Solved: Re: ISE Issue

rshehov · ‎10-25-2018

Hi team,

We get our laptops built at Dell and then shipped directly to the user. The computer will have a computer certificate issued through group policy when it is domain joined but it won't have a user certificate as the user has never logged on. There is an requirement that the user might never log on initially on a wired connection. Our preferred choice of authentication is EAP-TLS which connects and authenticates on wireless flawlessly but we have an issue when it comes to initial user authentication over wireless, as there is no user certificate to build the EAP tunnel.

We use Windows Single sign on which allows enough time for the users details to be pulled from AD but then the network drops to reauthenticate on the user connection before group policy gets to pull the user certificate from our internal PKI.

I have tried having a second SSID restricted to Active Directory authentication only using MSHAPv2, for the user to fall back onto after failing on the EAP-TLS network, so that the user account pulls a certificate but…. There is no way to kick off group policy without a manual script/intervention after connecting, as it has already failed on the initial EAP-TLS connection attempt.

Do we have a solution to the issue below without customer buying AnyConnect for every single laptop ?

Many thanks for your input in advance.

Ross

howon · ‎10-25-2018

Have you considered having different GPO for the PC. Not sure if the PC is joined to the domain from Dell or your IT, but have it join the initial OU with GPO which forces machine only authentication for the SSID. Once user receives the PC and logs on and gets the certificate you can script to move the PC to proper OU with different GPO which forces user and machine authentication for the SSID. If logon scrip is not feasible you could simply have automated script on AD to move the OU for any PC after 30 days which gives enough time for the end user to login.

Other option may be to have user connect to open/guest SSID, where when employee user logs into open/guest SSID, instead of providing Internet access, redirect the user to a page with simple instructions/script on forcing GPO update while on guest SSID to get the certificate provisioned.

View solution in original post

hslai · ‎10-25-2018

I am no expert on Microsoft products but I remember that the group policy refreshed after an OS reboot so I would recommend that after the user certificates provisioned at the PEAP-MSCHAPv2 wireless connection.

packetplumber9 · ‎10-25-2018

I think there are several good options for tackling this chicken vs egg problem, a people or process fix, and others technical solutions. Personally I think the people process is best but it depends on your organization if it's feasible.

So the "soft" fix I have used in the past is that when new hardware arrives the users log into the machine on the wire in the presence of an IT person for the initial setup. Usually a help desk person is helping them get everything moved to the new computer if they are an existing employee or giving training if they are a new hire so it's not that much of a change, just the IT technician needs to know that the initial logon happens on a wired connection. I've seen it just added to the process document for new asset deployments, or the new hire process checklist.

The technical fixes I have seen quite a few like this one:

https://community.cisco.com/t5/policy-and-access/ise-2-0-eap-tls-user-certificate-auto-enrollment-issue-over-the/td-p/3039266

howon · ‎10-25-2018

Have you considered having different GPO for the PC. Not sure if the PC is joined to the domain from Dell or your IT, but have it join the initial OU with GPO which forces machine only authentication for the SSID. Once user receives the PC and logs on and gets the certificate you can script to move the PC to proper OU with different GPO which forces user and machine authentication for the SSID. If logon scrip is not feasible you could simply have automated script on AD to move the OU for any PC after 30 days which gives enough time for the end user to login.

Other option may be to have user connect to open/guest SSID, where when employee user logs into open/guest SSID, instead of providing Internet access, redirect the user to a page with simple instructions/script on forcing GPO update while on guest SSID to get the certificate provisioned.