Non domain computer using EAP-TLS via Machine Certificate

daniel.tanch, Level 1

Hi,

1) I would like to check and verify whether it is possible to do EAP-TLS via machine certificate for a non-domain-joined computer. If so, how do I go about doing it? The non-domain computer will be manually signed by the CA server. As of now, I have a workaround using MAB and it is working successfully.

2) Is it possible to verify that the non-domain-joined computer's OS is "Windows" when doing the authentication/authorization? And what are the steps to do it?

Accepted Solution

@daniel.tanch yes, you can do EAP-TLS on non-domain-joined computers. You would need to manually create the Certificate Signing Request (CSR), send it to be signed, import the certificate into the local user certificate store, and import the trusted root certificates. Alternatively, you could use openssl to generate the CSR, get the certificate signed, create a PKCS12 file and import that into the user certificate store.

You would need ISE profiling to determine the operating system. Which profiling probes do you have enabled? You can learn OS information using the DHCP and NMAP probes.

What ISE license level do you have? If using ISE 3.x, you would need the Advantage license to use profiling features.

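The openssl route described in the accepted answer, written out as an added example (this is not code from the thread or from Cisco): generate the key pair and CSR on the client, sign it, bundle key, certificate and issuing CA as PKCS#12 for the Windows certificate store, and then run the checks a RADIUS server effectively performs on a machine certificate during EAP-TLS. The self-signed "Lab Root CA", the hostname `lab-pc01.example.test` and the export password are constructed placeholders standing in for the real CA server and client; the script also signs a second copy of the CSR with a web-server EKU to show how a certificate that is otherwise valid gets rejected for client authentication.

```shell
#!/bin/sh
# Added example (not from the original thread): openssl CSR -> CA signs -> PKCS#12
# for the Windows certificate store, followed by the checks an EAP-TLS authenticator
# such as ISE effectively performs. Lab CA, hostname and password are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-lab-pc01.example.test}"   # constructed client hostname
P12_PASS="${P12_PASS:-changeit}"        # placeholder export password
DAYS=365

# Step 0 (lab only): a self-signed root standing in for the enterprise CA server.
make_lab_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" \
    -subj "/CN=Lab Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Step 1 (client): key pair plus CSR. Only the CSR is sent to the CA; the private
# key never leaves the machine.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$HOST" -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
}

# Step 2 (CA): sign the CSR. $1 = EKU to place in the certificate, $2 = output file.
# A machine certificate for EAP-TLS needs the TLS Client Authentication EKU and a
# SAN carrying the machine name, which is what the certificate authentication
# profile on the RADIUS side matches against.
sign_csr() {
  eku="$1"; out="$2"
  printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' "$eku" "$HOST" > "$WORK/client.ext"
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$DAYS" -extfile "$WORK/client.ext" -out "$out" 2>/dev/null
}

# Step 3 (client): bundle key + certificate + issuing CA into one PKCS#12 file,
# the format the Windows certificate import wizard expects.
make_pkcs12() {
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.pem" \
    -certfile "$WORK/ca.pem" -passout "pass:$P12_PASS" -out "$WORK/client.p12"
}

# Checks mirroring what the authenticator verifies; each returns 0 (pass) or 1.
check_chain() {      # chains to the trusted root AND is usable for client auth
  openssl verify -CAfile "$WORK/ca.pem" -purpose sslclient "$1" >/dev/null 2>&1
}
check_san() {        # carries the machine name the authorization rule will match
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$HOST"
}
check_key_match() {  # the private key in the store belongs to this certificate
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$WORK/client.key" -pubout)" ]
}

# Full flow, contrasting a correct certificate with one signed from a web-server
# style template (EKU serverAuth), a common reason a valid-looking certificate is
# rejected for EAP-TLS.
demo() {
  make_lab_ca; make_csr
  sign_csr clientAuth "$WORK/client.pem"
  sign_csr serverAuth "$WORK/wrong-eku.pem"
  make_pkcs12
  for f in client.pem wrong-eku.pem; do
    if check_chain "$WORK/$f" && check_san "$WORK/$f" && check_key_match "$WORK/$f"; then
      echo "$f: OK for EAP-TLS"
    else
      echo "$f: would be rejected (chain, EKU or SAN check failed)"
    fi
  done
  echo "bundle for import: $WORK/client.p12"
}

demo
```

Import `client.p12` into the Local Computer personal store on the Windows machine (not the current user's store, since machine authentication uses the computer's certificate) and the CA certificate into Trusted Root Certification Authorities. The three `check_*` functions are also a quick way to compare the certificate on a working domain-joined machine with the one on the failing non-domain machine: run them against each exported certificate and the first failing check is the difference. OpenSSL 3 encrypts PKCS#12 with AES and PBKDF2 by default; if an older Windows release refuses the import, re-export with `openssl pkcs12 -export -legacy`.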

5 Replies

marce1000, VIP

 - FYI : https://www.cwnp.com/forums/posts?postNum=300324

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !


Are there any steps/guides on how to do it on Cisco ISE? I tried and it failed, so I then tried with a domain-joined computer using a machine certificate, and everything worked successfully. Is there any way to verify whether it is the signed certificate on the non-domain computer that is causing this problem?

Noted on the 2nd point; currently I am using a trial version (3.x) before purchasing the license.

Hi Rob,

I saw in "https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html" that it states "Active Directory is typically used to support Machine Authentication against the computer account and/or User Authentication against the end-user account in Active Directory." But if the computers are not domain joined, can it still work using machine authentication (EAP-TLS)?

[Screenshot: Use External Identity Source.png]

@daniel.tanch AD is recommended because, as indicated, computers are typically AD domain joined, but you can authenticate non-domain-joined computers as long as you can enroll the device with a certificate. You can do this using either the initial recommendation, or use an MDM to distribute certificates, or use the ISE BYOD portal. https://community.cisco.com/t5/security-knowledge-base/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867#toc-hId-640661554
