Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1409
Views
5
Helpful
2
Replies

ISE - getting user identity using certificate authentication from machine certificates

Go to solution
cisco2020
Level 1
Level 1

‎04-29-2020 08:49 AM

At the moment we are doing EAP-TLS with machine based certificate authentication. As such in ISE radius live logs we see the machine name. There is a requirement to do user based firewall policies on Palo Alto with the radius log information passed from ISE. Since we are using machine certificates, it doesn't seem this will work without switching over to user certificates for EAP-TLS. Is my understanding correct? Or is there a trick to get the user identity information for these type of authentications? I ask because a user will login to windows using their AD account, so even though auth is done with the machine certificate, is there a way for ISE to see the windows login account?

This is what we see in the radius live logs, showing the machine name for identity.

Screen Shot 2020-04-01 at 2.59.33 pm.jpg

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎04-29-2020 03:36 PM

You are already using 802.1X, but perhaps there is a way to leverage ISE EasyConnect feature (read about it here) to link ISE to AD, and when user has logged in, then a WMI event is sent to ISE (which should also be available as a SYSLOG that your Palo Alto can consume).

Doing Machine + UserAuth using the native Windows Supplicant is also possible - but it's fraught with issues/limitations about switching between wired/wireless, and machines waking up from sleep, MAR cache, etc. All these issues are apparently resolved with TEAP (Tunneled EAP) - it's available in ISE 2.7 and Windows 10 Insider Preview. 

View solution in original post

2 Replies 2

Go to solution
Arne Bier
VIP
VIP

‎04-29-2020 03:36 PM

You are already using 802.1X, but perhaps there is a way to leverage ISE EasyConnect feature (read about it here) to link ISE to AD, and when user has logged in, then a WMI event is sent to ISE (which should also be available as a SYSLOG that your Palo Alto can consume).

Doing Machine + UserAuth using the native Windows Supplicant is also possible - but it's fraught with issues/limitations about switching between wired/wireless, and machines waking up from sleep, MAR cache, etc. All these issues are apparently resolved with TEAP (Tunneled EAP) - it's available in ISE 2.7 and Windows 10 Insider Preview. 

Go to solution
cisco2020
Level 1
Level 1

‎04-29-2020 10:33 PM

Hi @Arne Bier,  I wasn't aware of EasyConnect, but definitely something that would work for us as an alternative. Thanks for the suggestion! Yeah didn't plan on trying with the windows supplicant.

0 Helpful
Customers Also Viewed These Support Documents