Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3290
Views
1
Helpful
4
Replies

ISE with PEAP MS-CHAPv2, force windows 10 verify server certificate

Go to solution
Juan Marilaf Millahual
Level 1
Level 1

‎02-01-2021 06:29 AM

Hi

I have Cisco ISE (2.7 patch2) and a need deploy PEAP with MS-CHAPv2 with verify certificate server. I need force what de Microsoft Windows 10 supplicant verify certificate server. The current deploy allow supplicant windows 10 join to the network without verificate server certificate. How I can force in Cisco ISE for what the supplicant windows 10 can force validate Certificate server for allow access to the network and no join to the network if the supplicant no verify certificate server??

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ahollifield
VIP
VIP
In response to Juan Marilaf Millahual

‎02-01-2021 05:06 PM - edited ‎02-01-2021 05:08 PM

Ahh I understand the question now.  This is 100% a client side verification and, as I understand, ISE has no visibility into this.  The only option I could think of is to use the AnyConnect Network Access Module (NAM) as the supplicant instead.  Then use ISE Posture to enforce the download of the appropriate XML config file which would then enforce the certificate validation check.  

View solution in original post

4 Replies 4

Go to solution
Marcelo Morais
VIP
VIP

‎02-01-2021 07:02 AM

Hi @Juan Marilaf Millahual 

 please take a look at: ISE Secure Wired Access Prescriptive Deployment Guide - search for Configuring Microsoft Windows 10 for Wired 802.1X.

 

Hope this helps !!!

0 Helpful

Go to solution
ahollifield
VIP
VIP

‎02-01-2021 12:41 PM

Top check box in the screenshot below.  Then also select the issuing CA in the list.  

 

Capture.PNG

0 Helpful

Go to solution
Juan Marilaf Millahual
Level 1
Level 1
In response to ahollifield

‎02-01-2021 03:48 PM

Hi

This step was done, the question is how I can avoid supplicant with out option “verify the server´s identity….” Join to the network through Cisco ISE uthentication or authorization policy?

I don’t want windows 10 supplicant with out the option “verifiy the server´s identity…” can join the network. I want only supplicant with option “ verify the server´s identity by validating the certificate” enable and select the correct certificate root CA, its is my goal!!

Today disable or enable the option “verify the servers indentity identity by validating the certificate ”can join to the network. How can I in cisco ISE configuring authentication or authorization for avoid this situation?
0 Helpful

Go to solution
ahollifield
VIP
VIP
In response to Juan Marilaf Millahual

‎02-01-2021 05:06 PM - edited ‎02-01-2021 05:08 PM

Ahh I understand the question now.  This is 100% a client side verification and, as I understand, ISE has no visibility into this.  The only option I could think of is to use the AnyConnect Network Access Module (NAM) as the supplicant instead.  Then use ISE Posture to enforce the download of the appropriate XML config file which would then enforce the certificate validation check.  

Customers Also Viewed These Support Documents