08-09-2017 01:32 AM - edited 03-11-2019 12:55 AM
Hello
My understanding of 802.1x certificate authentication: You can only authenticate if your device has a certificate minted by the same Trusted CA on the ISE Node.
Is this correct?
I have some confusion about how my ISE is working. At the moment Wired and Wireless Dot1x works completely fine.
The auth rule is:
if Wireless 802.1X - Use: AD and CAP.
Authz rule is:
if Wireless 802.1X AND AD Group = Domain Computers - Allow access
This works completely fine. I assumed it worked fine because every device has a certificate on it from our AD. However, if I make a duplicate rule and set it to Domain USERS instead of Computers and connect to our WiFi on a device that DOESN'T have one of our AD certificates (like an iPad or iPhone), as long as the credentials are correct, it allows access.
Why is this happening? Even though the credentials are correct, it doesn't have our AD certificate, so it should still deny the access attempt - unless my understanding of 802.1x is completely wrong? When I do connect on an iPad it does ask me to accept the ISE node's local certificate. This was also minted by AD and we selected the checkbox for EAP and HTTPS when we imported it. Is this where we've gone wrong? Is it just allowing access because this device now has a certificate minted by our AD CA after accepting it? Should we re-import with 'EAP: Use certificate for EAP protocols that use SSL/TLS tunneling' unchecked, or will this break all authentications completely?
Thanks in advance for your help.
08-09-2017 05:43 PM
From what it looks like, you seem to be using PEAP as the dot1x authentication protocol. This builds a TLS tunnel to provide a secure mechanism for EAP exchanges. PEAP does not require you to have a client-side certificate; only the server-side certificate (the one issued to ISE) needs to be trusted by the client. PEAP is enabled by default under the "Default Network Access" protocols, so that's why this may be working for you.
It feels like you want to be using EAP-TLS, which authenticates both client-side and server-side certificates to build the secure TLS channel. If your setup is correct, you should be able to enable only EAP-TLS as the protocol (under the Authc rule) and see that it works. I would recommend testing this on a separate policy (for a test switch alone) before moving this to production.
Hope this helps.
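The reply above distinguishes PEAP (only the ISE server certificate is verified; the client proves itself with a password inside the tunnel) from EAP-TLS (the client presents its own certificate). A quick way to check which of the two is actually admitting users is to classify successful authentications by their EAP inner method. The script below is an added example for this thread, not Cisco's code or ISE output: the log lines are constructed in a simplified key=value layout, and the attribute names (UserName, EapTunnel, EapAuthentication, IdentityGroup) are assumed, so adapt the parser to whatever export format you pull from your own ISE reports.

```python
import re
from collections import Counter

# Constructed sample records (simplified key=value layout; NOT a real ISE export).
# Field names are assumptions chosen for this example.
SAMPLE_LOG = """\
2017-08-09 01:10:03 Passed-Authentication UserName=CORP\\LAPTOP-01$ EapTunnel=- EapAuthentication=EAP-TLS IdentityGroup=Domain Computers
2017-08-09 01:11:44 Passed-Authentication UserName=CORP\\jsmith EapTunnel=PEAP EapAuthentication=EAP-MSCHAPv2 IdentityGroup=Domain Users
2017-08-09 01:12:10 Passed-Authentication UserName=CORP\\mlee EapTunnel=PEAP EapAuthentication=EAP-TLS IdentityGroup=Domain Users
2017-08-09 01:13:02 Failed-Authentication UserName=CORP\\guest EapTunnel=PEAP EapAuthentication=EAP-MSCHAPv2 IdentityGroup=-
"""

# One record: timestamp, result keyword, then space-separated key=value attributes.
RECORD_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<result>Passed-Authentication|Failed-Authentication) (?P<attrs>.*)$"
)
# Values may contain spaces (e.g. "Domain Computers"), so match lazily up to the next " key=".
ATTR_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_record(line):
    """Return a dict for one log line, or None if the line does not look like a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": m.group("ts"), "result": m.group("result")}
    rec.update(dict(ATTR_RE.findall(m.group("attrs"))))
    return rec


def credential_type(rec):
    """Classify what the client actually proved: a certificate (EAP-TLS) or a password."""
    inner = rec.get("EapAuthentication", "")
    if inner == "EAP-TLS":
        return "certificate"
    if inner in ("EAP-MSCHAPv2", "EAP-GTC"):
        return "password"
    return "unknown"


def summarize(log_text):
    """Count successful authentications per (identity group, credential type)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["result"] == "Passed-Authentication":
            counts[(rec.get("IdentityGroup", "-"), credential_type(rec))] += 1
    return counts


def password_only_successes(log_text):
    """Identities granted access without presenting a client certificate."""
    return sorted(
        rec["UserName"]
        for rec in map(parse_record, log_text.splitlines())
        if rec
        and rec["result"] == "Passed-Authentication"
        and credential_type(rec) == "password"
    )


if __name__ == "__main__":
    for (group, cred), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{group:18} {cred:12} {n}")
    print("password-only successes:", password_only_successes(SAMPLE_LOG))
```

In the constructed sample, the domain computer got in with EAP-TLS while one Domain Users entry got in over PEAP with a password-only inner method; that second category is exactly the iPad-style case described in the question, and it is the one that disappears once PEAP is no longer an allowed protocol for that rule.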
08-10-2017 12:51 AM
Hi Rahul
Thanks for your response. The Authc rule has EAP-TLS and PEAP enabled. Under the PEAP section (PEAP Inner Methods) there is a checkbox for Allow EAP-TLS, which is ticked. Does this still not enable client- and server-side authentication?