SEC0045 - ISE 1.1 Wired 802.1X and Machine Authentication with EAP-TLS


The video walks through configuring wired 802.1X with EAP-TLS on Cisco ISE 1.1. It covers building authentication and authorization policies that support both user and machine authentication, restricting network access with a downloadable ACL (DACL), and using Machine Access Restriction (MAR) to correlate the user session with a preceding machine session from the same endpoint, so that a user is granted full access only from a domain-joined (corporate) computer. Testing is performed from both a domain and a non-domain computer to observe the authentication results.

Topic:
  • Certificate Profile (Common Name)
  • Identity Source Sequence 
  • User and Machine Authentication with EAP-TLS
  • Policy Element Condition
    • Authorization (Compound Condition)
  • Policy Element Result
    • Authentication (Allowed Protocol)
    • Authorization (Downloadable ACL)
    • Authorization (Authorization Profile)
  • Authentication Policy
  • Authorization Policy
Note:
  • EAP-TLS is a certificate-based authentication method.
  • With EAP-TLS a client certificate is required, and the CA that issued the ISE server certificate must be trusted by the client, or server certificate validation must be disabled on the supplicant (which removes the client's protection against a rogue RADIUS server).
  • User and machine certificates should be issued with non-exportable private keys; otherwise the credential can be copied to a non-corporate machine and the control is circumvented.
  • Machine authentication only happens at the Windows logon screen, before a user logs on.
  • Logging the user off or rebooting the machine may be required to force a new machine authentication.

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

67 comments

Thank you for the update on the resolution.

I am having a tough time getting the Windows 7 supplicant to work using user and machine certs. I can only get the machine to authenticate, but the user authentication does not follow after the machine auth. However, if I disable and re-enable the NIC after machine authentication, I can see a user auth via TLS come through, go through the right flow and get full access.

Yes, EAP-TLS has worked the same way since ISE came out, although the problem you describe does not seem to be related to ISE but to the supplicant. If you set the Windows 802.1X profile to User or Computer authentication, the machine will authenticate at the Windows login screen, and only after the user has logged into Windows will user auth happen.

Hi, I want to ask a question. Is there any way to make the switch skip the authentication process if ISE is down or the switch can't connect to Cisco ISE? Sometimes, for one reason or another, ISE goes down or the connection from the office to headquarters is lost and the switch can't reach ISE. Clients in the office then can't access the network to do their jobs, and they can't wait for an engineer from HQ to come and fix the issue, because it takes too much time and the business impact is too big. I want to configure the switch so that if ISE is down it skips the authentication process, because if ISE is down and clients in the office can't even use a printer, that is unacceptable. And of course, if ISE and the switch are working fine, users/devices must authenticate using dot1x or MAB to get access.

Yes, you can configure the port to fail open if ISE is not reachable. Please see the link below.

https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ide...
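The fail-open behaviour described in the answer above is what Cisco IOS calls critical authentication. The configuration below is an added example for readers of this thread; it is not taken from the original post or from the linked Cisco document. The interface name, VLAN 10, the RADIUS server name and all timer values are placeholders to adapt to your own switch.

```cisco
! --- Global: decide when the ISE PSNs count as dead and how long to treat them that way ---
! A server is marked dead after no reply to 3 tries within 5 seconds; it stays dead 15 minutes.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
! Let the switch finish the EAPOL exchange itself while RADIUS is dead, so the
! supplicant receives an EAP-Success instead of timing out.
dot1x critical eapol
!
! --- Per access port: normal 802.1X/MAB when ISE is up, critical auth when it is dead ---
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 ! Critical authentication: when every server in the RADIUS group is dead,
 ! authorize the data VLAN (and the voice domain) instead of leaving the port closed.
 authentication event server dead action authorize vlan 10
 authentication event server dead action authorize voice
 ! When ISE is reachable again, re-initialize the port so the real policy applies.
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
```

Two caveats a practitioner should keep in mind. First, this only triggers once the server has been declared dead by the dead-criteria timers, so the first endpoints that connect during an outage still wait out those timers before being authorized; the rest of the outage is then handled by the cached dead state. Second, this is fail-open on an unreachable server only: a reachable ISE that rejects a session is still a reject, and the port returns to normal enforcement as soon as ISE answers again, which is the behaviour the question asks for.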


Hi, thanks for your answer. I have one more question: when you create a group of MAC addresses, I don't see where to add a comment for each MAC address. If the group is too large, it is hard to know which MAC belongs to the device you are looking for. So is there any way to add a comment to a MAC in a group?

You should be able to add a description for each endpoint added. Are you saying this is not the case?

For example, ISE version 2.1: if I go to Work Center > Profiler > Endpoint Classification > Add, I can add a description for any MAC I add. But when I go to Administration > Identity Groups > Endpoint Identity Groups > [Group-Name], I can only see three columns, without a Description column. Is there any way to add Description to it? I guess not, right?

Endpoint Identity Groups don't allow you to add columns. Try under Context Visibility > Endpoints. There you should be able to add a column for the description.

Hi!

I have users and machines in the same security group. I have different VLANs and am assigning the VLAN according to security group membership. For example, HR users and computers are part of the HR security group.
My machine auth is working fine, but when users log in it is not switching to the user auth policy, the reason being that both are part of the same security group. How can I make this work so that it switches to the user auth policy? I need it for admin users, so that when they log in they get the VLAN that is for administrators.

Thanks

That does not sound right. User and machine authentication on Windows are always separate regardless of which security group they belong to. Machine auth happens at the Windows login screen. Once the user logs into Windows, user auth should happen. Make sure you have the 802.1X supplicant profile set to do "User or Computer authentication" and not just "Computer authentication".

Hi!

It's set to user or computer authentication.

Any other tip?

It looks like ISE checks when the user logs in.

I have two policies, one for the HR computer check and the next for the user check with admin users in the Admin security group.

Thanks

OK. It looks like it cannot find my username, because the username is an autogenerated number like t1234242 while the certificate is issued on my first name and last name, and I can see the "Identity resolution failed - ERROR_NO_SUCH_USER" error.

You can either make sure the username is the certificate common name, or tell ISE to look at a different certificate attribute that contains the username, like the UPN or SAN.

Thanks. Any example of using another cert attribute?

I can see the user identity form, and I can select a few options other than common name.

On ISE, correct. Select the attribute that contains the username in the cert.
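Two behaviours from this page are easy to misread until you see them side by side: the identity-attribute choice in the certificate authentication profile (the ERROR_NO_SUCH_USER exchange just above) and the MAR correlation of a user session with a preceding machine session (the lab description at the top). The Python below is an added model written for this page; it is not Cisco ISE code and does not parse real X.509. The certificates, the directory contents, the MAC addresses, the attribute keys (`CN`, `SAN_UPN`, `SAN_DNS`) and the authorization profile names are all constructed, and the 6-hour aging window is an assumption based on ISE's default MAR aging time.

```python
"""Constructed model of ISE certificate identity selection and Machine Access
Restriction (MAR). Added example, not ISE code; all data below is made up."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Assumed aging window (ISE's default MAR aging time is 6 hours).
MAR_AGING_SECONDS = 6 * 3600

# Constructed mock of the AD identity store: identity string -> group memberships.
DIRECTORY: Dict[str, Set[str]] = {
    "t1234242@corp.example.com": {"Domain Users"},       # user account, UPN form
    "hr-pc-01.corp.example.com": {"Domain Computers"},   # computer account, FQDN form
}


@dataclass(frozen=True)
class Cert:
    """Only the subject fields the page talks about (constructed, not parsed X.509)."""
    common_name: str
    san_upn: Optional[str] = None   # Subject Alternative Name, UPN (user certs)
    san_dns: Optional[str] = None   # Subject Alternative Name, DNS name (machine certs)


# The user cert's CN is the display name, not the account name: the exact situation
# that produced ERROR_NO_SUCH_USER in the comment thread.
USER_CERT = Cert(common_name="Jane Doe", san_upn="t1234242@corp.example.com")
MACHINE_CERT = Cert(common_name="hr-pc-01.corp.example.com",
                    san_dns="hr-pc-01.corp.example.com")

DOMAIN_PC_MAC = "AA:BB:CC:00:00:01"   # constructed Calling-Station-Id of a domain PC
BYOD_MAC = "AA:BB:CC:00:00:99"        # personal laptop, never machine-authenticated


def identity_from_cert(cert: Cert, attribute: str) -> Optional[str]:
    """Model the profile's 'use identity from' choice: exactly one named attribute."""
    return {"CN": cert.common_name, "SAN_UPN": cert.san_upn, "SAN_DNS": cert.san_dns}[attribute]


def resolve_identity(cert: Cert, attribute: str) -> Tuple[Optional[str], str]:
    """Look the chosen attribute up in the identity store."""
    ident = identity_from_cert(cert, attribute)
    if ident is None or ident not in DIRECTORY:
        return None, "Identity resolution failed - ERROR_NO_SUCH_USER"
    return ident, "OK"


class MarCache:
    """MAC -> time of the last successful machine authentication."""

    def __init__(self, aging_seconds: int = MAR_AGING_SECONDS) -> None:
        self.aging_seconds = aging_seconds
        self._last_machine_auth: Dict[str, int] = {}

    def record_machine_auth(self, mac: str, now: int) -> None:
        self._last_machine_auth[mac] = now

    def was_machine_authenticated(self, mac: str, now: int) -> bool:
        seen = self._last_machine_auth.get(mac)
        return seen is not None and 0 <= now - seen <= self.aging_seconds


def authenticate(kind: str, cert: Cert, mac: str, now: int,
                 cache: MarCache, attribute: str) -> Tuple[str, str]:
    """Return (authorization result, reason) for one EAP-TLS session.
    kind is "machine" (Windows logon screen) or "user" (after the user logs on)."""
    ident, status = resolve_identity(cert, attribute)
    if ident is None:
        return "REJECT", status
    groups = DIRECTORY[ident]
    if kind == "machine":
        if "Domain Computers" not in groups:
            return "REJECT", "identity is not a domain computer"
        cache.record_machine_auth(mac, now)
        return "Machine_Limited_DACL", "machine authenticated (e.g. AD/DNS/patching only)"
    if "Domain Users" not in groups:
        return "REJECT", "identity is not a domain user"
    if cache.was_machine_authenticated(mac, now):
        return "Employee_Full_Access", "MAR hit: prior machine auth from this MAC"
    return "Restricted_DACL", "MAR miss: no machine auth from this MAC in the aging window"


def run_scenarios() -> Dict[str, str]:
    """Replay the page's test cases; returns the authorization result per scenario."""
    cache = MarCache()
    out: Dict[str, str] = {}
    # Domain PC boots: machine auth at the logon screen, profile reading the CN.
    out["machine_boot"] = authenticate("machine", MACHINE_CERT, DOMAIN_PC_MAC, 0, cache, "CN")[0]
    # User logs on, profile still reading CN: display name is not an AD identity.
    out["user_cn"] = authenticate("user", USER_CERT, DOMAIN_PC_MAC, 30, cache, "CN")[0]
    # Same logon with the profile reading the SAN UPN instead.
    out["user_upn_domain_pc"] = authenticate("user", USER_CERT, DOMAIN_PC_MAC, 30, cache, "SAN_UPN")[0]
    # The user cert copied to a personal laptop: valid user, no machine auth behind it.
    out["user_upn_byod"] = authenticate("user", USER_CERT, BYOD_MAC, 60, cache, "SAN_UPN")[0]
    # Long-lived session re-authenticates after the MAR entry has aged out (no reboot).
    out["user_upn_aged_out"] = authenticate("user", USER_CERT, DOMAIN_PC_MAC,
                                           MAR_AGING_SECONDS + 1, cache, "SAN_UPN")[0]
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:20s} -> {result}")
```

The last two scenarios are the ones worth noting. The exported-certificate case only lands in the restricted profile because the personal laptop never passed machine authentication; if the machine certificate's private key is also exportable, MAR can be satisfied from a non-corporate device, which is why the page's note on non-exportable keys matters. The aged-out case shows that MAR is a cache keyed on MAC with a finite lifetime, so a re-authentication on a machine that has not rebooted since the window expired falls back to the restricted result until a new machine authentication (log-off or reboot) refreshes the entry.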
