Implementing 802.1X in network

jesse.garcia11
Level 1

We are implementing 802.1X this summer and I am reading this great Cisco white paper: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213919-configure-802-1x-authentication-on-catal.html

It goes into depth on how to configure the WLC and ISE for implementing the 802.1X network, which is what we will be using. But it does not go into any detail on certificate configuration and placement. If anyone has any good documentation or advice on how to get the certs created and installed it would greatly be appreciated. Thank you in advance.


5 Replies

What is the mode? EAP-TLS? If yes, then:
Understand and Configure EAP-TLS with a WLC and ISE - Cisco

Thank you for this. I will be reading it today. 

You are so so welcome.

Any time, friend.

MHM

As mentioned, there are configuration guides for ISE that go over the configuration steps in ISE with some overview.
Here's the guide for 3.x: Configure EAP-TLS Authentication with ISE
For other parts I fear the question is too open or general.
The certificate creation depends on your environment.
For example, if you have an on-premises AD environment, and maybe an existing PKI infrastructure, it would make sense to use your existing PKI infrastructure to generate the EAP certificate to use on the ISE nodes.
At the end of the day the clients that authenticate need to trust the EAP certificate on the ISE, and if you're using certificate authentication like EAP-TLS, the ISE needs to trust the CA that issues the certificates to the clients.

As an example, if you have a Windows-only environment using on-premises Active Directory, a simple solution is to use (or set up) a Microsoft CA, which can be on a standalone server or co-exist on another Windows server.

  • Create a CSR for the ISE nodes and use this CA to sign the certificates used for EAP certs.
  • Set up certificate enrollment so that all clients/computers get a computer certificate.
  • Use AD group policies to configure the wireless and wired 802.1x settings on the clients.
  • This might get you to the point where you can say "only our domain-joined machines are able to connect to the network".**
  • And once you gain confidence in this area you can start exploring the more advanced settings.

** there are additional security aspects you need to look into once you've reached this stage, such as can the certificate be exported off the computer and what can someone do with a stolen laptop.

If your workstations are domain-joined using AzureAD, or if you have macOS or Linux computers, there may be additional steps to look into.
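The two trust directions the answer above describes (the client must trust the EAP certificate on ISE; ISE must trust the CA that issued the client certificate) can be exercised end to end in a throwaway lab before touching a production CA. The script below is an added example, not code from the answer's author or from Cisco. It stands in a small OpenSSL CA for the Microsoft CA, builds the CSR for the "ISE node" and a computer certificate from the same CA, and then runs the two verification checks each side performs, plus the failures you want to see (a certificate from an unrelated CA, and a certificate with the wrong EKU). The host names `ise01.lab.example` and `pc01.lab.example`, the CA names and every file name are made up for this example.

```shell
#!/bin/sh
# Constructed lab for EAP-TLS trust: a throwaway OpenSSL CA stands in for the
# Microsoft CA described in the answer (an assumption of this example).
set -eu

# Build a lab PKI under directory $1: one root CA, an ISE EAP (server) cert
# issued from a CSR, one client (computer) cert, and an unrelated "rogue" CA
# used only to show what an untrusted issuer looks like.
build_lab_pki() {
  dir=$1
  mkdir -p "$dir"
  (
    cd "$dir"
    # Minimal req config so the CA gets proper CA extensions on every OpenSSL version.
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Lab Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # The CA that issues both the ISE EAP cert and the computer certs.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -sha256 \
      -config ca.cnf -keyout ca.key -out ca.crt 2>/dev/null
    # An unrelated CA: nothing it issues should be accepted by either side.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -sha256 \
      -config ca.cnf -subj "/CN=Rogue CA" -keyout rogue.key -out rogue-ca.crt 2>/dev/null

    # Step 1 of the answer: CSR for the ISE node, signed by the CA.
    # The EAP cert carries serverAuth and a SAN matching the node's name.
    cat > ise.ext <<'EOF'
subjectAltName = DNS:ise01.lab.example
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
EOF
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
      -subj "/CN=ise01.lab.example" -keyout ise.key -out ise.csr 2>/dev/null
    openssl x509 -req -in ise.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 30 -sha256 -extfile ise.ext -out ise.crt 2>/dev/null

    # Step 2 of the answer: the kind of cert auto-enrollment hands a domain computer.
    cat > client.ext <<'EOF'
subjectAltName = DNS:pc01.lab.example
extendedKeyUsage = clientAuth
keyUsage = digitalSignature
EOF
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
      -subj "/CN=pc01.lab.example" -keyout client.key -out client.csr 2>/dev/null
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 30 -sha256 -extfile client.ext -out client.crt 2>/dev/null
  )
}

# Return 0 when certificate $3 chains to CA bundle $2 and fits purpose $1:
#   sslserver = the check a supplicant makes on the ISE EAP certificate,
#   sslclient = the check ISE makes on the client certificate.
trusted_for() {
  openssl verify -purpose "$1" -CAfile "$2" "$3" >/dev/null 2>&1
}

# Human-readable run: prints the outcome of each check.
demo() {
  lab=$(mktemp -d)
  build_lab_pki "$lab"
  report() { if trusted_for "$1" "$2" "$3"; then echo "TRUSTED   $4"; else echo "REJECTED  $4"; fi; }
  report sslserver "$lab/ca.crt"       "$lab/ise.crt"    "client verifying ISE EAP cert"
  report sslclient "$lab/ca.crt"       "$lab/client.crt" "ISE verifying client cert"
  report sslclient "$lab/rogue-ca.crt" "$lab/client.crt" "ISE trusting only the rogue CA"
  report sslclient "$lab/ca.crt"       "$lab/ise.crt"    "server cert presented as a client cert (EKU mismatch)"
}
```

Run it with `sh eap_tls_lab.sh` after appending a line `demo` (or source the file and call `demo`). The first two checks should report TRUSTED and the last two REJECTED; the third failure is the one to keep in mind when you import the wrong CA into the ISE trusted-certificates store, and the fourth is why the ISE and computer certificate templates must carry the right Enhanced Key Usage.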

Great write up. This is definitely putting me in the direction I want to go. I will be reading and reviewing this. 
