Looking for solution for access for workstations not authenticating

dropped_packetz
Level 1

ISE is still a learning thing to me. We do not have any wireless, only wired. Our Windows workstations use NAM to authenticate with EAP-FAST and EAP-TLS, and we also do EAP-Chaining. Right now, we are always having to take the authentication config off of switchports for our Desktop Support to get into the systems and either fix the Secure Client software or redo certs, and then reapply the authentication config and hope they fixed it right, and if they didn't, do the process all over. I know the first two obvious solutions are a limited access dACL, which I am looking at now, or a limited access VLAN, with either solution only having access to the necessary servers and services needed to get the workstation into authentication successful status. Are there any other solutions used to accomplish this?

6 Replies

@dropped_packetz

If your main issue is having to reissue certificates, are your Windows GPOs not configured correctly to automatically reissue certificates before expiry?

Which certificate are you having a problem with, machine or user? With EAP Chaining you would normally authorise on both User and Machine authentication passed. If you have a problem with user certificates and therefore users failing to authenticate, you could configure authorisation based on "Network Access EAPChainingResult EQUALS User failed and Machine succeeded" and apply the DACL with restricted access. Or apply the same logic if it's the machine certificate with "Network Access EAPChainingResult EQUALS User succeeded and Machine failed".
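As an added illustration of the restricted dACL this reply refers to (not part of the original post or any Cisco-provided configuration), here is a downloadable ACL that only lets a partially-authenticated host reach what it needs to repair itself: DHCP, DNS, Kerberos and LDAP/SMB to the domain controller (for gpupdate and certificate autoenrollment), the RPC ports the CA uses for autoenrollment, the ISE client provisioning portal (for a Secure Client reinstall) and a Desktop Support file share. All addresses and the portal port are constructed placeholders; the ISE dACL editor takes the ACE lines without an `ip access-list` header, and the switch substitutes the endpoint's address for `any` in the source field.

```text
remark Constructed example dACL "REMEDIATION_ONLY" - replace placeholder hosts
remark 10.0.0.10 = domain controller / DNS, 10.0.0.20 = issuing CA
remark 10.0.0.30 = ISE PSN, 10.0.0.40 = Desktop Support software share
remark DHCP so the host can obtain or renew its address
permit udp any eq bootpc any eq bootps
remark DNS to the domain controller
permit udp any host 10.0.0.10 eq domain
permit tcp any host 10.0.0.10 eq domain
remark Kerberos and password/keytab operations to the DC
permit tcp any host 10.0.0.10 eq 88
permit udp any host 10.0.0.10 eq 88
permit tcp any host 10.0.0.10 eq 464
remark LDAP and SMB (SYSVOL) so gpupdate can run
permit tcp any host 10.0.0.10 eq 389
permit tcp any host 10.0.0.10 eq 445
remark RPC endpoint mapper plus dynamic range used by DC and CA (autoenrollment is DCOM/RPC)
permit tcp any host 10.0.0.10 eq 135
permit tcp any host 10.0.0.10 range 49152 65535
permit tcp any host 10.0.0.20 eq 135
permit tcp any host 10.0.0.20 range 49152 65535
remark ISE client provisioning portal (default port assumed) for a Secure Client reinstall
permit tcp any host 10.0.0.30 eq 8443
remark Desktop Support share for installers
permit tcp any host 10.0.0.40 eq 445
remark Everything else is blocked until a full EAP-chain success moves the port to the normal profile
deny ip any any
```

Attach this dACL to an authorization profile matched only by the "User succeeded and Machine failed" (or the reverse) EAPChainingResult rule, and place that rule below the normal both-succeeded rule so a healthy host never lands on it.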


Truthfully, cert issues are usually only about 10-15% of the reason for not authenticating; it is usually issues with the NAM needing to be reinstalled. And I am not sure I have seen an expired cert be an issue as of yet; sometimes there are two certs, and sometimes just deleting the valid cert the system has and running gpupdate to get another one fixes it. Oh, and it seems to almost always be the machine cert that is the issue. Our desktop support tries to get cute and automate it too much, and it hoses up the installation of it a lot. Moving off NAM to TEAP is my next battle, but I would still need this in place anyway, so I am working on getting this done first.

Why use NAM at all?  Why not use TEAP?

That's my next battle... but regardless, I would still need the limited access dACL in place to address cert issues.

But I am curious as to how many out there that just use ISE for EAP-Chaining/EAP-TLS purposes use TEAP over NAM.  Any fuel I can add to my argument to move to TEAP helps.

All of my new ISE deployments use TEAP with the Windows native supplicant. EAP-TLS for Apple and mobile devices. The only use-case for NAM is if MACsec is required.

All of my customers that previously had EAP-FAST using NAM deployed have since migrated to TEAP once their fleet was fully migrated to Windows 10/11.

Yeah, that's what I figured. ISE kind of got dropped in my lap to take care of about 2 years ago. Even before that, we had other companies come in and take care of upgrading it for us and just giving us whatever extra we needed (i.e. switch config, etc.), so it's not like anyone else in my Department was an ISE expert either. It looks like at one time we were trying to use it to monitor that workstations had the correct versions. I do have entries in Client Provisioning for different versions of AnyConnect and Umbrella from before I got involved. We recently had someone help us upgrade to 3.3 and we looked at this, but he noticed that there was nothing in place to act upon the results from the software check, so we took the posture and isecompliance module out of our install when we upgraded everything from AnyConnect to Secure Client recently, so now we just have the VPN Core, NAM, DART and Umbrella being installed. The guy who helped us upgrade to 3.3 did bring up moving to TEAP, but it was at the tail end of the upgrade and there were too many moving parts to get approved by the powers that be and work on it before the project got closed out. I'm sure if it had been brought up in the initial discovery of the project, we definitely could have made it happen, but I did not have the knowledge of it at that time to bring it up.