06-08-2017 01:29 PM - edited 03-11-2019 12:46 AM
Hi All,
We have ISE 2.0 in a production environment and are experiencing a user certificate auto-enrollment issue over the Wi-Fi. The computer downloads the user certificate from AD fine if it is connected to the wired network; however, if no user certificate is installed on the computer and a new user wants to log on to the computer, then it doesn't connect to the Wi-Fi after logging in, because the user certificate is not downloaded from AD and the error message is "user certificate required".
The authentication and authorization policy works fine if the user certificate is already installed on the computer. The problem is that if a new user wants to log on to a computer and no user certificate is installed on it, then ISE only lets them log in to the computer but they are unable to connect to the Wi-Fi network once logged in.
ISE Authentication policy - Dot1x, allowed protocol EAP-TLS, and use AD with certificate
ISE Authorization policy - User or Computer Domain AND Session: PostureStatus EQUALS Compliant, then Permit All
06-08-2017 05:45 PM
Hi
You're trying to download a certificate on an SSID that's configured to grant access only to authenticated users with certificates.
To do that you'll need to do a BYOD single-SSID setup.
This configuration is done on ISE, and it'll allow users to authenticate with username/password with limited access (MSCHAPv2) while enrolling the certificate, and then connect back with the certificate (TLS) with full access.
I don't have any ISE server right now, that's why I'm dropping a Cisco doc. The examples are made in an older version but it's quite the same in 2.0, even easier.
https://communities.cisco.com/docs/DOC-68160
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
06-09-2017 03:07 AM
That's correct, we are unable to connect to the SSID which is configured to use the user certificate only if the user certificate is not already installed on the machine, which also stops multiple users from connecting on the same machine. The solution you have mentioned means we have to allow PEAP & TLS as allowed protocols in the authentication policy, then in the authorization policy allow MSCHAPv2 for the limited access while enrolling the certificate?
I tried this method but had an issue. I also had to modify the Wi-Fi profile on the client machine to accept PEAP; before that it was certificate only.
We also don't want the client to connect twice to the SSID, one time to allow certificate enrolment and then reconnect to have full access.
Do you think there is any other solution?
06-09-2017 04:39 AM
Hi
The other solution would be to do BYOD with 2 SSIDs, or to deploy certificates through GPO for Windows machines.
Thanks
PS : Please don't forget to rate and mark as correct answer if this answered your question
06-13-2017 12:43 PM
Hi Francesco,
I have tried to set up a 2nd SSID but it didn't work. Could you please guide me on how to set up the 2nd SSID to get the user certificate?
We want this solution for the Windows machines only, and all machines are company machines, so in this case the ideal solution is to deploy the certificate through GPO. But how can AD deploy the certificate if the machine is not connected to the SSID because of the missing certificate? Hope you follow what I am trying to say?
06-13-2017 06:23 PM
Hi
First of all, regarding Windows GPO for user certificate auto-enrollment, there are a lot of TechNet articles that you just need to follow. I'll paste some links but can't help you more in detail as I'm not a Windows guy.
https://technet.microsoft.com/en-us/library/cc771882(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc770857(v=ws.10).aspx
If you want to do enrollment through your SSID, with 1 or 2 SSIDs the process is the same:
- create a redirect ACL on the WLC to force non-TLS users to be redirected to the ISE BYOD portal.
- create an authorization profile, e.g. "provisioning", redirecting to the ISE BYOD portal and applying the WLC ACL created before.
- in the authorization policies, you'll have your 1st BYOD rule for all registered devices and users authenticated through TLS, to get a PERMIT any.
- your 2nd BYOD rule will be for all users authenticated through MSCHAPv2. They will get as a result the provisioning profile created before.
Which version of ISE are you using? If 2.2, you have a wizard called "Wireless Setup". The feature is cool because it can do everything automatically and shows you the config process step by step.
Thanks
PS : Please don't forget to rate and mark as correct answer if this answered your question
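The rule ordering described in the reply above (registered device + EAP-TLS gets full access, MSCHAPv2 gets the provisioning/redirect profile, anything else falls through) can be checked with a small first-match policy model. The following is an added example written for this thread; it is not Cisco ISE code and not the poster's configuration. The rule names, the `ACL_BYOD_REDIRECT` ACL name, the `BYOD_Portal` name and the sample sessions are all constructed for illustration. It also walks a new user through the two connections the earlier reply objected to (MSCHAPv2 redirect first, EAP-TLS full access after enrollment), which is the behaviour a single-SSID BYOD flow produces.

```python
"""Toy first-match model of the two BYOD single-SSID authorization rules.

Rule names, the ACL/portal names and the sample sessions are constructed for
this example; they are not Cisco ISE identifiers or the thread's real config.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    username: str
    eap_method: str          # "EAP-TLS" or "EAP-MSCHAPv2" (PEAP inner method)
    device_registered: bool  # endpoint already registered through the BYOD portal


@dataclass(frozen=True)
class AuthzResult:
    rule: str
    access: str                         # "PERMIT_ALL", "REDIRECT" or "DENY"
    redirect_acl: Optional[str] = None  # WLC ACL applied with the redirect result
    portal: Optional[str] = None        # portal the non-TLS client is sent to


# Hypothetical names for the WLC redirect ACL and the ISE BYOD portal.
REDIRECT_ACL = "ACL_BYOD_REDIRECT"
BYOD_PORTAL = "BYOD_Portal"


def registered_tls(s: Session) -> bool:
    """1st BYOD rule: registered device authenticated with EAP-TLS."""
    return s.eap_method == "EAP-TLS" and s.device_registered


def mschapv2_any(s: Session) -> bool:
    """2nd BYOD rule: any user authenticated with MSCHAPv2 (no cert yet)."""
    return s.eap_method == "EAP-MSCHAPv2"


# Ordered like an ISE authorization policy: the first matching rule wins.
RULES: List[Tuple[Callable[[Session], bool], AuthzResult]] = [
    (registered_tls, AuthzResult("BYOD_Registered_TLS", "PERMIT_ALL")),
    (mschapv2_any, AuthzResult("BYOD_Provisioning", "REDIRECT",
                                REDIRECT_ACL, BYOD_PORTAL)),
]
DEFAULT = AuthzResult("Default", "DENY")


def authorize(session: Session) -> AuthzResult:
    """Return the result of the first rule whose condition matches."""
    for matches, result in RULES:
        if matches(session):
            return result
    return DEFAULT


def first_logon_flow(user: str) -> List[str]:
    """Walk a new user with no certificate through both connections."""
    # Connection 1: only username/password available, so PEAP-MSCHAPv2.
    first = authorize(Session(user, "EAP-MSCHAPv2", device_registered=False))
    # After enrollment the device is registered and holds a user certificate.
    second = authorize(Session(user, "EAP-TLS", device_registered=True))
    return [first.access, second.access]


if __name__ == "__main__":
    # Constructed sample sessions, not real RADIUS data.
    for s in (Session("alice", "EAP-TLS", True),
              Session("bob", "EAP-MSCHAPv2", False),
              Session("carol", "EAP-TLS", False)):
        r = authorize(s)
        print(f"{s.username:6} {s.eap_method:12} -> {r.rule}: {r.access}"
              f"{' acl=' + r.redirect_acl if r.redirect_acl else ''}")
    print("new user flow:", first_logon_flow("dave"))
```

The third sample (EAP-TLS with an unregistered device) falls through to the default deny, which is the case to watch when users already hold a certificate from GPO but were never registered through the portal: either relax the first rule to match on the TLS authentication alone, as the original poster's policy did, or make sure the registration step runs.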