificate comparison, AD is also required.

> 2. Can ISE server as PKI when user logs into SSID using AD credentials

I do not understand the question. While ISE can be a Certificate Authority, it is meant to do that only for BYOD. it is not meant to be a general purpose CA. All that is needed for wireless auth with AD credentials (username+password) is for the endpoint to trust the ISE certificate.

> 3. Is EAP-TLS possible in non-AD joined laptops, users will be logging to SSID using AD credentials

EAP-TLS has nothing to do with AD unless AD is acting as your CA that provisioned the certificates to the endpoints. EAP-TLS can be used by any endpoint that supports it.  You seem to be confusing certificate authentication (EAP-TLS) with other EAP types that support username+password credentials. EAP-TLS is mutual certificate authentication only.

> 4. Can EAP-TLS done for Azure AD logged in laptops, I saw below link but how to generate user certificates.

ISE can authenticate any endpoint that supports EAP-TLS. Endpoints do not login to Azure AD like regular AD. Azure AD - now Entra ID - is not Active Directory.  You may use Intune to provision certificates to an endpoint for use with ISE.

I recommend you watch

00:00 Intro
02:23 Traditional Active Directory vs Azure Active Directory
05:06 Azure AD Join Types: Registered, Joined, Hybrid Joined
07:00 Intune MDM Enrollment Options
09:08 Windows Autopilot
10:04 Windows Self-Service Out-of-Box Experience (OOBE)
10:42 Azure AD Join & Enrollment
11:48 Azure AD Connect to sync on-premise AD
13:38 Azure AD Join vs Hybrid Join: dsregcmd /status
15:07 Intune Certiificate Connector
15:56 Windows Domain Join & Enrollment (with AAD and Intune)
17:25 Demo: Tour of Azure AD users and groups, UPNs, devices, registration types, Intune (MEM), compliance, Certificate Connector
20:50 Challenge: Transient MACs (dongle/dock)
23:24 Challenge: Random MACs
24:41 ISE 3.1 MDMv3 API and the Globally Unique Identifier (GUID)
26:10 Compliance Check with GUID
27:05 Cisco Field Notice FN-72472: GUID required with Intune after Dec 31, 2022
28:25 EAP-TLS Authentication to AD : computer or user) (traditional 802.1X with AD)
30:06 TEAP(EAP-TLS) Authentication in ISE 2.7+ for computer+user (EAP-Chaining)
33:33 EAP-TLS Authentication with Hybrid AD+Azure Compliance
34:44 EAP-TLS Authentication with Azure Intune Compliance
35:29 EAP-TTLS+PAP Authentication in ISE 3.0 (no GUID for Intune)
36:31 EAP-TLS Authentication with Azure AD Authorization with Intune Compliance in ISE 3.2
38:04 Intune Lab Overview
38:32 Example ISE 3.1 Policies for AD, Azure, and Intune
40:12 Example ISE 3.2 Policies for EAP-TLS with AAD
40:42 Demo: Windows 10 TEAP Authentication and Troubleshooting ⚠Be careful with copy & paste errors due to trailing spaces in Intune policy!
49:33 Demo: MAC Randomization with Surface tablet The live demo failed with a non-compliant status but after the webinar Greg rebooted his surface tablet and it worked perfectly.
53:39 Troubleshooting with ISE external-mdm Log
54:33 Device Enrollment Status with Intune: dsregcmd /status
55:00 References: - Integrate MDM and UEM Servers with Cisco ISE

 

manvik
Level 3
Level 3

Thanks @thomas for the inline answers.

Are there any documentations for - Authenticating Laptops to Wifi using EAP-TLS, credentials will be AD credentials and certificate PKi other than AD certificate server. AD certificate server not available

There are various PKI solutions available, so you would need to identify what PKI solution you intend to use and check the vendor documentation for certificate enrolment options.

ISE is not involved in the certificate enrolment of the endpoint (unless you're talking about the BYOD use case using the ISE Internal CA). For corporate-owned endpoints, the PKI solution would be responsible for enrolling the device and/or user certificate (and trust chain) on the endpoint. As long as the endpoint trusts the server (ISE EAP) certificate and the server trusts the device/user certificate presented, EAP-TLS should work.

If you want to leverage certificate enrolment via Intune (as discussed in my blog) without the use of ADCS, you might check out the SCEPman cloud-based PKI. Microsoft has also recently released their Cloud PKI option, but there is limited documentation and I've see a lot of complaints about how expensive the licensing is.

Hello Greg,

can you please provides the details on what configuration/steps would be required on ISE to use SCEPMan CA to authenticate user via ISE.

From the ISE perspective, SCEPman would be no different than using any other CA.

Configure EAP-TLS Authentication with ISE 

Our On-prem CA EAP-TLS is already working.

Now they are moving CA service to cloud SCEPMan, challenge here is SCEPMan team is saying there is no need to have ISE CSR signed by SCEPMan. where as for onprem CA we had ISE CSR signed by CA to form trust between client - ISE - CA for EAP-TLS.

Can you help in understanding how EAP-TLS will work if ISE EAP certificate is not signed by SCEPMan. ?