cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
274
Views
0
Helpful
4
Replies

Mixing internal users and certificate authentication on ISE

AK59
Level 1
Level 1

Hello everyone,

 

We actually use an ISE (version 3.1) to authenticate endpoints in wifi  using a certificate.

The configuration is pretty simple but now we want to allow authentication for internal users (created and stored in the ISE) 

Problem is, the users don't use a certificate.

In our policy set, the PKI server is explicitly used in the Authentication Policy 

AK59_0-1715805076550.png

 

We can change that option and select a specific Identity Source Sequence including Internal Users, but the criteria "Certificate based Authentication" is also ticked. 

AK59_1-1715805235330.png

 

Our question is :

If we replace the PKI server on the Authentication Policy by the sequence shown above (using Internal Users/Certificated based), will it authenticat an internal user without certificate ? 

Thanks in advance, 

PS : We have this "Advanced Search List Settings" option that seems to answer our question but we're still skeptical regarding the certificate based option. 

AK59_2-1715805268224.png

 

1 Accepted Solution

Accepted Solutions

Arne Bier
VIP
VIP

I tend to make one RADIUS Policy Set per SSID (in organizations that have more than one 802.1X SSID)

Help ISE to select the appropriate authentication method (column "Use") by testing the EAP Method used.

In my example, the top Condition uses the default "Allowed Protocols" - in practice I would make a custom one, and include only EAP-TLS and EAP-PEAP (and untick all the other boxes)

Example below:

ArneBier_0-1715900959709.png

 

 

 

View solution in original post

4 Replies 4

Arne Bier
VIP
VIP

You don't change anything in the Identity Source Sequence, nor in the Certificate Profile. The difference between cert auth (EAP-TLS) and username/password auth (EAP-PEAP) is handled during Authentication.

The way it's done is to check what EAP Method is being used in the ISE Authentication in the Policy Set.

If Network Access-EapTunnel EQUALS PEAP    then use Internal Users

If Network Access-EAPAuthentication EQUALS EAP-TLS    then use Cert_Profile

 

In the Authorization part of the Policy Set, you can again differentiate between cert and credential auth, if you must treat them differently. E.g. If you know that PEAP authentications are users whose accounts live in ISE, then you can make that as part of an AND condition

If Network Access-EapTunnel EQUALS PEAP AND InternalUser Identity Group EQUALS Employee   then .....

Remember that Authorization happens AFTER successful authentication - which means you don't have to test logic conditions that passed in the Authentication stage - you only do it if there is ambiguity. 

Thanks Arne for the reply. 

I forgot to mention the fact that before using the Authentication Policy there is a first rule with "Wireless 802.1x" as a condition and as allowed protocol "EAP-TLS". 

AK59_0-1715842573227.png

Do I have to create a whole new policy before that one and specify Wireless 802.1x as condition and PEAP as Allowed Protocols ? 

Arne Bier
VIP
VIP

I tend to make one RADIUS Policy Set per SSID (in organizations that have more than one 802.1X SSID)

Help ISE to select the appropriate authentication method (column "Use") by testing the EAP Method used.

In my example, the top Condition uses the default "Allowed Protocols" - in practice I would make a custom one, and include only EAP-TLS and EAP-PEAP (and untick all the other boxes)

Example below:

ArneBier_0-1715900959709.png

 

 

 

AK59
Level 1
Level 1

Thank you it's very clear now !