Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
466
Views
2
Helpful
5
Replies

Implementing 8021x in network

Go to solution
jesse.garcia11
Level 1
Level 1

‎07-20-2023 03:44 PM

We are implementing 8021x this summer and I am reading this great Cisco white paper: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213919-configure-802-1x-authentication-on-catal.html

It goes into depth on how to configure the WLC and ISE for implementing the 8021x network, which is what we will be using. But it does not go into any detail on certificate configuration and placement. If anyone has any good documentation or advice on how to get the certs created and installed it would greatly be appreciated. Thank You in advanced. 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jonatan Jonasson
Level 4
Level 4

‎07-20-2023 05:08 PM

As mentioned, there are configuration guides for ISE that go over the configuration steps in ISE with some overview.
Here's the guide for 3.x: Configure EAP-TLS Authentication with ISE
For other parts I fear the question is too open or general.
The certificate creation depends on your environment.
For example, if you have an on-premises AD environment, and maybe an existing PKI infrastructure, it would make sense to use your existing PKI infrastructure to generate the EAP certificate to use on the ISE nodes.
At the end of the day the clients that authenticate need to trust the EAP certificate on the ISE, and if you're using certificate authentication like EAP-TLS, the ISE needs to trust the CA that issues the certificates to the clients.

As an example, if you have a windows-only environment using on-premises Active Directory, a simple solution is to use (or set up) a Microsoft CA, which can be on a standalone server or co-exist on another win server.

  • Create a CSR for the ISE nodes and use this CA to sign the certificates used for EAP certs.
  • Set up certificate enrollment so that all clients/computers get a computer certificate.
  • Use AD group policies to configure the wireless and wired 802.1x settings on the clients.
  • This might get you to the point where you can say "only our domain-joined machines are able to connect to the network".**
  • And once you gain confidence in this area you can start exploring the more advanced settings.

** there are additional security aspects you need to look into once you've reached this stage, such as can the certificate be exported off the computer and what can someone do with a stolen laptop.

If your workstations are domain-joined using AzureAD, or if you have MacOS or linux computers, there may be additional steps to look into.

View solution in original post

5 Replies 5

Go to solution
MHM Cisco World
VIP
VIP

‎07-20-2023 04:11 PM - edited ‎07-20-2023 04:11 PM

what is Mode 
EAP-TLS ? if Yes 
then 
Understand and Configure EAP-TLS with a WLC and ISE - Cisco

Go to solution
jesse.garcia11
Level 1
Level 1
In response to MHM Cisco World

‎07-21-2023 07:50 AM

Thank you for this. I will be reading it today. 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to jesse.garcia11

‎07-21-2023 12:35 PM

You are so so welcome'

Any time friend 

MHM

0 Helpful

Go to solution
Jonatan Jonasson
Level 4
Level 4

‎07-20-2023 05:08 PM

As mentioned, there are configuration guides for ISE that go over the configuration steps in ISE with some overview.
Here's the guide for 3.x: Configure EAP-TLS Authentication with ISE
For other parts I fear the question is too open or general.
The certificate creation depends on your environment.
For example, if you have an on-premises AD environment, and maybe an existing PKI infrastructure, it would make sense to use your existing PKI infrastructure to generate the EAP certificate to use on the ISE nodes.
At the end of the day the clients that authenticate need to trust the EAP certificate on the ISE, and if you're using certificate authentication like EAP-TLS, the ISE needs to trust the CA that issues the certificates to the clients.

As an example, if you have a windows-only environment using on-premises Active Directory, a simple solution is to use (or set up) a Microsoft CA, which can be on a standalone server or co-exist on another win server.

  • Create a CSR for the ISE nodes and use this CA to sign the certificates used for EAP certs.
  • Set up certificate enrollment so that all clients/computers get a computer certificate.
  • Use AD group policies to configure the wireless and wired 802.1x settings on the clients.
  • This might get you to the point where you can say "only our domain-joined machines are able to connect to the network".**
  • And once you gain confidence in this area you can start exploring the more advanced settings.

** there are additional security aspects you need to look into once you've reached this stage, such as can the certificate be exported off the computer and what can someone do with a stolen laptop.

If your workstations are domain-joined using AzureAD, or if you have MacOS or linux computers, there may be additional steps to look into.

Go to solution
jesse.garcia11
Level 1
Level 1
In response to Jonatan Jonasson

‎07-21-2023 07:51 AM

Great write up. This is definitely putting me in the direction I want to go. I will be reading and reviewing this. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card