ISE Policy bypass guest redirect using certificates

For my network I want to use a specific certificate to allow browsing on my guest network without the need to go through the guest portal. I have a similar exemption rule in place using a MAB list which works without issue. However, when I add a policy set that looks at the subject cname, I'm not getting any positive results.
Is there an issue using certificate based authentication on an open network? If so, is there a way to request an EAP packet, and if they can't authenticate, take them to the redirect?
Greg Gibbs
Cisco Employee

It sounds like you're trying to perform certificate authentication for Wireless clients on an Open SSID. If that is the case, then no, this cannot be done. Without 802.1x enabled on the SSID and client, the client would not present a certificate so ISE would never see the cert. Hence, your policy set matching condition would not be met.

If you want to use certificates to authenticate 'guest' users, you would need to use a separate 802.1x SSID (possibly mapped to the same logical interface on the WLC) and work out how the client certificates get provisioned and the supplicant gets configured for 802.1x.

This behaviour would be more similar to the ISE BYOD flow than Guest.

Cheers,

Greg

Hi,

You should be able to create an authorization rule that matches certificate parameters above the guest flow rule.

Can you enable endpoint debug on ISE and look at the RADIUS packets received from the NAD to validate the certificate parameters received for authentication?


**** please remember to rate useful posts
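The second reply suggests inspecting the RADIUS packets the NAD sends to ISE. As an added illustration (not code from either reply, from Cisco, or from ISE), the Python below decodes a RADIUS Access-Request and tells a MAB request (Service-Type Call-Check, no EAP-Message attribute) apart from an 802.1X request (EAP-Message present), which is the distinction behind the first reply: a certificate rule has nothing to evaluate on a request that carries no EAP. The attribute numbers are those of RFC 2865 and RFC 3579; the two packets are constructed samples with zeroed authenticators and made-up MAC and identity values.

```python
import struct

# RADIUS attribute types (RFC 2865) and the EAP-Message attribute (RFC 3579)
USER_NAME = 1
SERVICE_TYPE = 6
CALLING_STATION_ID = 31
NAS_PORT_TYPE = 61
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80

SERVICE_TYPE_FRAMED = 2
SERVICE_TYPE_CALL_CHECK = 10     # value a NAD sends for a MAB request
NAS_PORT_TYPE_WIRELESS_80211 = 19
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def build_access_request(identifier, attrs):
    """Assemble a RADIUS Access-Request (code 1) from (type, value) pairs.
    The 16-byte Request Authenticator is zeroed: these are constructed samples
    for offline decoding, not packets meant for a real RADIUS server."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet):
    """Walk the attribute TLVs that follow the 20-byte RADIUS header."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def classify_request(packet):
    """Decide whether a request came from an 802.1X (EAP) or a MAB session.
    An Open SSID never yields EAP-Message attributes, so a rule that looks at
    client-certificate fields cannot match such a request."""
    code, attrs = parse_attributes(packet)
    if code != 1:
        raise ValueError("not an Access-Request")
    by_type = {}
    for a_type, value in attrs:
        by_type.setdefault(a_type, []).append(value)

    def first_text(a_type):
        values = by_type.get(a_type)
        return values[0].decode("ascii", errors="replace") if values else None

    def first_int(a_type):
        values = by_type.get(a_type)
        return struct.unpack("!I", values[0])[0] if values else None

    result = {
        "user_name": first_text(USER_NAME),
        "calling_station_id": first_text(CALLING_STATION_ID),
        "service_type": first_int(SERVICE_TYPE),
        "eap": None,
    }
    fragments = by_type.get(EAP_MESSAGE)
    if fragments:
        # EAP-Message fragments are concatenated in order to rebuild the EAP packet
        eap = b"".join(fragments)
        eap_code, _eap_id, eap_len = struct.unpack("!BBH", eap[:4])
        result["eap"] = {"code": eap_code, "type": eap[4] if eap_len > 4 else None}
        result["method"] = "dot1x"
    elif result["service_type"] == SERVICE_TYPE_CALL_CHECK:
        result["method"] = "mab"
    else:
        result["method"] = "other"
    return result


def can_match_certificate_rule(packet):
    """True only when the request carries EAP, i.e. a certificate could be presented."""
    return classify_request(packet)["method"] == "dot1x"


# Constructed sample 1: MAB request for a made-up MAC address on a wireless port.
MAB_REQUEST = build_access_request(7, [
    (USER_NAME, b"001122334455"),
    (CALLING_STATION_ID, b"00-11-22-33-44-55"),
    (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
    (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
])

# Constructed sample 2: first 802.1X request, carrying an EAP Response/Identity.
_identity = b"guest-device"
_eap_identity = struct.pack("!BBHB", EAP_CODE_RESPONSE, 1, 5 + len(_identity),
                            EAP_TYPE_IDENTITY) + _identity
DOT1X_REQUEST = build_access_request(8, [
    (USER_NAME, _identity),
    (CALLING_STATION_ID, b"00-11-22-33-44-55"),
    (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED)),
    (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
    (EAP_MESSAGE, _eap_identity),
    (MESSAGE_AUTHENTICATOR, bytes(16)),   # placeholder HMAC, not computed here
])

if __name__ == "__main__":
    for name, pkt in (("MAB", MAB_REQUEST), ("802.1X", DOT1X_REQUEST)):
        info = classify_request(pkt)
        print(name, info["method"], info["user_name"], info["eap"])
```

Run it as a script to see both samples decoded; on a real capture, feed the raw UDP payload of an Access-Request to classify_request and check whether "eap" is populated before spending time on the certificate condition in the policy set.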