10-27-2022 03:01 PM
Hi Guys,
We want to implement a WLAN with 802.1x certificate-based client authentication. I am following the document Understand and Configure EAP-TLS with a WLC and ISE, but is there a way to automatically install the certificate on the client machines without having to go manually to each? Like, for example, the clients downloading the certificate from the ISE.
Thanks for your support.
Regards,
10-27-2022 03:10 PM
If all the clients are part of the domain, you can deploy the certificate using a GPO. https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy#:~:text=To%20distribute%20certificates%20to%20client%20computers%20by%20using%20Group%20Policy
If you have non-domain devices, then you need to deploy it using a MDM solution. Explore your MDM vendor for more info on how to do.
Certificates Payload (Pushing Certificates) - Cisco Meraki
Create trusted certificate profiles in Microsoft Intune | Microsoft Learn
Certificate Management | ManageEngine Mobile Device Manager Plus
10-27-2022 05:38 PM
What Arshad said. Other options: look at securew2.com if you need a managed PKI environment to do this.
02-23-2023 10:58 AM
Ok. Thanks for the suggestion.
With respect to the already installed certificates on the ISE from factory, will these work for 802.1x client authentication?
Thanks again.
Regards,
02-23-2023 03:09 PM
I think you need to at least have domain services and PKI in your environment to successfully do this. The client along with the RADIUS has to trust the cert chain. You can always try and use whatever cert you are using on ISE for EAP, but you will have to then upload the chain to the device cert store, manually set up the profile, etc. Then you will have to figure out the policy to get all that to work.
You didn't provide whether you have a domain you are using, whether GPO is possible, whether you have a CA, what your RADIUS server is, and whether you are currently doing PEAP.
02-23-2023 03:56 PM
02-23-2023 06:18 PM
For your PoC, you should validate that certificates (user or computer) are pushed to each domain-joined machine. Then your ISE should have a certificate installed from your CA (device, intermediates, and root), and make sure that cert is imported and used for EAP. This helps with the two-way trust. Then you would push out a wireless profile via GPO for your test SSID and configure the policies in ISE to authenticate the user/device cert.
Take a look at some guides and blogs on ISE using EAP-TLS and that will help with the steps you need to perform for your PoC.
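As an added example (not from this thread and not Cisco's or Microsoft's own code), the PoC checklist in the post above can be turned into a client-side preflight script run on a domain-joined Windows machine. It checks the three things the supplicant needs before EAP-TLS can succeed: a machine certificate from the enterprise CA with the Client Authentication EKU and a private key that chains to a trusted root, the enterprise root CA present in the machine Trusted Root store (so the client trusts the EAP certificate ISE presents), and a GPO-pushed wireless profile that uses EAP-TLS and pins that root for server validation. The issuer name, root thumbprint and SSID are placeholders you must replace with your own values.

```powershell
# Constructed example: EAP-TLS client preflight for a domain-joined Windows machine.
# Placeholders (assumptions, adjust for your environment):
$IssuerMatch = "CN=CORP-Issuing-CA"                           # CN of the issuing CA that signs client certs
$RootThumb   = "0000000000000000000000000000000000000000"    # thumbprint of your enterprise root CA
$Ssid        = "CORP-EAPTLS-TEST"                             # test SSID pushed by GPO

$clientAuthOid = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth EKU
$findings = New-Object System.Collections.Generic.List[string]

# 1. Machine cert from the expected CA, with Client Authentication EKU and a private key
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -like "*$IssuerMatch*" -and
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
}
if (-not $certs) {
    $findings.Add("FAIL: no machine cert from $IssuerMatch with Client Authentication EKU and a private key")
} else {
    foreach ($c in $certs) {
        # Verify() builds the chain against the local stores (and checks revocation where reachable)
        if ($c.Verify()) {
            $findings.Add("OK:   cert $($c.Thumbprint) (expires $($c.NotAfter)) chains to a trusted root")
        } else {
            $findings.Add("FAIL: cert $($c.Thumbprint) does not chain to a trusted root; check Root/CA store deployment")
        }
    }
}

# 2. Enterprise root CA must be in the machine Trusted Root store so the ISE EAP cert is trusted
if (Test-Path "Cert:\LocalMachine\Root\$RootThumb") {
    $findings.Add("OK:   root CA $RootThumb present in LocalMachine\Root")
} else {
    $findings.Add("FAIL: root CA $RootThumb missing from LocalMachine\Root")
}

# 3. Wireless profile must exist, use EAP-TLS (type 13) and pin the root for server validation
$tmp = Join-Path $env:TEMP "wlan-export"
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
netsh wlan export profile name="$Ssid" folder="$tmp" | Out-Null
$xmlFile = Get-ChildItem $tmp -Filter "*.xml" | Select-Object -First 1
if (-not $xmlFile) {
    $findings.Add("FAIL: no wireless profile named $Ssid on this machine")
} else {
    [xml]$p = Get-Content $xmlFile.FullName
    # local-name() sidesteps the several XML namespaces used in an exported profile
    $typeNode   = $p.SelectSingleNode("//*[local-name()='Eap']/*[local-name()='Type']")
    $promptNode = $p.SelectSingleNode("//*[local-name()='DisableUserPromptForServerValidation']")
    $trusted    = @($p.SelectNodes("//*[local-name()='TrustedRootCA']") |
                    ForEach-Object { ($_.InnerText -replace '\s', '').ToUpper() })

    if (-not $typeNode -or $typeNode.InnerText -ne "13") {
        $findings.Add("FAIL: profile $Ssid is not EAP-TLS (expected EAP type 13)")
    }
    if ($trusted -contains $RootThumb.ToUpper()) {
        $findings.Add("OK:   profile pins trusted root $RootThumb for server validation")
    } else {
        $findings.Add("FAIL: profile does not pin $RootThumb; the client would accept any trusted CA for the RADIUS server")
    }
    if ($promptNode -and $promptNode.InnerText -eq "true") {
        $findings.Add("OK:   users cannot override server validation prompts")
    } else {
        $findings.Add("WARN: users are prompted on server validation failures and can accept an untrusted server")
    }
}

$findings | ForEach-Object { Write-Output $_ }
```

Run it in an elevated PowerShell session after the GPO has applied (`gpupdate /force`). Any FAIL line maps back to one of the steps in the post above: the certificate auto-enrollment GPO, the root/intermediate distribution GPO, or the wireless profile GPO. The TrustedRootCA and DisableUserPromptForServerValidation checks matter because a profile that validates the server certificate but does not pin your root, or lets the user click through a validation failure, is what lets a client authenticate to a RADIUS server that is not yours.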