Dear all,
I recently installed the operating system version for Cisco ISE 3.2 Patch3, on my deployment(Two Nodes)
And I tried to configure authentication for PCs and users, using the TEAP protocol.
With internal method of EAP-TLS type.
The authentication phase works correctly, the Windows 10 test PC accesses the network using TEAP(EAP-TLS). The user does the same thing, even if a username and password is used to access the domain, via Kerberos5 towards the Domain Controllers.
I configured a very simple authentication rule:
The Authorization roules are:
These policy sets are very simple, I'm using them to try to understand how the authorization process works on users.
With the above Authorization rules, if the user fails to authenticate to ISE using EAP-TLS, he can still access the PC with the domain user and password, and therefore access the network. If I want to avoid this situation how should I configure the authorization roules?
I tried putting Deny as result profile instead of permit, and in this case when the PC has started and has already authenticated to the network (EAP-TLS) and remains on the login screen waiting for user credentials, it is blocked by the ISE.
If you log in with a user with a valid certificate, the ISE unlocks access to the PC network. But this only works if the user already has a profile defined on the PC.
If it is a first access, and therefore there is no user profile on the PC, the machine access to the network remains blocked, with a deadlock.
Can you help me pls?
Bye,
JF.
Accepted Solutions
