Multi-Organisation NAC Query

KatherineTran
Level 1

Hello All,

I've found myself in a problematic situation for a design we are planning, whereby a new site we are opening has two organisations (our own organisation and another organisation) collaborating on the new site. The technologies we will be using are Cat 9300s and a dedicated ISE deployment on-site. The ISE deployment will also be used for various mutual MAB devices.

We want to utilise ISE to enforce NAC; however, for the corporate users it has become clear to me from researching that, as both of us use certificate-based authentication (EAP-TLS), we rely on the single EAP certificate (ISE can only have one EAP certificate installed for that role), which has triggered this conversation.

I was thinking of utilising an external RADIUS server at each organisation's home site; however, we won't be able to identify which requests are whose without defining switch/port IDs, unless it's possible to proxy to one organisation's RADIUS server and then proxy to the next if there is a failure! Are there any design options here? I suspect, unfortunately, it is what it is.

Note: It is not an option to change the organisations to use the same CA/certificates.

Warm Regards

KT


3 Replies

@KatherineTran use a publicly signed certificate for the ISE EAP certificate; each organisation's devices should therefore trust this certificate. Then, if you wish to do user/machine EAP-TLS authentication with each organisation signing its own certificates, upload each organisation's root CA certificates to ISE's trusted store.

davidgfriedman
Level 1

If you plan to have 802.1X with devices not 100% managed (MDM) by the company, I would recommend you go with a public EAP certificate, such as one from Entrust. Why?

1. If you want good security, you'd need to provide the vendors with your chain so they can have it installed on their vendor-managed devices to validate the EAP server. We don't happen to like or want giving that out. If you use one from Entrust, they should have that in their image's certificate chain (Linux, macOS, iPadOS, iOS, Windows, *nix variants, etc.).
2. If you have vendors give you their certificate chains to be able to read their vendor-managed certificates, then you must have good records on how to contact their company as their team / company information changes over the years. You also become responsible for it and have to stay on top of the certificate expiration and persistently pursue them to avoid outages, or be blamed for "outages" if you don't get the renewed certificate chain in time.
3. If a vendor revokes any of their certificates, how would you know the device should be blocked from your network? Another reason to push for your company to be able to install an MDM on the vendor devices: certificate lifecycle management, plus control over individual device revocation and blockage.

Good luck,
David

hslai
Cisco Employee

If EAP-TLS is used and the org name is part of the common name in the client certificate (e.g. a UPN such as user@example1.com), then that should be shown as part of the User-Name for the RADIUS authentication and can be used as a condition to proxy the requests.
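The routing logic hslai describes, and the failover ordering the original question asks about, as an added example written for this thread (it is not ISE code and not something posted by any participant): given the User-Name that ISE derives from the client certificate, work out which organisation the identity belongs to and which of that organisation's home RADIUS servers to try, in order. The domains example1.com and example2.com, the NetBIOS aliases, and the server names are constructed placeholders; anything that cannot be attributed to an organisation (for instance a MAC address presented by a MAB endpoint) is left to the local on-site policy.

```python
from __future__ import annotations

import re
from typing import Optional

# Constructed placeholder data: each collaborating organisation's UPN/mail
# domain mapped to its home RADIUS servers, in failover order.
ORG_PROXY_SEQUENCE = {
    "example1.com": ["radius1.example1.com", "radius2.example1.com"],
    "example2.com": ["radius1.example2.com", "radius2.example2.com"],
}

# Constructed NetBIOS short names seen in DOMAIN\user style identities.
NETBIOS_ALIASES = {"EXAMPLE1": "example1.com", "EXAMPLE2": "example2.com"}

_DN_START_RE = re.compile(r"^\s*[A-Za-z]+=")
_CN_RE = re.compile(r"CN=([^,]+)", re.IGNORECASE)
_DC_RE = re.compile(r"(?:^|,)\s*DC=([^,]+)", re.IGNORECASE)


def extract_domain(user_name: str) -> Optional[str]:
    """Return the domain carried in a RADIUS User-Name, or None.

    Handles the identity forms EAP-TLS typically yields when ISE takes the
    identity from the client certificate: a UPN (user@domain), a machine
    identity (host/fqdn), DOMAIN\\user, and a full subject DN whose CN is a
    UPN or whose DC components spell out the domain.
    """
    name = user_name.strip()
    if not name:
        return None

    # Subject DN: prefer a UPN-shaped CN, otherwise rebuild from DC parts.
    if _DN_START_RE.match(name):
        cn = _CN_RE.search(name)
        if cn and "@" in cn.group(1):
            return cn.group(1).rsplit("@", 1)[1].lower()
        dcs = _DC_RE.findall(name)
        return ".".join(dcs).lower() if dcs else None

    # DOMAIN\user: only known short names can be resolved.
    if "\\" in name:
        return NETBIOS_ALIASES.get(name.split("\\", 1)[0].upper())

    # UPN: user@domain
    if "@" in name:
        return name.rsplit("@", 1)[1].lower()

    # Machine identity: host/pc01.example2.com -> example2.com
    if name.lower().startswith("host/"):
        fqdn = name[len("host/"):].lower()
        return fqdn.split(".", 1)[1] if "." in fqdn else None

    # Anything else (e.g. a MAB MAC address) carries no organisation.
    return None


def org_for_domain(domain: Optional[str]) -> Optional[str]:
    """Map a domain or sub-domain onto a known organisation by suffix match."""
    if not domain:
        return None
    for org in ORG_PROXY_SEQUENCE:
        if domain == org or domain.endswith("." + org):
            return org
    return None


def select_proxy(user_name: str) -> tuple[str, list[str]]:
    """Decide where a request should go.

    Returns ("proxy:<org>", [servers in failover order]) for a known
    organisation, or ("local", []) when no organisation can be identified,
    so the request falls through to the on-site ISE policy set.
    """
    org = org_for_domain(extract_domain(user_name))
    if org is None:
        return ("local", [])
    return (f"proxy:{org}", list(ORG_PROXY_SEQUENCE[org]))


if __name__ == "__main__":
    # Constructed sample identities as ISE would present them in User-Name.
    for ident in ["alice@example1.com", "EXAMPLE2\\bob",
                  "host/pc01.corp.example2.com",
                  "CN=carol,OU=Users,DC=example2,DC=com",
                  "00-11-22-33-44-55"]:
        print(f"{ident!r:45} -> {select_proxy(ident)}")
```

The failover here is between the two home servers of the organisation the identity already belongs to, not between organisations: trying organisation A's RADIUS first and falling back to organisation B on failure (the idea floated in the question) would turn every outage at A into a burst of authentication attempts against B. Matching on the domain in the identity first avoids that.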