Beginner

Machine and user certificate provisioning for EAP-TLS / SDAccess / onboarding

Hi,

We are going to implement a NAC project with multiple AD Domain for which we will authenticate machines and users with EAP-TLS.

Each domain will have its own CA.
The network will be a SD Access network managed by a DNA center


We have made some tests with the different domains and things are working fine. We are able to assign the correct VNI / IP Pool and SGT for each kind of endpoint/user.


But in our tests, endpoints are already provisioned with the required certificates (Root CA, machine certificate and user certificate), and the network adapter is also manually configured for EAP-TLS.


The question is, what is the best way to get an easy onboarding of the machine/user on day 0 when they are going to connect the first time to the network?
What about computer imaging? Will this include user certificate?


We can think of a staging area where users can onboard and reinstall their computers, but we are looking for a more elegant solution.

Do you have some experience to share with this?


Thanks

Enthusiast

Hi,


Actually the question is for the Windows team person.


They have to create a group policy for the machine and user certificates to auto-enroll automatically.


Also, when a certificate is near expiry, they will need to auto-generate and issue a new certificate as well.


https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment


Thanks and Regards

VIP Engager

The question is, what is the best way to get an easy onboarding of the machine/user on day 0 when they are going to connect the first time to the network?
-IMO this depends on your requirements. One way to track this is via tickets.

What about computer imaging? Will this include user certificate?
-For imaging your best bet will be to have some sort of a process that involves MAB authentication so that admins can PXE boot and pull an image from your enterprise services. Once your Windows/SCCM team fully gets a box domain-ready, you should be able to rely on GPO and auto-enrollment based on security groups containing domain-joined objects to configure the native supplicant and enroll for a cert. During the imaging process and cert enrollment you can also push the cert chain to clients. Then after imaging, cert enrollment, etc., upon next re-auth the clients will move from, let's say, your staging/imaging network into their respective network based on 802.1X auth with specific ISE policies to onboard clients.

Something to note from my experience with SDA and onboarding is that, depending on the auth template you decide to use, you may need to tweak timers and/or the order.

As for getting MAC addresses into an ISE L2 identity group, you have several options IMO. A couple of those are utilizing REST APIs to bulk add new MACs, or manually creating/adding them. Note that you will want to figure out a way to track this.

AFAIK for multiple AD points you can add up to 50. Also, don't forget to have all the respective chains in the trust store within ISE. Lastly, you will want to discuss the overall requirements with your PKI, AD, and server teams from each respective group. Good luck & HTH!
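As an added illustration of the "bulk add MACs into an ISE L2 identity group via REST API, and keep a ticket trail" option in the reply above (this is not the replier's code, nor anything from Cisco), the script below normalizes the mixed MAC notations a helpdesk export contains, rejects typos before they reach ISE, drops duplicates, resolves the staging endpoint identity group by name, and creates one static endpoint per MAC with the ticket number in the description. It assumes the ISE ERS API on port 9060 (`GET /ers/config/endpointgroup?filter=name.EQ.<name>`, `POST /ers/config/endpoint`), a hypothetical PAN hostname and group name, and a `requests.Session` (or any object with the same `get`/`post` interface) already configured with ERS admin credentials.

```python
import re
ERS_BASE = "https://ise.example.internal:9060/ers/config"   # placeholder PAN, not from the thread
JSON_HDRS = {"Accept": "application/json", "Content-Type": "application/json"}
SAMPLE_CSV = (  # constructed helpdesk export, "mac,ticket" per line in the notations people type
    "00-1A-2B-3C-4D-5E,INC0012345\n"
    "001a.2b3c.4d60,INC0012346\n"
    "00:1A:2B:3C:4D:5E,INC0012345\n"   # same box as line 1 in another notation: must not be sent twice
    "zz:zz:zz:zz:zz:zz,INC0012347\n"   # typo: must be rejected, never POSTed to ISE
)

def normalize_mac(raw):
    """Accept Windows (-), Cisco (.) or colon notation; return ISE's AA:BB:CC:DD:EE:FF form or None."""
    digits = re.sub(r"[-:.]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2].upper() for i in range(0, 12, 2))

def parse_staging_list(text):
    """Return (unique valid [(mac, ticket)], rejected raw lines) for the export."""
    accepted, rejects, seen = [], [], set()
    for line in filter(str.strip, text.splitlines()):
        raw_mac, _, ticket = line.partition(",")
        mac = normalize_mac(raw_mac)
        if mac is None:
            rejects.append(line)
        elif mac not in seen:          # ERS answers 400 for a MAC that already exists
            seen.add(mac)
            accepted.append((mac, ticket.strip()))
    return accepted, rejects

def ers_endpoint_body(mac, group_id, ticket):
    """Body for POST /ers/config/endpoint: pin the MAC statically to the staging group."""
    return {"ERSEndPoint": {"mac": mac, "groupId": group_id, "staticGroupAssignment": True,
                            "description": f"staging via {ticket}"}}   # keeps the ticket trail

def bulk_add(session, group_name, csv_text):
    """Resolve the identity group id, then create one endpoint per MAC; returns (created, rejects)."""
    r = session.get(f"{ERS_BASE}/endpointgroup", headers=JSON_HDRS,
                    params={"filter": f"name.EQ.{group_name}"})
    r.raise_for_status()
    group_id = r.json()["SearchResult"]["resources"][0]["id"]
    accepted, rejects = parse_staging_list(csv_text)
    created = 0
    for mac, ticket in accepted:
        r = session.post(f"{ERS_BASE}/endpoint", headers=JSON_HDRS,
                         json=ers_endpoint_body(mac, group_id, ticket))
        created += r.status_code == 201            # ERS returns 201 Created on success
        if r.status_code != 201:
            rejects.append(f"{mac}: HTTP {r.status_code}")
    return created, rejects
```

Review the returned rejects list before the imaging window: a MAC that was never created will stay on the MAB-blocked staging port, which is the safe failure mode.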
Cisco Employee

There are various caveats around PC build/onboarding in a NAC environment. The easiest solution by far would be to have a separate staging environment. See the posts below discussing related topics around this.


PC Imaging on NAC secured ports 

ISE Deployment EAP-TLS Machine or User Certificates Native Supplicant