05-15-2024 01:41 PM
Hello everyone,
We actually use an ISE (version 3.1) to authenticate endpoints in wifi using a certificate.
The configuration is pretty simple but now we want to allow authentication for internal users (created and stored in the ISE)
Problem is, the users don't use a certificate.
In our policy set, the PKI server is explicitly used in the Authentication Policy
We can change that option and select a specific Identity Source Sequence including Internal Users, but the criteria "Certificate based Authentication" is also ticked.
Our question is:
If we replace the PKI server on the Authentication Policy by the sequence shown above (using Internal Users/Certificate based), will it authenticate an internal user without a certificate?
Thanks in advance,
PS: We have this "Advanced Search List Settings" option that seems to answer our question, but we're still skeptical regarding the certificate based option.
05-16-2024 04:11 PM
I tend to make one RADIUS Policy Set per SSID (in organizations that have more than one 802.1X SSID).
Help ISE to select the appropriate authentication method (column "Use") by testing the EAP Method used.
In my example, the top Condition uses the default "Allowed Protocols" - in practice I would make a custom one, and include only EAP-TLS and EAP-PEAP (and untick all the other boxes)
Example below:
05-15-2024 03:57 PM
You don't change anything in the Identity Source Sequence, nor in the Certificate Profile. The difference between cert auth (EAP-TLS) and username/password auth (EAP-PEAP) is handled during Authentication.
The way it's done is to check what EAP Method is being used in the ISE Authentication in the Policy Set.
If Network Access-EapTunnel EQUALS PEAP then use Internal Users
If Network Access-EAPAuthentication EQUALS EAP-TLS then use Cert_Profile
In the Authorization part of the Policy Set, you can again differentiate between cert and credential auth, if you must treat them differently. E.g. If you know that PEAP authentications are users whose accounts live in ISE, then you can make that as part of an AND condition
If Network Access-EapTunnel EQUALS PEAP AND InternalUser Identity Group EQUALS Employee then .....
Remember that Authorization happens AFTER successful authentication - which means you don't have to test logic conditions that passed in the Authentication stage - you only do it if there is ambiguity.
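To make the first-match semantics of the Authentication Policy described in this reply concrete, here is an added example (not from the thread or from Cisco) modelling the two EAP-method rules and the AND condition in Authorization; the attribute names follow the thread, while the evaluator, the session dictionaries and the authorization profile names are constructed assumptions.

```python
# Added example: a small first-match model of the ISE Authentication Policy
# described in the reply above. Attribute and identity-source names follow
# the thread; the evaluator, sessions and profile names are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Session = Dict[str, str]  # constructed RADIUS/EAP attributes of one session


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    use: str  # the "Use" column: identity source, or DenyAccess


# Authentication Policy rules, evaluated top-down; the first match wins.
AUTHENTICATION_POLICY: List[Rule] = [
    Rule("PEAP users",
         lambda s: s.get("Network Access-EapTunnel") == "PEAP",
         "Internal Users"),
    Rule("EAP-TLS endpoints",
         lambda s: s.get("Network Access-EAPAuthentication") == "EAP-TLS",
         "Cert_Profile"),
    Rule("Default", lambda s: True, "DenyAccess"),
]


def select_identity_source(session: Session,
                           policy: List[Rule] = AUTHENTICATION_POLICY) -> str:
    """Return the identity source the first matching rule selects."""
    for rule in policy:
        if rule.condition(session):
            return rule.use
    return "DenyAccess"


def authorize(session: Session, identity_group: Optional[str]) -> str:
    """Authorization runs only after successful authentication and may AND
    the EAP method with the internal user's identity group, as in the thread."""
    if (session.get("Network Access-EapTunnel") == "PEAP"
            and identity_group == "Employee"):
        return "Employee_Wifi_Access"  # hypothetical authorization profile
    if session.get("Network Access-EAPAuthentication") == "EAP-TLS":
        return "Cert_Wifi_Access"      # hypothetical authorization profile
    return "DenyAccess"


# Constructed sessions: a PEAP user with a password, an EAP-TLS endpoint.
PEAP_SESSION: Session = {"Network Access-EapTunnel": "PEAP",
                         "Network Access-EAPAuthentication": "EAP-MSCHAPv2"}
TLS_SESSION: Session = {"Network Access-EAPAuthentication": "EAP-TLS"}
```

A session matching neither EAP condition falls through to the default rule, which is why the order of the rules, not the Identity Source Sequence, decides which store is consulted.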
05-16-2024 02:35 AM
Thanks Arne for the reply.
I forgot to mention the fact that before using the Authentication Policy there is a first rule with "Wireless 802.1x" as a condition and as allowed protocol "EAP-TLS".
Do I have to create a whole new policy before that one and specify Wireless 802.1x as condition and PEAP as Allowed Protocols?
05-17-2024 06:46 AM
Thank you, it's very clear now!