ISE with PEAP MS-CHAPv2, force windows 10 verify server certificate

Hi

I have Cisco ISE (2.7 patch 2) and need to deploy PEAP with MS-CHAPv2 with server certificate verification. I need to force the Microsoft Windows 10 supplicant to verify the server certificate. The current deployment allows the Windows 10 supplicant to join the network without verifying the server certificate. How can I enforce in Cisco ISE that the Windows 10 supplicant must validate the server certificate to be allowed onto the network, and that it cannot join the network if it does not verify the server certificate?

1 Accepted Solution


Ahh I understand the question now. This is 100% a client-side verification and, as I understand, ISE has no visibility into this. The only option I could think of is to use the AnyConnect Network Access Module (NAM) as the supplicant instead. Then use ISE Posture to enforce the download of the appropriate XML config file, which would then enforce the certificate validation check.


4 Replies

Hi @Juan Marilaf Millahual 

please take a look at the ISE Secure Wired Access Prescriptive Deployment Guide - search for "Configuring Microsoft Windows 10 for Wired 802.1X".

Hope this helps!

Top check box in the screenshot below. Then also select the issuing CA in the list.

(screenshot: Capture.PNG)

Hi

This step was done; the question is how I can prevent a supplicant that does not have the "verify the server's identity…" option enabled from joining the network, through a Cisco ISE authentication or authorization policy?

I don't want a Windows 10 supplicant without the "verify the server's identity…" option enabled to be able to join the network. I want only supplicants with the "verify the server's identity by validating the certificate" option enabled and the correct root CA certificate selected to be able to join; that is my goal!

Today, with the "verify the server's identity by validating the certificate" option either disabled or enabled, the supplicant can join the network. How can I configure authentication or authorization in Cisco ISE to avoid this situation?
