ISE - getting user identity using certificate authentication from machine certificates

cisco2020 (Level 1)

At the moment we are doing EAP-TLS with machine-based certificate authentication. As such, in the ISE RADIUS live logs we see the machine name. There is a requirement to do user-based firewall policies on Palo Alto with the RADIUS log information passed from ISE. Since we are using machine certificates, it doesn't seem this will work without switching over to user certificates for EAP-TLS. Is my understanding correct? Or is there a trick to get the user identity information for these types of authentication? I ask because a user will log in to Windows using their AD account, so even though auth is done with the machine certificate, is there a way for ISE to see the Windows login account?

This is what we see in the radius live logs, showing the machine name for identity.

[Screenshot: Screen Shot 2020-04-01 at 2.59.33 pm.jpg (ISE RADIUS live logs with the machine name in the Identity column)]

Accepted Solution

Arne Bier (VIP)

You are already using 802.1X, but perhaps there is a way to leverage the ISE EasyConnect feature (read about it here) to link ISE to AD, and when a user has logged in, a WMI event is sent to ISE (which should also be available as syslog that your Palo Alto can consume).

Doing machine + user auth using the native Windows supplicant is also possible, but it's fraught with issues/limitations around switching between wired/wireless, machines waking up from sleep, the MAR cache, etc. All these issues are apparently resolved with TEAP (Tunneled EAP); it's available in ISE 2.7 and Windows 10 Insider Preview.

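The answer above describes a passive-identity chain: the 802.1X session only tells you which machine holds an IP, and the AD logon event tells you which user is on that machine; the two have to be joined before a firewall can apply a user-based policy. The following is an added example (not ISE, EasyConnect or Palo Alto code, and not from the original thread) of that join, written over constructed, simplified key=value records: a RADIUS accounting feed keyed by the machine-certificate identity, and an AD logon/logoff feed keyed by hostname. Real ISE syslog and WMI event fields differ from these assumed formats, and the example assumes one interactive user per host.

```python
"""Join 802.1X machine-certificate sessions with AD logon events to get IP -> user.

Hypothetical example. Record formats, hostnames, IPs and user names are
constructed for this demonstration; they are not real ISE or AD output.
"""
import re
from typing import Dict, List

# Constructed sample records. First token: timestamp, second: source, then key=value pairs.
ISE_ACCOUNTING: List[str] = [
    "2020-04-01T09:00:01 ISE Acct-Status-Type=Start UserName=host/LAPTOP01.corp.example "
    "Framed-IP-Address=10.1.20.15 Calling-Station-ID=00-11-22-33-44-55",
    "2020-04-01T09:00:05 ISE Acct-Status-Type=Start UserName=host/LAPTOP02.corp.example "
    "Framed-IP-Address=10.1.20.16 Calling-Station-ID=00-11-22-33-44-66",
    "2020-04-01T17:30:00 ISE Acct-Status-Type=Stop UserName=host/LAPTOP01.corp.example "
    "Framed-IP-Address=10.1.20.15 Calling-Station-ID=00-11-22-33-44-55",
]
AD_LOGONS: List[str] = [
    "2020-04-01T09:02:10 AD EventType=Logon Domain=CORP User=jdoe Host=LAPTOP01.corp.example",
    # Logon on a host that has no 802.1X session: there is no IP to map it to.
    "2020-04-01T09:03:00 AD EventType=Logon Domain=CORP User=asmith Host=LAPTOP99.corp.example",
]

KV_RE = re.compile(r"(\S+?)=(\S+)")


def parse_record(line: str):
    """Split '<ts> <source> k=v k=v ...' into (ts, source, {k: v})."""
    ts, source, rest = line.split(" ", 2)
    return ts, source, dict(KV_RE.findall(rest))


def normalize_host(identity: str) -> str:
    """Map the ways a machine shows up ('host/LAPTOP01.corp.example', 'LAPTOP01$',
    'laptop01') onto one lowercase short name so the two feeds can be joined."""
    name = identity.split("/", 1)[-1]      # drop the 'host/' prefix of a machine cert
    name = name.rstrip("$")                # drop the SAM machine-account suffix
    return name.split(".", 1)[0].lower()   # short name, case-insensitive


class IdentityMap:
    """Tracks active 802.1X sessions (host -> IP) and AD logons (host -> user)."""

    def __init__(self) -> None:
        self.session_ip: Dict[str, str] = {}
        self.logged_on: Dict[str, str] = {}

    def ingest(self, line: str) -> None:
        _ts, source, f = parse_record(line)
        if source == "ISE":
            host = normalize_host(f["UserName"])
            if f.get("Acct-Status-Type") == "Start":
                self.session_ip[host] = f["Framed-IP-Address"]
            elif f.get("Acct-Status-Type") == "Stop":
                # Session ended: the IP may be handed to another device, so the
                # user mapping must go with it rather than linger.
                self.session_ip.pop(host, None)
        elif source == "AD":
            host = normalize_host(f["Host"])
            if f.get("EventType") == "Logon":
                self.logged_on[host] = f"{f['Domain']}\\{f['User']}"
            elif f.get("EventType") == "Logoff":
                self.logged_on.pop(host, None)

    def ip_to_user(self) -> Dict[str, str]:
        """A mapping exists only where a host has BOTH an active session and a logon.
        Machine-only sessions (no user yet) and logons on unauthenticated hosts are left out."""
        return {ip: self.logged_on[host]
                for host, ip in self.session_ip.items() if host in self.logged_on}


def replay(lines: List[str]) -> IdentityMap:
    """Feed records in timestamp order (ISO timestamps lead each line, so a plain sort works)."""
    m = IdentityMap()
    for line in sorted(lines):
        m.ingest(line)
    return m


if __name__ == "__main__":
    live = IdentityMap()
    for rec in ISE_ACCOUNTING[:2] + AD_LOGONS:
        live.ingest(rec)
    print("during the day:", live.ip_to_user())
    print("after the Stop record:", replay(ISE_ACCOUNTING + AD_LOGONS).ip_to_user())
```

The dictionary returned by `ip_to_user()` is the IP-to-user table a firewall's user-identification feature consumes; how it is pushed to the firewall is outside this example. The two deliberate gaps matter for policy correctness: a machine that authenticated but has nobody logged on gets no user mapping (it should hit machine-level rules only), and a mapping is dropped the moment the RADIUS accounting Stop arrives so that a reassigned IP does not inherit the previous user's access.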

2 Replies


cisco2020 (Level 1)

Hi @Arne Bier, I wasn't aware of EasyConnect, but it is definitely something that would work for us as an alternative. Thanks for the suggestion! Yeah, I didn't plan on trying with the Windows supplicant.