Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1340
Views
0
Helpful
4
Replies

Best way to run 802.1x with Linux workstations

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎04-29-2019 11:05 AM - edited ‎02-21-2020 11:04 AM

I am currently gathering information on whether or not implementing 8021x on a small footprint of linux hosts mostly running Centos is worth the squeeze. Since linux hosts are unable to work like windows machines using auto-enrollment etc. in my experiences I have simply used mab for linux workstations. Also, I have noticed that my test workstation running centos 7.X is not capable of running peap(eap-tls).

A few questions I have for the community:

I have seen manual ways of doing certificate enrollment. Does anyone know of a way to automate the enrollment?
What is the best way to configure the linux image if I am unable to automate the enrollment?

I would prefer to use peap(eap-tls) or eap-fast(eap-tls), but obvioulsy eap-fast is out of the picture since I cannot run NAM on the workstations. It also seems that peap(eap-tls) is a no go as well. Please share your opinions and experiences. Thanks in advance.

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Arne Bier

‎04-29-2019 05:23 PM

Yes the certificate provisioning portal and APIs

No ise byod onboarding automation works with windows Mac OS X Apple iOS chrome and android

There is nothing automating for Linux, you will need to investigate if another vendor does that thru a management platform

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Arne Bier
VIP
VIP

‎04-29-2019 02:39 PM

Hey @Mike.Cifelli 

 

Have a look for WPA Supplicant (wpa_supplicant) - it's usually a config file that contains the supplicant configuration and varies by EAP method.  It has pointers to the client/server certs etc.  It's one way of doing it - I have not seen any GUI Supplicant configs in Linux - maybe the newer Ubuntu distro has it (19.04) ?

 

I thought a decent MDM might also do the job?

 

cheers

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Arne Bier

‎04-29-2019 02:45 PM

You can use ise internal CA scripting to roll your own but there isn’t a document for that
0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to Jason Kunst

‎04-29-2019 03:16 PM

Hi @Jason Kunst  - you are referring to client certificate self-service portal ?  Yes I probably should have mentioned that as well.  This will help you request a client cert - but I think the output will be a cert and a private key - these components need to be installed on the client device and then the supplicant configured to use this cert.  I have not looked into whether the ISE CA self-serv portal has anything to do with the client install itself.

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Arne Bier

‎04-29-2019 05:23 PM

Yes the certificate provisioning portal and APIs

No ise byod onboarding automation works with windows Mac OS X Apple iOS chrome and android

There is nothing automating for Linux, you will need to investigate if another vendor does that thru a management platform
0 Helpful
Customers Also Viewed These Support Documents