07-28-2022 02:56 AM - edited 07-28-2022 03:00 AM
Hi,
1) I would like to check and verify whether it is possible to do EAP-TLS via machine certificate for a non-domain-joined computer. If so, how do I go about doing it? The non-domain computer will be manually signed by the CA server. As of now, I have a workaround using MAB and it is working successfully.
2) Is it possible to verify that the non-domain-joined computer's OS is "Windows" when doing the authentication/authorization? And what are the steps to do it?
07-28-2022 05:24 AM - edited 07-28-2022 05:30 AM
@daniel.tanch yes, you can do EAP-TLS on non-domain-joined computers. You would manually need to create the Certificate Signing Request (CSR), send this to get signed, import the certificate to the local user certificate store and import the trusted root certificates. Alternatively, you could possibly use openssl to generate the CSR, get the certificate signed, create a PKCS12 file and import this to the user certificate store.
You would need ISE profiling to determine the Operating System. What profiling probes do you have enabled? You can learn OS information using DHCP and NMAP probes.
What ISE license level do you have? If using ISE 3.x you'd need the Advantage license to use profiling features.
07-28-2022 05:11 AM
- FYI : https://www.cwnp.com/forums/posts?postNum=300324
M.
07-28-2022 07:51 PM
Are there any steps/guides on how to do it on Cisco ISE? I tried and it failed, so I tried with a domain-joined computer using a machine certificate, and everything worked successfully. Is there any way to verify whether it is the signed cert on the non-domain computer that is causing this problem?
Noted on the 2nd point. Currently I am using a trial version (3.x) before purchasing the license.
08-01-2022 03:24 AM
Hi Rob,
I saw from "https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html" that it states "Active Directory is typically used to support Machine Authentication against the computer account and/or User Authentication against the end-user account in Active Directory." But if the computers are not domain joined, can it still work using machine authentication (EAP-TLS)?
08-01-2022 07:08 AM
@daniel.tanch AD is recommended because, as indicated, computers are typically AD domain joined, but you can authenticate non-domain-joined computers as long as you can enroll the device with a certificate. You can do this either using the initial recommendation, by using an MDM to distribute certificates, or by using the ISE BYOD portal. https://community.cisco.com/t5/security-knowledge-base/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867#toc-hId-640661554