cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3711
Views
0
Helpful
10
Replies

Dot1x plus certificate authentication in ISE

Pranav Gade
Level 1
Level 1

Dear all,

Can any one help me out for configuring Dot1x plus  certificate authentication in ISE box. We are having ISE 3315 with 1.1.1  version where in we need to configure certificate base authentication.  The idea behind is we want to restrict the access to device which not  belong to company asset means personal asset of employee need to restrict if they try to connect the company network.

How we can configure dot1x plus certificate base authentication in cisco ise box?

Can any one help me out to resolve this kind of issue?

Thanks

Pranav

1 Accepted Solution

Accepted Solutions

Pranav,

Here are the steps in activating/verfying if machine authenticaiton is enabled on Win7 clients:

http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/5e1bbaa4-9dad-40da-8e53-a7d67e17c20b/

Also here are the steps in configuring the cache timer for machine access restriction in ISE

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.html#wpxref37158

Here is some background about how ISE enforces machine access restriction:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_authz_polprfls.html#wp1116684

In your authorization policy for domain users you will have to add the condition for "was machine authenticated" and set that to true.

Tarik Admani
*Please rate helpful posts*

View solution in original post

10 Replies 10

Tarik Admani
VIP Alumni
VIP Alumni

Pranav,

Have you considered machine authentication + user authentication? You can acheive the same results without having to deploy eap-tls and certs if you havent already. For your user authentication you can add the condition "wasmachineauthenticated" to your session. Are you allow these same users to gain access with personal mobile devices?

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik,

Currently we are not having machine accounts with AD so still can we acheived Machine authetiction + User authentication ??

Tarik,

We are only looking for personal machine like Laptops only who will going to connect dot1x port.

If that asset is company asset then it will go to authentication,authorization process .. If its not a company asset then it will restrict the network or limitted connectivity.

It will great if you can help me out for the same or any workarround for the same.

Thanks

Pranav

Pranav,

You mentioned that the if the asset is a "company asset" then that leads me down the path that these machines are a member of your AD domain correct (domain computers group should have a entry for these machine accounts)? If so please use machine access restrictions to move past this issue.

thanks,

Tarik Admani
*Please rate helpful posts*

He Tarik ,

Thanks for your reply can you please guide me how to acheive this by using machine authentication ??

Can you please tell me the configuration step what need to do ?

Thanks

Pranav

Tarik Admani
VIP Alumni
VIP Alumni

Which OS are your machines running?

Sent from Cisco Technical Support Android App

Win 7 32/64 bit , Win Vista 32/64 bit and Win Xp 32/64 bit

Pranav,

Here are the steps in activating/verfying if machine authenticaiton is enabled on Win7 clients:

http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/5e1bbaa4-9dad-40da-8e53-a7d67e17c20b/

Also here are the steps in configuring the cache timer for machine access restriction in ISE

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.html#wpxref37158

Here is some background about how ISE enforces machine access restriction:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_authz_polprfls.html#wp1116684

In your authorization policy for domain users you will have to add the condition for "was machine authenticated" and set that to true.

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

Thanks for your reply. Just for my knowledge ,can you please provide me any documents  for having certificate authentication through ISE.

Thanks

Pranav

Machine authentication is not a dependable solution for identifying AD member computers. There are many caveats, and users will face multiple wifi issues. Most basic issue is that Windows clients can do either machine authentication or user authentication but not both during a wireless authentication process (unless you use a third party eap chaining tool such as ISE AnyConnect agent). There are other issues when cache timeout, users switching between wired and wireless, etc. 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: