ISE MACHINE AUTHENTICATION

Hi,

I want to perform 802.1x user authentication together with Machine Authentication using Client Certificates. The problem is with machines that are not in AD. Our policy allows users to bring their own devices as long as they comply with our posture policies. They can have full network access. How do I use certificates to authenticate non-domain computers? User authentication will continue to be AD credentials even for non-AD computers. We have our internal CA server that we use to manually generate client certificates for these non-domain computers.

 

Regards,

Stanslaus.


Re: ISE MACHINE AUTHENTICATION

Hi,

 

For non-domain devices, you can create a Certificate Authentication Profile (CAP) that points to, let's say, the Subject CN field but leave the Identity Store empty (like this, it doesn't fetch an AD to see if the computer exists in one of its groups).

 

Then in the authentication Policy you can create a rule like this:

- If Certificate issuer common name = your CA cert CN, then use the CAP created above.

Of course you can do many combinations in the Authentication Policy to be more granular.

 

I hope this helped.

 

Please rate
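
The rule in the reply above matches on the issuer CN, and the CAP reads the Subject CN as the identity. The following is an added example, not part of the original posts and not ISE code: it uses `openssl` on a constructed CA and client certificate to show the two values being read, and that an issuer CN match is only meaningful together with chain validation against the trusted CA. The names `Example Internal CA` and `byod-laptop-01` and all helper functions are assumptions.

```shell
#!/usr/bin/env bash
# Added example. All certificates and names are constructed sample values.

# Print the CN of the issuer or subject ($1 = issuer|subject) of PEM certificate $2.
cert_cn() {
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 \
    | sed -E 's/^(issuer|subject)= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Build a throwaway CA and one client certificate in directory $1.
make_sample_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Internal CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=byod-laptop-01" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/client.pem" 2>/dev/null
}

# Mirror of the rule: issuer CN must equal the expected CA CN AND the certificate
# must chain to the trusted CA file; only then print the Subject CN as the identity.
# No directory lookup is done, matching a CAP with an empty identity store.
identity_for_cert() {
  ca_pem=$1; cert_pem=$2; expected_issuer_cn=$3
  [ "$(cert_cn issuer "$cert_pem")" = "$expected_issuer_cn" ] || return 1
  openssl verify -CAfile "$ca_pem" "$cert_pem" 2>/dev/null | grep -q ': OK$' || return 1
  cert_cn subject "$cert_pem"
}

demo() {
  tmp=$(mktemp -d)
  mkdir "$tmp/real" "$tmp/lookalike"
  make_sample_pki "$tmp/real"        # the internal CA
  make_sample_pki "$tmp/lookalike"   # a different CA that reuses the same CN
  echo "issuer CN : $(cert_cn issuer "$tmp/real/client.pem")"
  echo "identity  : $(identity_for_cert "$tmp/real/ca.pem" "$tmp/real/client.pem" "Example Internal CA")"
  identity_for_cert "$tmp/real/ca.pem" "$tmp/lookalike/client.pem" "Example Internal CA" \
    || echo "same issuer CN, different CA key: rejected by chain validation"
  rm -rf "$tmp"
}
demo
```

Running `cert_cn issuer` and `cert_cn subject` against a manually issued certificate before enrolling the device confirms the exact strings the policy condition and the CAP will see.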