Smartphone Authentication via EAP-TLS on Cisco ISE

rafaelsalvinos

Hey guys!

I am studying a demand to enable smartphone authentication on the BYOD network, with authentication via EAP-TLS on Cisco ISE.

I have experience in previous projects, where I configured EAP-TLS authentication for computers, which received a personal certificate via GPO, generated by the Internal CA, a certificate that makes up the ISE's chain of trusted certificates.

Could you tell me how I can enable smartphone authentication through a certificate, authenticating with Cisco ISE?

Note: My Internal CA is not capable of generating certificates for smartphones.

Is ISE capable of generating a certificate to authenticate smartphones? If not, what would be the alternative to enable this method of smartphone authentication in ISE?

Ruben Cocheno

@rafaelsalvinos 

Below is the best prescriptive guide for BYOD on ISE, and it will give you all you need and more.

https://ciscocustomer.lookbookhq.com/iseguidedjourney/ise-byod-certificates

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

Yes, ISE is capable of doing this by configuring the BYOD onboarding portal. That will allow the corporate users to use their own devices when they connect to wireless. In this case ISE will be acting as your internal CA, but only to issue certificates for the BYOD users, and it will also allow you to configure an "onboarding" profile that will take care of configuring their personal devices with the right wireless settings.

However, please note that Android devices would need to download the network setup assistance software from Google Play before they are onboarded. During the onboarding process they will get a page with the link to download the software. There is no need to do any manual download with Apple devices.

Also, please note that BYOD in ISE could be configured with single or dual SSIDs. If you have guest users that would need to use the same portal, then dual SSIDs would be the best option. Although both guests and BYOD users would start with the same SSID, the BYOD users will be taken to a different SSID once they complete the onboarding. However, if there are no guests that would need to leverage this service, then a single SSID would do the trick.

As you can see from the link provided by @Ruben Cocheno, this is one of the biggest topics in ISE and requires a bunch of configuration to be done before the flow is ready to serve the users. However, here are the four videos provided by labminutes.com (one of my favourite study/upskilling sources) that should cover everything for you:

How to Configure ISE 3.0 BYOD Wireless Onboarding (Single SSID Dual SSID) (Part 1) (labminutes.com)

How to Configure ISE 3.0 BYOD Wireless Onboarding (Single SSID Dual SSID) (Part 2) (labminutes.com)

How to Configure ISE 3.0 BYOD Wireless Onboarding (Single SSID Dual SSID) (Part 3) (labminutes.com)

How to Configure ISE 3.0 BYOD Wireless Onboarding (Single SSID Dual SSID) (Part 4) (labminutes.com)

Also, Cisco U (u.cisco.com) provides excellent ISE training that also covers the BYOD flow alongside all the other ISE portals and flow types. The course is called "Implementing and Configuring Cisco Identity Services Engine".

Hi @Aref Alsouqi, thank you very much for the tips, they were very helpful. I'm trying to generate the certificate, using ISE as the internal CA, however, I'm getting this error when I create a certificate. Do you have any idea what the problem could be?

You're welcome. How did you get to this portal page? Did you click on the test portal link from within the portal settings, or did you go via its FQDN? If you'd done it via the test portal link, it wouldn't work, I think. However, if you'd done it via its FQDN, then please check if the internal CA services are showing green under Administration > System > Certificates > Certificate Authority > Internal CA Settings. If they are up and running as expected, please share the "Certificate_Endpoint_Test_2024" certificate template for review.

Hi @Aref Alsouqi 
The internal CA services were showing as running (green) when I checked in Internal CA Settings, however, I noticed that in "Certificate Authority Certificates", it was not showing any certificates, so I generated a new root certificate chain, following these steps in this document:

Choose Administration > System > Certificates > Certificate Management > Certificate Signing Requests.

Click Generate Certificate Signing Requests (CSR).

Select ISE Root CA from the Certificate(s) will be used for drop-down list.

Click Replace ISE Root CA Certificate Chain.

https://www.cisco.com/c/pt_br/support/docs/security/identity-services-engine-30/217161-ca-service-and-est-service-on-ise.html

After this procedure, I was able to generate the certificate. I have already installed the certificate generated on my smartphone and tomorrow when I am at the company I will take the EAP-TLS authentication test to join the BYOD wireless network.

Thank you very much for your support, it was essential for the resolution.

Hi Rafael, glad I could help, and thanks for sharing your findings.

rafaelsalvinos

Hi @Aref Alsouqi

I generated an endpoint certificate provisioned through the ISE portal and installed it on the Android 11 smartphone with the same MAC as the generated certificate.

I also installed the CA ISE certificates on the smartphone:
- Certificate Services Root CA
- Certificates Node CA
- Certificates Services Endpoint Sub CA.

I configured the wireless network on the smartphone:
Security: WPA/WPA2/WPA3-Enterprise
EAP Method: TLS
Identity: <I entered the same user used on the ISE certificate portal>
CA Certificate: Certificate Services Root CA
Note: I also did a test pointing to Certificates Services Endpoint Sub CA.
User certificate: <Endpoint certificate generated in the ISE certificate provisioning portal>

I selected the option to use the device's MAC instead of Random MAC.

Still, I was unsuccessful in authentication, I got the following errors, according to the ISE log:

Hello Rafael,

I'm not an Android guy (smiley face), so please bear with me. The error is clearly stating that the client can't trust ISE local cert. Who is the issuer of the certificate installed in ISE for EAP services?

Hello @Aref Alsouqi 

No problem my friend, you've helped me a lot so far.
The certificate issuer installed in ISE for EAP services is Thawte, an external CA.
I understand that in this case I need to install Thawte's Root CA and Intermediate CA certificate on the smartphone, so that it is possible to authenticate via EAP-TLS, correct?

Yes, that's correct. Otherwise, when ISE presents its certificate, which has been issued by Thawte, the smartphone won't trust it unless you import its issuer and associate it with the SSID profile. Best practice is to import the whole chain; however, I think it would be enough to import the Thawte root CA cert into the smartphone, also because I think in Android you can select only a single CA certificate in the SSID profile.
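
The trust mismatch diagnosed in the last replies, reproduced with a throwaway lab PKI as an added example (not part of the original thread). The CA and certificate names are constructed stand-ins: `public-ca` for the external CA that issued the ISE EAP certificate and `ise-endpoint-ca` for the ISE internal CA that issued the phone's certificate; it assumes the `openssl` CLI is installed.

```bash
#!/bin/sh
# Constructed lab PKI; every name here is a stand-in, not a value from the thread.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed root CA (NAME.key / NAME.pem).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue CA NAME: create a leaf certificate NAME signed by CA.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 30 \
    -out "$WORK/$2.pem" 2>/dev/null
}

# trusts ANCHOR LEAF: succeeds only if LEAF chains to ANCHOR.
trusts() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# phone_check PROFILE_CA: what the supplicant decides about the server's
# EAP certificate when PROFILE_CA is selected in the SSID profile.
phone_check() {
  if trusts "$1" ise-eap-server; then echo accept; else echo reject; fi
}

# server_check: what the RADIUS server decides about the phone's certificate
# when it trusts the endpoint CA for client authentication.
server_check() {
  if trusts ise-endpoint-ca phone-client; then echo accept; else echo reject; fi
}

make_ca public-ca          # stand-in: external CA that issued the EAP server cert
make_ca ise-endpoint-ca    # stand-in: internal CA that issued the phone's cert
issue public-ca ise-eap-server
issue ise-endpoint-ca phone-client

echo "profile CA = ise-endpoint-ca -> phone: $(phone_check ise-endpoint-ca)"
echo "profile CA = public-ca       -> phone: $(phone_check public-ca)"
echo "server validating phone cert -> $(server_check)"
```

The two directions of EAP-TLS use different trust anchors: the CA selected in the phone's SSID profile must be the issuer of the server's EAP certificate, while the server only needs to trust the CA that issued the phone's certificate.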