Cisco ISE - eap-peap and eap-tls

uzleuven1
Level 1

Hi,

Does anybody have an example of an ISE authentication policy where authentication requests coming from a WLC can be handled by TLS and PEAP?

I don't seem to get that working; I do, however, make the ISE application crash with my config, which is not the idea.

If PEAP, use this identity source; if TLS, use 'this certificate authentication profile'.

Thx

1 Accepted Solution

Accepted Solutions

jrabinow
Level 7

Do not need to do this in policy

Can create an identity sequence and include within it both a certificate authentication profile and an identity store

Administration > Identity Management > Identity Source Sequences

Can then select and define a Certificate authentication profile for certificate-based authentication and an Authentication Search list

9 Replies

Hi there,

I am also having a problem with Certificates.

Can I understand what certificates should go where?

Currently, I have a signed certificate from my internal CA for the ISE. That has been imported and bound, and works fine when navigating to HTTPS://

On the client, I have a signed certificate from the CA also, which has been imported, and I can see it in the local certificate store under the Personal folder.

Should I need any other certificates on the machine or the ISE to get EAP-TLS working?

I am trying to authenticate the machine and the user currently logged on. Users do NOT have a cert, only the machine does. Do the users need a cert for EAP-TLS too?

thanks

Mario

Hi Mario.

Did you get this to work? I also am trying to use a machine cert to authenticate the device and username/password for the user.

Hi, yes, I got this to work by using 2 authentication policies in the ISE. 1 policy was for the machine auth and allows EAP-TLS ONLY and uses a cert profile as identity source. Then a second policy was created for user auth and allows EAP-PEAP ONLY and uses my AD as an identity source.

Try that... It's a while since I played with it now. But I can lab it up again if you get stuck.

Thanks

Mario

Thanks, I'll try it. At the moment I got PEAP only to work. Now I am setting up EAP-TLS, getting a cert error, but I think I forgot to import a cert to ISE. My main concern at the moment is how to get the client machines to do both EAP methods. My test machine is Windows Vista and I can only get it to do machine or user authentication in the wireless profile, not both.

I got EAP-TLS working for the machine cert. Now I just have to combine them.

But I am not sure I got the concept right. I'll insert print screens below. I am not getting a hit on the authorization rule.
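The certificate questions in this thread (which certificates go where for EAP-TLS, and the "cert error" when a CA cert has not been imported into ISE) come down to a few checks that can be run with the openssl CLI before touching the policy. The script below is an added example, not code from the thread or from Cisco: it builds a throwaway lab PKI (all names such as "Lab Internal CA", ise.lab.local and pc1.lab.local are constructed) and checks that the ISE identity certificate carries the server-authentication EKU and chains to the internal CA, that the machine certificate carries the client-authentication EKU and chains to the same CA, and that a machine certificate issued by a CA that ISE has not been given as a trusted certificate is rejected.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): a throwaway lab PKI
# built with the openssl CLI to check the three things that most often
# break EAP-TLS / PEAP against ISE:
#  1. the ISE identity cert chains to the internal CA and carries the
#     "TLS Web Server Authentication" EKU (needed for PEAP and EAP-TLS);
#  2. the machine cert chains to a CA ISE trusts and carries the
#     "TLS Web Client Authentication" EKU (needed for EAP-TLS);
#  3. a machine cert from a CA that ISE does not trust is rejected even
#     though its EKU is right (the "forgot to import a cert to ISE" case).
# All CA and host names below are constructed for the lab.
set -e
WORK=$(mktemp -d)

# Minimal req config so the script does not depend on a system openssl.cnf;
# the v3ca section marks the generated root as a CA.
printf '[req]\ndistinguished_name=dn\n[dn]\n[v3ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/req.cnf"

# build_ca NAME CN : self-signed CA key pair in $WORK/NAME.key and $WORK/NAME.pem
build_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3ca \
    -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_cert CA NAME SUBJECT EKU : leaf cert signed by $WORK/CA.pem with the given EKU
issue_cert() {
  ca=$1; name=$2; subj=$3; eku=$4
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.pem" >/dev/null 2>&1
}

# check_cert CERT TRUSTED_CA EKU_TEXT : 0 if CERT chains to $WORK/TRUSTED_CA.pem
# and its Extended Key Usage lists EKU_TEXT, 1 otherwise
check_cert() {
  openssl verify -CAfile "$WORK/$2.pem" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -text | grep -q "$3"
}

# The lab: one CA that both ISE and the clients trust, plus a second CA
# that has NOT been imported into ISE's trusted certificates.
build_lab() {
  build_ca ca "Lab Internal CA"
  build_ca rogue "Other CA not imported into ISE"
  issue_cert ca ise "/CN=ise.lab.local" serverAuth
  issue_cert ca machine "/CN=pc1.lab.local" clientAuth
  issue_cert rogue stray "/CN=pc2.lab.local" clientAuth
}

# Each check returns 0 on the outcome a working EAP-TLS / PEAP setup needs.
ise_cert_ok()         { check_cert "$WORK/ise.pem" ca "TLS Web Server Authentication"; }
machine_cert_ok()     { check_cert "$WORK/machine.pem" ca "TLS Web Client Authentication"; }
# The server cert must not pass as a client cert ...
ise_cert_not_client() { ! check_cert "$WORK/ise.pem" ca "TLS Web Client Authentication"; }
# ... and a client cert from the un-imported CA must fail the chain check.
stray_cert_rejected() { ! check_cert "$WORK/stray.pem" ca "TLS Web Client Authentication"; }

report() { if "$1"; then echo "PASS $1"; else echo "FAIL $1"; fi; }

build_lab
for c in ise_cert_ok machine_cert_ok ise_cert_not_client stray_cert_rejected; do
  report "$c"
done
```

Against a real deployment, replace the generated files with the exported ISE system certificate, the machine certificate from the client's Personal store, and the CA certificate that was imported into ISE as a trusted certificate; the same CA also has to be in the client's Trusted Root store, since the supplicant validates the ISE certificate during PEAP.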

OK,

so I have just fired up my lab and I actually created an Identity Sequence which contained my AD & my certificate profile.

The authentication policy was allowing EAP-TLS & EAP-PEAP.

I then created 2 authorization rules, 1 for users and 1 for machines permitting access based on windows AD group.

What I found out was that the Windows 802.1X supplicant can only support 1 method of authentication, so if you want this to work properly, you need a different supplicant. I think Cisco do a more advanced one, not sure. You can then specifically choose that for machine auth you use EAP-TLS and for user auth you use EAP-PEAP.

In my setup, machine auth ONLY happens when the user logs off the machine and it is sitting at Ctrl+Alt+Del, so that it can still talk to the network and get all relevant updates etc. I found that not only did the machine authenticate using EAP-PEAP, it also authenticated using TLS... I think that is because of the wireless settings I had. I chose EAP-PEAP for the wireless settings.

When the user then logs in, the user account authenticates using EAP-PEAP. I don't think you can authenticate both the logged-on user and the machine at the same time. Not with the native Windows supplicant anyway. Windows either sends an authentication request for the user or the machine, but not both.

Hope that helps.

Mario

Yes, that helped a lot! Thank you. Will try to see if I can get it to work now.

Sure, let me know how it goes and rate the post if you have time.

thanks!

Mario
