ISE MACHINE AUTHENTICATION

Hi,

I want to perform 802.1X user authentication together with machine authentication using client certificates. The problem is with machines that are not in AD. Our policy allows users to bring their own devices as long as they comply with our posture policies. They can have full network access. How do I use certificates to authenticate non-domain computers? User authentication will continue to be AD credentials even for non-AD computers. We have our internal CA server that we use to manually generate client certificates for these non-domain computers.

 

Regards,

Stanslaus.

1 Reply

bern81
Level 1
Hi,

 

For non-domain devices, you can create a Certificate Authentication Profile (CAP) that points to, let's say, the Subject CN field but leave the identity store empty (this way it doesn't query AD to see if the computer exists in one of its groups).

 

Then in the authentication Policy you can create a rule like this:

- If Certificate issuer common name = your CA cert CN, then use the CAP created above.

Of course, you can do many combinations in the authentication policy to be more granular.

 

I hope this helped.

 

Please rate
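
An added example, not part of the reply above or of any Cisco tooling: because the rule matches on the issuer CN and the CAP takes the identity from the Subject CN, this shell script checks both fields on a manually issued client certificate before it goes onto a non-domain device. It also verifies the signature chain against the internal CA file, since an issuer CN is only a name. The function names, file arguments and CN values are assumptions, and it needs the `openssl` CLI.

```shell
#!/bin/sh
# Added example (not from the thread). Pre-import check for a manually issued
# BYOD client certificate. File names and CN values are supplied by the caller.

# Print the last commonName of the issuer or subject.
# $1 = PEM file, $2 = "issuer" or "subject"
cert_cn() {
    openssl x509 -in "$1" -noout -nameopt multiline "-$2" 2>/dev/null |
        sed -n 's/^ *commonName *= *//p' | tail -n 1
}

# check_byod_cert CLIENT_PEM CA_PEM EXPECTED_ISSUER_CN
# Returns 0 and prints the Subject CN (the identity a CAP keyed on Subject CN
# would use) only if every check passes.
check_byod_cert() {
    client=$1; ca=$2; want_issuer=$3

    # 1. Signature chain and client-auth suitability against the internal CA.
    if ! openssl verify -purpose sslclient -CAfile "$ca" "$client" 2>/dev/null |
            grep -q ': OK$'; then
        echo "FAIL: $client does not chain to $ca for client auth" >&2
        return 1
    fi

    # 2. Issuer CN must equal the string the authentication rule compares.
    issuer=$(cert_cn "$client" issuer)
    if [ "$issuer" != "$want_issuer" ]; then
        echo "FAIL: issuer CN '$issuer' != '$want_issuer'" >&2
        return 2
    fi

    # 3. Subject CN must be present, since the CAP takes the identity from it.
    subject=$(cert_cn "$client" subject)
    if [ -z "$subject" ]; then
        echo "FAIL: empty Subject CN" >&2
        return 3
    fi
    printf '%s\n' "$subject"
}

# Run as: sh check_byod_cert.sh client.pem ca.pem "Issuer CN"
if [ "$#" -eq 3 ]; then
    check_byod_cert "$@"
fi
```
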
