ISE Policy bypass guest redirect using certificates

For my network I want to use a specific certificate to allow browsing on my guest network without the need to go through the guest portal. I have a similar exemption rule in place using a MAB list which works without issue. However, when I add a policy set that looks at the subject cname, I'm not getting any positive results.

Is there an issue using certificate based authentication on an open network? If so, is there a way to request an EAP packet, and if they can't authenticate, take them to the redirect?

2 Replies

Cisco Employee

Re: ISE Policy bypass guest redirect using certificates

It sounds like you're trying to perform certificate authentication for Wireless clients on an Open SSID. If that is the case, then no, this cannot be done. Without 802.1x enabled on the SSID and client, the client would not present a certificate so ISE would never see the cert. Hence, your policy set matching condition would not be met.

If you want to use certificates to authenticate 'guest' users, you would need to use a separate 802.1x SSID (possibly mapped to the same logical interface on the WLC) and work out how the client certificates get provisioned and the supplicant gets configured for 802.1x.

This behaviour would be more similar to the ISE BYOD flow than Guest.

Cheers,

Greg

VIP Advisor

Re: ISE Policy bypass guest redirect using certificates

Hi,

You should be able to create an authorization rule to match certificate
parameters above the rule for the guest flow.

Can you enable endpoint debug on ISE and look at the RADIUS packets
received from the NAD to validate the certificate parameters received for
authentication?

**** please remember to rate useful posts
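The second reply suggests looking at the RADIUS packets the NAD sends to ISE. The following is an added example, not code from this thread or from Cisco: it builds two constructed RADIUS Access-Request packets (a MAB request from an open SSID and an EAP/802.1X request), decodes the attribute TLVs per RFC 2865/3579, and reports whether the request carries an EAP exchange at all. A request with no EAP-Message attribute can never deliver a client certificate to ISE, which is the reason the certificate-matching rule in the question is never hit. MAC addresses, hostnames and identifiers are constructed sample values; the authenticator field is zeroed because no shared secret is involved here.

```python
import struct

# RADIUS attribute type codes (RFC 2865, RFC 3579) and the values used below
USER_NAME = 1
SERVICE_TYPE = 6
CALLING_STATION_ID = 31
NAS_PORT_TYPE = 61
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
SERVICE_TYPE_CALL_CHECK = 10          # Service-Type value NADs send for MAB
NAS_PORT_TYPE_WIRELESS_80211 = 19
ACCESS_REQUEST = 1


def build_access_request(attrs, identifier=1):
    """Assemble an Access-Request from (type, value bytes) pairs.
    Constructed sample only: the 16-byte Request Authenticator is zeroed."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet):
    """Decode the RADIUS header and attribute TLVs; reject truncated or malformed input."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("dangling attribute header")
        t, l = struct.unpack("!BB", packet[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute length")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, attrs


def classify_request(packet):
    """Decide whether the NAD is relaying an EAP conversation (802.1X) or doing MAB.
    Only an EAP conversation can carry a client certificate to ISE."""
    _code, attrs = parse_attributes(packet)
    by_type = {}
    for t, v in attrs:
        by_type.setdefault(t, []).append(v)
    has_eap = EAP_MESSAGE in by_type
    svc = by_type.get(SERVICE_TYPE)
    is_call_check = bool(svc) and len(svc[0]) == 4 and struct.unpack("!I", svc[0])[0] == SERVICE_TYPE_CALL_CHECK
    if has_eap:
        method = "802.1X"
    elif is_call_check:
        method = "MAB"
    else:
        method = "other"
    return {
        "auth_method": method,
        "can_match_certificate": has_eap,
        "username": by_type.get(USER_NAME, [b""])[0].decode(errors="replace"),
        "calling_station_id": by_type.get(CALLING_STATION_ID, [b""])[0].decode(errors="replace"),
    }


# Constructed sample 1: MAB from an open SSID. User-Name is the MAC, no EAP-Message.
MAB_REQUEST = build_access_request([
    (USER_NAME, b"00-11-22-33-44-55"),
    (CALLING_STATION_ID, b"00-11-22-33-44-55"),
    (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
    (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
])

# Constructed sample 2: first leg of an 802.1X session, carrying an EAP Response/Identity.
_identity = b"host/laptop01.example.test"
_eap_identity = struct.pack("!BBH", 2, 1, 5 + len(_identity)) + b"\x01" + _identity
DOT1X_REQUEST = build_access_request([
    (USER_NAME, _identity),
    (CALLING_STATION_ID, b"66-77-88-99-AA-BB"),
    (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
    (EAP_MESSAGE, _eap_identity),
    (MESSAGE_AUTHENTICATOR, bytes(16)),
], identifier=2)

if __name__ == "__main__":
    for name, pkt in (("open SSID / MAB", MAB_REQUEST), ("802.1X SSID", DOT1X_REQUEST)):
        print(name, classify_request(pkt))
```

Run the same decode over a real capture between the WLC and ISE (or the endpoint debug the reply mentions) and the absence of EAP-Message on the open SSID shows immediately why a subject-based rule cannot match there; on the 802.1X SSID the certificate itself only appears later, inside the EAP-TLS fragments, not as a plain RADIUS attribute.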