What certificate is ISE using/How have I connected?

Dan
Level 1

Hello

My understanding of 802.1x certificate authentication: You can only authenticate if your device has a certificate minted by the same Trusted CA on the ISE Node.

Is this correct?

I have some confusion about how my ISE is working. At the moment Wired and Wireless Dot1x works completely fine.

The auth rule is:

if Wireless 802.1X - Use: AD and CAP.

Authz rule is:

if Wireless 802.1X AND AD Group = Domain Computers - Allow access

This works completely fine. I assumed it worked fine because every device has a certificate on it from our AD. However, if I make a duplicate rule and set it to Domain USERS instead of Computers and connect to our WiFi on a device that DOESN'T have one of our AD certificates (like an iPad or iPhone), as long as the credentials are correct, it allows access.

Why is this happening? Even though the credentials are correct, it doesn't have our AD certificate, so it should still deny the access attempt - unless my understanding of 802.1x is completely wrong? When I do connect on an iPad it does ask me to accept the ISE node's local certificate. This was also minted by AD and we selected the checkbox for EAP and HTTPS when we imported it. Is this where we've gone wrong? Is it just allowing access because this device now has a certificate minted by our AD CA after accepting it? Should we re-import with 'EAP: Use certificate for EAP protocols that use SSL/TLS tunneling' unchecked, or will this break all authentications completely?

Thanks in advance for your help.

2 Replies

Rahul Govindan
VIP Alumni

From what it looks like, you seem to be using PEAP as the dot1x authentication protocol. This builds a TLS tunnel to provide a secure mechanism for EAP exchanges. PEAP does not require you to have a client-side certificate; only the server-side certificate (the one issued to ISE) needs to be trusted by the client. PEAP is enabled by default under the "Default Network Access" protocols, so that's why this may be working for you.

It feels like you want to be using EAP-TLS - which authenticates both client- and server-side certificates to build the secure TLS channel. If your setup is correct, you should be able to enable only EAP-TLS as the protocol (under the Authc rule) and see that it works. I would recommend testing this on a separate policy (for a test switch alone) before moving this to production.

Hope this helps.

Hi Rahul

Thanks for your response. The Authc rule has EAP-TLS and PEAP enabled. Under the PEAP section (PEAP Inner Methods) there is a check box for Allow EAP-TLS, which is ticked. Does this still not enable client and server side authentication?
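The point Rahul makes above, and the follow-up question about the PEAP inner-method checkbox, both come down to one thing a defender can verify from the logs: whether a session's EAP method actually required a client certificate. Bare EAP-TLS and EAP-TLS as a PEAP inner method both do; PEAP or EAP-FAST with an EAP-MSCHAPv2 inner method only verifies the server certificate, and as long as such a password inner method stays allowed, credential-only devices will keep passing. The script below is an added example, not code from this thread or from Cisco ISE: it classifies passed-authentication records by tunnel and inner method and lists the identities that got on the network with only a password. The log lines are constructed, and the attribute names (UserName, EapTunnel, EapAuthentication) are assumed to follow the fields ISE shows in its authentication detail report.

```python
import re
from collections import Counter

# Constructed sample of ISE-style passed-authentication records (not real logs).
# Field names are assumed to match the attributes ISE exposes in its
# authentication detail report.
SAMPLE_LOG = """\
2024-05-01 09:00:01 CISE_Passed_Authentications UserName=host/LAPTOP01.corp.example, EapTunnel=PEAP, EapAuthentication=EAP-MSCHAPv2, SelectedAccessService=Default Network Access
2024-05-01 09:00:07 CISE_Passed_Authentications UserName=host/LAPTOP02.corp.example, EapAuthentication=EAP-TLS, SelectedAccessService=Default Network Access
2024-05-01 09:01:15 CISE_Passed_Authentications UserName=jdoe, EapTunnel=PEAP, EapAuthentication=EAP-MSCHAPv2, SelectedAccessService=Default Network Access
2024-05-01 09:02:40 CISE_Passed_Authentications UserName=host/LAPTOP03.corp.example, EapTunnel=PEAP, EapAuthentication=EAP-TLS, SelectedAccessService=Default Network Access
2024-05-01 09:03:02 CISE_Passed_Authentications UserName=asmith, EapTunnel=EAP-FAST, EapAuthentication=EAP-MSCHAPv2, SelectedAccessService=Default Network Access
"""

# key=value pairs separated by commas; values may contain spaces and slashes
KV_RE = re.compile(r"(\w+)=([^,]+)")


def parse_record(line):
    """Return the key=value attributes of one log line as a dict."""
    return {key: value.strip() for key, value in KV_RE.findall(line)}


def classify(attrs):
    """Label the EAP method and report whether a client certificate was required.

    Returns (label, client_cert_used).
    """
    tunnel = attrs.get("EapTunnel")
    inner = attrs.get("EapAuthentication")
    if inner == "EAP-TLS":
        # EAP-TLS, bare or as a PEAP inner method, always presents a client certificate
        label = f"{tunnel}(EAP-TLS)" if tunnel else "EAP-TLS"
        return label, True
    if tunnel and inner:
        # Tunnelled password method: only the server certificate was verified
        return f"{tunnel}-{inner}", False
    return "unknown", False


def audit(log_text):
    """Count sessions per method and list identities that authenticated with only a password."""
    counts = Counter()
    password_only = []
    for line in log_text.splitlines():
        if "CISE_Passed_Authentications" not in line:
            continue
        attrs = parse_record(line)
        label, cert_used = classify(attrs)
        counts[label] += 1
        if not cert_used:
            password_only.append(attrs.get("UserName", "?"))
    return counts, password_only


if __name__ == "__main__":
    counts, password_only = audit(SAMPLE_LOG)
    for label, n in counts.most_common():
        print(f"{label:<24} {n}")
    print("password-only sessions:", password_only)
```

Run against an export of real passed-authentication records, a non-empty password-only list for an endpoint population that is supposed to be certificate-only tells you that a password inner method is still reachable through the allowed-protocols set, independently of whether EAP-TLS is also enabled.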