Question EAP-TLS security

athan1234
Level 3

Dear all:

I have a few inquiries.

My ISE EAP-TLS user certificate is configured.

What will happen if a person copies this user certificate and pastes it into another PC, enabling him to connect to the network?

How does the certificate flow between AD, ISE and the user?

Is it feasible to increase security and add an extra user and password?


@athan1234 it depends, do the users have permissions to export their user certificate?

You could use EAP chaining using TEAP, which combines machine and user authentication. This could be certificates or username/password. Certificates are considered more secure.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216510-eap-chaining-with-teap.html


hi @Rob Ingram, thanks for your reply

some questions over TEAP
What is the advantage in my situation of using TEAP?
I've read that using TEAP, you can authenticate both the computer and the user at the same time, but I'm not sure what the benefit of doing it is.

Could you provide me with a short example?

Regarding machine and user certificates

My client certificate is merely a user certificate.

I want to understand: when you use a user certificate it does not involve AD. It only checks with AD for the authorization, is that right? The CN has to be the same as the AD username, otherwise ISE will not be able to look up the user against AD to fetch the user group info.
Only the CN name will show up on the report, so that's all you have to query against.

In order to strengthen security, it is necessary to add the user's authorization policy on ISE with AD to the authorization policy.
Otherwise it is not required?

I'm uncertain about the machine certificate.
I wish to comprehend when you have a machine certificate, but it's unclear to me.
What is the advantage if it only controls the machines that belong to the domain and have a machine certificate?
How is the process when using a certificate on a machine?

What is the purpose of the ISE authorization policy assuming the machine is True?

So thanks

@athan1234 the benefit of using EAP Chaining (TEAP) is if the user is authenticated using TEAP on a computer that was authenticated using TEAP, ISE would know that the user is connecting from an authenticated machine. It's considered more secure.

When you use certificates for authentication, you can optionally lookup to AD for authorisation and check group membership and apply to authorisation rules.

You'd want to use machine authentication so device has network access, to process computer group policies, allow AV, Windows updates etc without a user logged into the device.

hi @Rob Ingram

I have one more query, sorry.

My idea to increase the security was to add an authorization condition that the user has to belong to a specific AD group.
If the user is an AD member, pass. I can't do it, and I have a dilemma because my customer will also have corporate mobiles with a certificate,
and asked me how to make this SSID as secure as possible while the user is connecting via a mobile device.
Is there any authorization policy condition to make it more secure?

@athan1234 Using TEAP (EAP Chaining) is the most secure authentication method. If using TEAP with machine and user certificates, ISE can do a lookup to AD against the username in the certificate to determine AD group membership for authorisation.

For the mobile devices I doubt they can do TEAP, so you would need to use EAP-TLS with a device certificate, which can be deployed via an MDM.


athan1234
Level 3

Hello, Rob Ingram
Once more, many thanks.

So, the following scenario for my client is possible:

Assume that my clients accept wireless TEAP for PC connections and EAP-TLS for corporate mobiles.

It will be feasible to develop two distinct authentication and authorization mechanisms:

If TEAP is used for authentication, then this authorization.

If EAP-TLS authentication is used, then this authorization.

Do you believe it would work?

@athan1234 yes, define the EAP-TLS in the authorisation rule, only the client configured to use EAP-TLS will match that rule. The client devices configured to use TEAP will not match that rule. That's where you'd configure the EAP Chaining.

@Rob Ingram

Well, you are correct; nonetheless, I want to talk to you about mobile authentication using TLS.

  • If TEAP is used for authentication, then this authorization
  • If EAP-TLS authentication is used for corporate mobiles, then this authorization.

I'm not sure how to build up a condition because my client does not want to have an MDM. Do you understand me?
Any suggestions when traffic is coming from corporate mobiles? (certificate)

@athan1234 if Corporate devices use TEAP and mobile devices use EAP-TLS, you just need to distinguish between using at least the authentication method.

Use the condition EAP-TLS in an authorisation rule, then you know only the mobile devices will match that rule. You can also add a condition to match on the certificate issuer, such as your internal CA only. How you'll get a certificate on the mobile devices without an MDM is another problem.

For the corporate devices you can use "Network Access·EapChainingResult Equals User succeeded and machine succeeded" so you know TEAP was the authentication protocol used, the mobile devices will not match these rules. You can do an AD group lookup for the TEAP devices, for group membership of the users and add that as a condition in one of the rules as well.
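A small model, added here and not code from the thread or from ISE itself, of the two-rule split described above: TEAP PCs matched on the EapChainingResult plus an AD group lookup on the certificate CN, mobiles matched on EAP-TLS plus the internal CA as issuer. The CA DN, the AD group name Wireless-Users and the authorization profile names are assumptions.

```python
from dataclasses import dataclass

# Attribute names follow the ISE dictionary names quoted in the thread; the issuer DN,
# AD group and authorization profile names are constructed for this example.
INTERNAL_CA = "CN=Corp-Issuing-CA,DC=example,DC=local"
BOTH_OK = "User succeeded and machine succeeded"  # EapChainingResult wording from the thread

@dataclass
class Session:
    eap_method: str                       # Network Access:EapAuthentication
    cert_issuer: str                      # issuer of the presented client certificate
    cert_cn: str                          # CN used for the AD lookup (see thread)
    chaining_result: str = "No chaining"  # Network Access:EapChainingResult
    ad_groups: tuple = ()                 # constructed result of the AD lookup on cert_cn

def corp_pc_rule(s: Session) -> bool:
    # TEAP with both machine and user passed, and the user (by CN) in the AD group.
    return (s.eap_method == "TEAP" and s.chaining_result == BOTH_OK
            and "Wireless-Users" in s.ad_groups)

def corp_mobile_rule(s: Session) -> bool:
    # EAP-TLS only, and only certificates issued by the internal CA.
    return s.eap_method == "EAP-TLS" and s.cert_issuer == INTERNAL_CA

# First match top-down, like an ISE policy set; the last rule is the default.
RULES = [("Corp-PC-TEAP", corp_pc_rule, "PermitAccess"),
         ("Corp-Mobile-EAP-TLS", corp_mobile_rule, "Mobile-Access"),
         ("Default", lambda s: True, "DenyAccess")]

def authorize(s: Session) -> tuple:
    """Return (rule name, authorization profile) for the first matching rule."""
    for name, cond, profile in RULES:
        if cond(s):
            return name, profile

# Constructed sessions.
managed_pc = Session("TEAP", INTERNAL_CA, "alice", BOTH_OK, ("Wireless-Users",))
# The thread's opening question: alice's user cert copied to a PC that has no machine
# cert. TEAP still runs, but the machine half of the chain fails.
copied_cert_pc = Session("TEAP", INTERNAL_CA, "alice", "User succeeded and machine failed",
                         ("Wireless-Users",))
corp_phone = Session("EAP-TLS", INTERNAL_CA, "alice-phone")
foreign_ca_phone = Session("EAP-TLS", "CN=Some-Other-CA", "alice-phone")

if __name__ == "__main__":
    for label, s in [("managed PC", managed_pc), ("copied-cert PC", copied_cert_pc),
                     ("corp phone", corp_phone), ("foreign-CA phone", foreign_ca_phone)]:
        print(f"{label:17} -> {authorize(s)}")
```

Running it shows the copied-certificate PC failing the chaining check, while the same user certificate presented over plain EAP-TLS would still satisfy the mobile rule, because an issuer condition cannot tell a phone from a PC. That is why the answers above tie the EAP-TLS rule to which supplicants are configured for it and to whether users can export their certificates at all.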

athan1234
Level 3

Thanks @Rob Ingram

Apparently he has Intune as MDM.