ISE 2.0 - EAP-TLS user certificate auto enrollment issue over the wifi

sarwarm123
Level 1

Hi All,

We have ISE 2.0 in a production environment and are experiencing a user certificate auto-enrollment issue over the Wi-Fi. The computer downloads the user certificate from AD fine if it is connected to the wired network; however, if no user certificate is installed on the computer and a new user wants to log on to the computer, then it doesn't connect to the Wi-Fi after logging in, because the user certificate is not downloaded from AD and the error message is "user certificate required".

The authentication and authorization policy works fine if the user certificate is already installed on the computer. The problem is if a new user wants to log on to the computer and no user certificate is installed on it: then ISE only lets them log in to the computer, but they are unable to connect to the Wi-Fi network once logged in.

ISE Authentication policy - Dot1x, allowed protocol EAP-TLS, and use AD with certificate

ISE Authorization policy - User Or Computer Domain AND Session:PostureStatus EQUALS Compliant, then Permit All

5 Replies

Francesco Molino
VIP Alumni

Hi 

You're trying to download a certificate on an SSID that's configured to grant access only to authenticated users with certificates.

To do that you'll need to do a BYOD single-SSID setup.

This configuration is done on ISE and it'll allow users to authenticate with user/password with limited access (MSCHAPv2) while enrolling the certificate, and then connect back with the certificate (TLS) with full access.

I don't have any ISE server right now, that's why I'm dropping a Cisco doc. The examples are made in an older version, but it's quite the same in 2.0, even easier.

https://communities.cisco.com/docs/DOC-68160

Thanks 

PS: Please don't forget to rate and mark as correct answer if this answered your question 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

That's correct, we are unable to connect to the SSID, which is configured to use user certificates only, if the user certificate is not already installed on the machine, which also stops multiple users from connecting to the same machine. The solution you have mentioned means we have to allow PEAP & TLS as allowed protocols in the authentication policy, then in the authorization policy allow MSCHAPv2 for limited access while enrolling the certificate?

I tried this method but had an issue. I also had to modify the Wi-Fi profile on the client machine to accept PEAP; before that it was certificate only.

We also don't want the client to connect to the SSID twice, one time to allow certificate enrolment and then reconnect to have full access.

Do you think there is any other solution?

Hi 

The other solution would be to do BYOD with 2 SSIDs, or to deploy certificates through GPO for Windows machines.

Thanks 

PS : Please don't forget to rate and mark as correct answer if this answered your question 


Hi Francesco,

I have tried to set up a 2nd SSID but it didn't work. Could you please guide me on how to set up the 2nd SSID to get the user certificate?

We want this solution for Windows machines only, and all machines are company machines, so in this case the ideal solution is to deploy the certificate through GPO. But how can AD deploy the certificate if the machine is not connected to the SSID because of the missing certificate? Hope you are with me on what I am trying to say?

Hi

First of all, regarding Windows GPO for user certificate auto-enrollment, there are a lot of TechNet articles that you just need to follow. I'll paste some links but can't help you more in detail as I'm not a Windows guy.

https://technet.microsoft.com/en-us/library/cc771882(v=ws.10).aspx

https://technet.microsoft.com/en-us/library/cc770857(v=ws.10).aspx

If you want to do enrollment through your SSID, with 1 or 2, the process is the same:

- create a redirect ACL on the WLC to force non-TLS users to be redirected to the ISE BYOD portal.

- create an authorization profile, like "provisioning", redirecting to the ISE BYOD portal and applying the WLC ACL created before

- on Authorization policies, you'll have your 1st BYOD rule for all registered devices and users authenticated through TLS to get a PERMIT any

- your 2nd BYOD rule will be for all users authenticated through MSCHAPv2. They will get as result the provisioning profile created before.

Which version of ISE are you using? If 2.2, you have a wizard called "Wireless Setup". The feature is cool because it can do everything automatically and shows you the config process step by step.

Thanks

PS : Please don't forget to rate and mark as correct answer if this answered your question 

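The following is an added example, not code from the thread or from Cisco ISE: a first-match simulation of the two authorization policies discussed above, the original poster's TLS-only policy and the single-SSID BYOD policy from the replies. Rule names, the ACL name `ACL_BYOD_REDIRECT` and the session attributes are assumed for illustration.

```python
# Added example: first-match simulation of ISE authorization rules (assumed names).
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Session:
    eap: str            # "EAP-TLS" or "EAP-MSCHAPv2" (PEAP inner method)
    ad_user: bool       # user/computer found in the AD domain
    registered: bool    # endpoint already registered through the BYOD portal

@dataclass
class Result:
    rule: str
    access: str                        # "full", "limited" or "deny"
    redirect_acl: Optional[str] = None # WLC redirect ACL applied, if any

# A policy is an ordered list of (condition, result); like ISE, the first
# rule whose condition matches wins, otherwise the implicit default denies.
Policy = list[tuple[Callable[[Session], bool], Result]]

def authorize(policy: Policy, s: Session) -> Result:
    for cond, result in policy:
        if cond(s):
            return result
    return Result("Default", "deny")

# Original poster's policy: only EAP-TLS users are permitted, so a user with
# no certificate yet is denied and can never reach AD to auto-enroll one.
ORIGINAL: Policy = [
    (lambda s: s.eap == "EAP-TLS" and s.ad_user, Result("Permit All", "full")),
]

# Single-SSID BYOD policy from the replies: registered devices authenticated
# with TLS get full access; MSCHAPv2 users get the provisioning profile
# (limited access plus the WLC redirect ACL towards the BYOD portal).
BYOD_SINGLE_SSID: Policy = [
    (lambda s: s.eap == "EAP-TLS" and s.ad_user and s.registered,
     Result("BYOD_Registered_TLS", "full")),
    (lambda s: s.eap == "EAP-MSCHAPv2" and s.ad_user,
     Result("BYOD_Provisioning", "limited", redirect_acl="ACL_BYOD_REDIRECT")),
]

def first_logon(policy: Policy) -> list[str]:
    """Walk a new AD user without a certificate through first logon.
    Returns the access level granted at each step of the flow."""
    steps = []
    r = authorize(policy, Session("EAP-MSCHAPv2", ad_user=True, registered=False))
    steps.append(r.access)
    if r.redirect_acl:  # portal reachable: enroll, then re-authenticate with TLS
        steps.append(authorize(policy, Session("EAP-TLS", True, True)).access)
    return steps
```

Note that with the BYOD policy a TLS session from a device that was never registered through the portal (for example, a certificate pushed by GPO) falls through to the default deny, so a GPO-based deployment needs its own TLS rule without the registered-device condition.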