Issues in PEAP Authentication--Cisco ISE

Dear Community,

 

We are facing issues in the below setup.

                PEAP
clients --> WLC --- Cisco ISE --- AD
              MSCHAPv2

 

 

We have deployed private CA certificates to all our local machines, and they get authenticated using the validate certificate option in the Windows properties. In this scenario, if users try on their BYOD devices with a domain account as well, they also get authenticated.

 

Kindly help us with how to get rid of that; our requirement is to achieve Windows/AD-based authentication with a certificate.

Accepted Solution

 

I was thinking about the issue you have, and you probably are not requiring a certificate in the authentication policy. Create a library condition which matches the certificate, and then add that to the policy. Then a certificate will be required.

 

Thanks,

Alex

 

 


ognyan.totev (Level 5)

If you use a different certificate for BYOD, they will never be authenticated.

But I assume you use the same certificate for BYOD too.

In my deployment I don't have BYOD, but all machines in the domain are authenticated by certificate.

Ognyan,

Thank you for your comments. But please note that certificates are deployed on machines only and not through BYOD.

 

 

We are using MS PEAP (MS-CHAP v2) with Validate Client certificate on the laptop. I want to allow only the clients with the cert installed to connect to the SSID. What should my ISE authentication and authorization policies be?

Seems to me you should configure your valid machines to use EAP-TLS certificate-based authentication and not PEAP.

Under your authentication rules only allow EAP-TLS, or do it under authorization.

We can use only PEAP with MSCHAP-v2, as we are not authorized to change the global SSID requirement.

Keeping this setting, how can we restrict the clients who don't have certificates?

 

Our setting is like this.

 

 

You can do this in ISE.

Authorization rules:
If SSIDNAME and EAP-TLS, then permit access.

Otherwise, if SSIDNAME and PEAP, then redirect them to an HTML page or deny access.

It's still not clear exactly what you're trying to accomplish if you can't just restrict the SSID but don't want to allow anyone without a certificate to use it.

There are some examples in the BYOD guide mentioned before of similar rule configurations and screenshots
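The two authorization rules above, modelled as an added example (not code from the thread, Cisco, or ISE): a first-match evaluator over constructed RADIUS-style session attributes. The SSID name, attribute names and the two sample sessions are assumptions; the point it shows is that the supplicant's "validate server certificate" setting never reaches ISE, so only the EAP method and a presented client certificate can drive the decision.

```python
# Added example, not from the thread or from Cisco ISE. Models Jason's two
# authorization rules as a first-match policy over constructed session data.
from dataclasses import dataclass
from typing import Callable, Optional

SSID_NAME = "CORP-WLAN"  # assumed SSID name standing in for "SSIDNAME"


@dataclass
class Session:
    called_station_id: str                      # WLC sends "AP-MAC:SSID"
    eap_method: str                             # EAP type negotiated with ISE
    client_cert_subject: Optional[str] = None   # set only when EAP-TLS ran
    supplicant_validates_server: bool = True    # client-side only; ISE never sees it

    @property
    def ssid(self) -> str:
        # Strip the AP MAC prefix; only the SSID suffix matters to the rule
        return self.called_station_id.rsplit(":", 1)[-1]


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    result: str


def has_cert(s: Session) -> bool:
    # Under PEAP-MSCHAPv2 the client never presents a certificate to ISE,
    # so this can only be true for an EAP-TLS session.
    return s.eap_method == "EAP-TLS" and s.client_cert_subject is not None


AUTHZ_RULES = [
    Rule("machine-cert", lambda s: s.ssid == SSID_NAME and has_cert(s), "PermitAccess"),
    Rule("no-cert", lambda s: s.ssid == SSID_NAME and s.eap_method.startswith("PEAP"), "DenyAccess"),
]


def authorize(s: Session) -> str:
    # First matching rule wins; unmatched sessions fall to the implicit default.
    for rule in AUTHZ_RULES:
        if rule.condition(s):
            return rule.result
    return "DenyAccess"


# Constructed sessions: a domain laptop with a machine cert, and a BYOD phone
# using domain credentials over PEAP-MSCHAPv2 with server validation enabled.
laptop = Session("00-11-22-33-44-55:CORP-WLAN", "EAP-TLS", "CN=LAPTOP01.example.local")
byod = Session("00-11-22-33-44-55:CORP-WLAN", "PEAP-MSCHAPv2", supplicant_validates_server=True)
```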

Jason ,

Thank you for your comments. Please note this:

We are not allowed to change the authentication requirement, as the SSID is for global users, and it has to connect their laptops provided the required certificate is installed. The hindrance is that if any employee uses his domain credentials on his personal device, it will connect even though the client doesn't have a certificate.

 

At this moment we cannot use EAP-TLS, only PEAP with certificates.

 

 

What is shown in your doc is the client-side settings, and server certificate validation is up to the clients.

To limit what clients are authorized, please see slides 343 ~ 379 of the reference presentation from Advanced ISE Services, Tips and Tricks - BRKSEC-3697
Event: 2018 Orlando
Craig Hyps, Principal Technical Marketing Engineer

Ognyan,
Have you tried connecting BYOD/personal devices to the network using domain accounts and ignoring the security prompt in your deployment?

Alex Pfeil (Level 7)

All you must do is remove username and password as a valid authentication. If you have some groups that you want to authenticate, use Active Directory groups and only allow those groups to get on the network. To remove username and password to Active Directory, you have a policy in place; you can simply go to that policy and change it to deny, or remove it.
Thanks,
Alex

Hello Alex,

 

Thank you for your comments. Please clarify how to remove it specifically for mobile accounts if we are using AD-based authentication.

 

We don't want machines without certificates to connect to the network. Currently there is only a security prompt happening (if users enter a domain account on their mobile), whereas it should work normally when using laptops with certificates.

1. Go to Policy, Policy Sets.
2. Enter the policy that you are using for authentication, click on the > sign.
3. Look at the authentication policy.
4. If there is no username and password authentication policy, you may have a default policy set up that you need to look at.


Maybe I missed something, but the way to prevent any supplicant from succeeding in trying the EAP-TLS method is for ISE not to offer it in the TLS negotiation.

If a supplicant requests EAP-TLS and ISE isn't able to offer it, then the conversation ends there.

This is done via the Allowed Protocols section in Authentication. Create a new Allowed Protocols profile and then only allow EAP-PEAP.

 
