ISE with certificate - without AD

Attila Horvath
Level 1

Hi, 

We would like to implement the following:

Corporate (not private) tablet and mobile devices (iPad, Android) can connect to the corporate wireless SSID with a certificate installed on them,

but without AD membership, so the certificates exist only on the PKI server. (Of course the auth is based only on the certificate - TLS.)

I know BYOD is very much the same, but - as I understand it - the final stage, after the CoA, is a simple certificate-based authentication from AD.

Is it possible to implement this without AD? The certificate provisioning is a Helpdesk task, not user controlled.

TIA

Attila

3 Replies

jan.nielsen
Level 7

Sure, as long as your authorization rule doesn't try to match anything like an AD group, you should be fine with EAP-TLS with no AD integration.

But how can I make sure that the certificate is valid and offered by a valid CA?

You have to import the CA as a trusted cert.

When you create your Authz rule you should have some identifying info from that specific cert chain, i.e. CN ends with "mydomain.com".

Just make sure you correctly set up ISE to go and get the CRL from your CA server; otherwise, once a device has a valid cert, it's harder to bump it from your network.
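The three checks jan.nielsen lists (trust the issuing CA, match an attribute of the presented certificate in the authorization rule, and consult the CA's CRL) can be exercised end to end against a throwaway PKI without any identity store. The Go program below is an added example, not code from this thread or from Cisco ISE: it builds an in-memory lab CA, issues client certificates, publishes a CRL, and applies the same decisions a certificate-only EAP-TLS rule has to make. The CA name, the device CNs, the serial numbers and the ".mydomain.com" suffix are constructed for the example; the generalization beyond the thread is that the CRL must also be fresh and signed by the CA before it is acted on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// check aborts the lab on an unexpected setup error.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// authorize applies what a certificate-only EAP-TLS rule has to decide, with no
// identity store (no AD lookup) anywhere: the chain ends at the trusted CA, the
// cert is for client auth, the CN ends with the corporate suffix, and the CRL is
// fresh and does not list the serial number. nil means PERMIT.
func authorize(client *x509.Certificate, roots *x509.CertPool, crl *x509.RevocationList, cnSuffix string, now time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	if !strings.HasSuffix(client.Subject.CommonName, cnSuffix) {
		return fmt.Errorf("CN %q does not end with %q", client.Subject.CommonName, cnSuffix)
	}
	if now.After(crl.NextUpdate) { // a stale CRL must not degrade into "nobody is revoked"
		return fmt.Errorf("CRL expired at %v; refusing to authorize on stale revocation data", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(client.SerialNumber) == 0 {
			return fmt.Errorf("serial %v is listed in the CRL", client.SerialNumber)
		}
	}
	return nil
}

// mustCert issues a certificate from tmpl; with parent == nil it is self-signed.
func mustCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// run builds a throwaway lab PKI in memory (constructed data, not a real corporate
// CA) and evaluates four devices against the policy.
func run() map[string]error {
	now := time.Now()
	notBefore, notAfter := now.Add(-time.Hour), now.Add(24*time.Hour)
	caCert, caKey := mustCert(&x509.Certificate{SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "Corp Device CA"}, NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	roots := x509.NewCertPool() // the "trusted certificates" store: only our CA
	roots.AddCert(caCert)
	clientTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	}
	good, _ := mustCert(clientTmpl(100, "ipad-0042.mydomain.com"), caCert, caKey)
	revoked, _ := mustCert(clientTmpl(101, "android-0077.mydomain.com"), caCert, caKey)
	wrongCN, _ := mustCert(clientTmpl(102, "tablet-0009.otherdomain.net"), caCert, caKey)
	rogue, _ := mustCert(clientTmpl(103, "ipad-9999.mydomain.com"), nil, nil) // self-signed, convincing CN
	// The CA publishes a CRL listing serial 101; ISE would download this from the CA's CDP URL.
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(7),
		ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(101), RevocationTime: now.Add(-time.Minute)}},
	}, caCert, caKey)
	check(err)
	crl, err := x509.ParseRevocationList(crlDER)
	check(err)
	check(crl.CheckSignatureFrom(caCert)) // never act on a CRL the CA did not sign
	results := map[string]error{}
	for name, c := range map[string]*x509.Certificate{"good": good, "revoked": revoked, "wrongCN": wrongCN, "rogue": rogue} {
		results[name] = authorize(c, roots, crl, ".mydomain.com", now)
	}
	return results
}

func main() {
	for name, err := range run() {
		fmt.Printf("%-8s %v\n", name, err) // <nil> means PERMIT
	}
}
```

Running it permits only "good": "rogue" fails chain validation despite its convincing CN, "wrongCN" chains correctly but misses the suffix condition, and "revoked" passes both and is then rejected on the CRL. The ordering matters in practice: the CN match is an authorization condition, not a trust decision, so it must sit behind chain validation to the imported CA, and the CRL check is what lets Helpdesk remove a lost tablet before its certificate expires.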