
Windows EAP-TLS with machine cert only?

Leroy Plock

Hey all. Seems like this should be an easy question, but after doing some reading, I'm still a little confused.

Can I authenticate a Windows computer against ISE using EAP-TLS with a computer-only certificate and stay authorized when the user logs in? Or will it always try to authorize the user when they log in and break the connection if that fails?

Thanks for any clues.


You can stay logged in with the computer cert and not reauth. The setting to reauth is done on the supplicant you are using. Are you using Windows native or AnyConnect as the supplicant for 802.1x?

Thanks, Nicholas.

We've been using the native Windows but will be moving to AnyConnect.

On the native client you can set the settings for 802.1x for the wireless settings of that Network for computer auth. It should only use the computer settings to authenticate and shouldn't change upon user login.

If using the AnyConnect client, download the profile editor and configure the network through that, and you can modify all sorts of settings, one being for computer auth or user auth and to allow the connection to be extended beyond log off.

Generally if you have it for computer auth the machine will authenticate prior to logon and shouldn't change based off login or logout of the machine.
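
To check which mode the native Windows supplicant discussed above is actually configured for, the exported profile XML can be inspected. This is an added example, not part of the original thread; the sample profile, its SSID and the `Get-OneXAuthMode` function name are constructed for illustration.

```powershell
# Constructed sample: trimmed output of `netsh wlan export profile folder=<dir>`.
# The SSID "CorpWiFi" is made up for this example.
$sampleProfile = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <MSM><security>
    <authEncryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machine</authMode>
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod>
          <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
        </EapMethod>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
'@

function Get-OneXAuthMode {
    param([Parameter(Mandatory)][string]$ProfileXml)

    $doc = [xml]$ProfileXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('x', 'http://www.microsoft.com/networking/OneX/v1')
    $ns.AddNamespace('c', 'http://www.microsoft.com/provisioning/EapCommon')

    # local-name() so the same lookup works for WLANProfile and LANProfile roots
    $name = $doc.SelectSingleNode("/*/*[local-name()='name']").InnerText
    $oneX = $doc.SelectSingleNode('//x:OneX', $ns)
    if (-not $oneX) { return }          # open/PSK profile: no 802.1X settings

    # Assumption: a profile without <authMode> behaves as machineOrUser,
    # i.e. the supplicant re-authenticates with user credentials at logon.
    $modeNode = $oneX.SelectSingleNode('x:authMode', $ns)
    $mode     = if ($modeNode) { $modeNode.InnerText } else { 'machineOrUser' }
    $typeNode = $oneX.SelectSingleNode('.//c:Type', $ns)
    $eapType  = if ($typeNode) { [int]$typeNode.InnerText } else { $null }

    [pscustomobject]@{
        Profile     = $name
        AuthMode    = $mode
        EapType     = $eapType          # 13 = EAP-TLS
        MachineOnly = ($mode -eq 'machine')
    }
}

Get-OneXAuthMode -ProfileXml $sampleProfile
```

For live profiles, export them with `netsh wlan export profile folder=<dir>` (or `netsh lan export profile folder=<dir>` for wired) and pass each file's content to the function via `Get-Content -Raw`.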

Thanks, that's what I thought, but the more I read the more I was confused. As a follow-up question, can you explain what EAP Chaining is? Does it apply to EAP-TLS or only EAP-FAST?

Hello Leroy-

EAP Chaining (Official name: EAP-TEAP [RFC-7170]) is a method that allows a supplicant to perform both machine and user authentication. In ISE, EAP-Chaining is enabled under the "EAP-FAST" protocol. For more info, check out the following links:

Cisco TrustSec Guide:

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

RFC:

https://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01

 

Thank you for rating helpful posts!
