
ISE - Wireless Certificate Authentication with AD

smil3r050
Level 1

Hello,


I have looked at various guides and can't seem to find any guides that fits (or even that I can change to suit my needs) what I require from ISE. I know ISE is very flexible but I am still struggling to see if it is possible...


I have a requirement to have a wireless SSID configured, which requires a certificate to be present on a client PC to authenticate. So it would go something like this:


To successfully authenticate, you must have the certificate & provide correct AD credentials.

To successfully be authorized, you must be a member of a particular AD security group.


I've managed to configure the whole system fine, except for the certificate check. Even when I think I've set it up correctly, I am still able to connect to the wireless network from a device that does not contain the certificate.


My authentication policy matches the WLC IP address, the SSID & the network access type and has a result which points to an 'Identity Source Sequence'. This is configured for certificate authentication and points to a CAP.


The Windows client has the certificate installed, the 'authentication' settings on the wireless network have been configured to use PEAP & certificate etc.


If I check the RADIUS live logs after attempting to connect, it matches the correct authentication rule and if I leave the PEAP settings on the Windows client, it will connect. If I disable the PEAP settings on the Windows client and attempt to connect, I get a certificate warning but if I click 'accept' then it will let me connect anyway! What am I missing here to force it so that without the certificate, you fail authentication...?

2 Accepted Solutions

Surendra
Cisco Employee
I am assuming that you have a certificate issued for the machine and your requirement is to check this certificate along with the credentials provided by the user.

Based on the assumption above, with the Windows Native Supplicant, you simply cannot achieve this because you cannot define separate methods for machine and user authentication using windows native supplicant. However, if you use AnyConnect Network Access Manager, you can achieve this pretty easily.

If you are talking about having to check user certificate and the user credentials at the same time, it simply is not possible with any supplicant.


If you need to do machine and user then you can rely upon perhaps machine cert and then redirecting users 1x a day to a webauth portal? Perhaps using SAML SSO?


8 Replies

ognyan.totev
Level 5

Hi, you can change PEAP to smart card or certificate. One more thing: are you using a user certificate, a machine certificate, or both? In my deployment I disable PEAP MS in Allowed Protocols and allow only EAP-TLS. In that case only a machine with a valid certificate can move to authorization.

Hi,


Thanks for the reply.


If I disable PEAP / MSCHAP in Allowed Protocols, will that still allow me to provide an AD username & password, as well as the cert for authentication?


Thanks!

No, it will not, that's why I asked you what you use. In my deployment I use machine certificates and I do not use AD usernames and passwords.


What is your example of using AD username/password and certs?

Are you wanting to do machine cert and then user creds?

Jason Kunst
Cisco Employee
In your authorization rule you can say if eap-tls then permit access. Have you tried that?

An example of such a rule can be seen in the BYOD guide:

https://community.cisco.com/t5/security-documents/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867
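As an added illustration (my own toy model, not ISE code and not from the guide linked above), here is the decision that both ognyan's and Jason's answers describe: while PEAP-MSCHAPv2 stays in Allowed Protocols, a device with no certificate but valid AD credentials is permitted; removing PEAP from Allowed Protocols, or adding an EAP-TLS condition to the authorization rule, closes that gap. The group name, client names and attempt records are constructed.

```python
"""Toy model of the ISE authentication/authorization decision discussed in this
thread. Added example, not ISE's logic or Cisco's code."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Attempt:
    """One connection attempt, shaped like a RADIUS live-log entry (constructed)."""
    client: str
    eap_method: str          # "PEAP-MSCHAPv2" or "EAP-TLS"
    has_valid_cert: bool     # client cert present and chaining to the trusted CA
    ad_creds_ok: bool        # inner MSCHAPv2 credentials verified against AD
    ad_groups: set[str] = field(default_factory=set)


def authenticate(attempt: Attempt, allowed_protocols: set[str]) -> bool:
    """Authentication phase: the EAP method must be in Allowed Protocols and its
    credential must verify. PEAP-MSCHAPv2 validates a password, never a client cert."""
    if attempt.eap_method not in allowed_protocols:
        return False
    if attempt.eap_method == "EAP-TLS":
        return attempt.has_valid_cert
    if attempt.eap_method == "PEAP-MSCHAPv2":
        return attempt.ad_creds_ok
    return False


def authorize(attempt: Attempt, require_eap_tls: bool, group: str) -> str:
    """Authorization phase: AD group membership, optionally preceded by the
    'if EAP-TLS then permit' style condition from Jason's reply."""
    if require_eap_tls and attempt.eap_method != "EAP-TLS":
        return "DENY"
    return "PERMIT" if group in attempt.ad_groups else "DENY"


def decide(attempt: Attempt, allowed_protocols: set[str],
           require_eap_tls: bool = False, group: str = "Wireless-Users") -> str:
    if not authenticate(attempt, allowed_protocols):
        return "AUTH-FAIL"
    return authorize(attempt, require_eap_tls, group)


# Constructed attempts: a managed laptop holding the cert, and a device without
# one whose user knows valid AD credentials (the case the original poster saw).
WITH_CERT = Attempt("laptop-01", "EAP-TLS", True, True, {"Wireless-Users"})
NO_CERT = Attempt("byod-01", "PEAP-MSCHAPv2", False, True, {"Wireless-Users"})

if __name__ == "__main__":
    both = {"PEAP-MSCHAPv2", "EAP-TLS"}
    print(decide(NO_CERT, both))                        # PERMIT: the gap in the thread
    print(decide(NO_CERT, {"EAP-TLS"}))                 # AUTH-FAIL: PEAP disabled
    print(decide(NO_CERT, both, require_eap_tls=True))  # DENY: authz rule catches it
    print(decide(WITH_CERT, {"EAP-TLS"}))               # PERMIT
```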



@Surendra wrote:
I am assuming that you have a certificate issued for the machine and your requirement is to check this certificate along with the credentials provided by the user.

Based on the assumption above, with the Windows Native Supplicant, you simply cannot achieve this because you cannot define separate methods for machine and user authentication using windows native supplicant. However, if you use AnyConnect Network Access Manager, you can achieve this pretty easily.

If you are talking about having to check user certificate and the user credentials at the same time, it simply is not possible with any supplicant.

Thanks very much for your reply. This is the requirement given to me; however, it looks as though I'm going to have to explain that it's not possible! :)
