EAP-TLS with ISE

bret
Level 3

I have been reading Cisco ISE for BYOD and trying to create an Authentication Policy for EAP-TLS. When I build the new policy and add a new condition, then go to Network Access, EAPAuthentication is not an option. So I went to Policy Elements and created a new Authentication Compound condition and added it to the library. When I try to add it to my Authentication Policy it doesn't allow me to choose it and says only relevant conditions are selectable. Am I missing a step somewhere?

Any help is greatly appreciated and thanks in advance!

Accepted Solution

Octavian Szolga
Level 4

Hi,

If you want to use a different identity store for BYOD devices, all you have to do is edit the default dot1x rule and add a condition above your default condition/identity store.

Add an attribute value of Certificate - SAN/Issuer, etc., depending on what your differentiator is between BYOD devices and corporate assets.

Please see the attached print screen.

3 Replies

Thanks, that's what I needed. I was closing out of my current policy and inserting a new one above the default. Now I need to get my certs working with my phone and ISE. Currently, we are using PacketFence and MobileIron, which issue the certs during registration; still working with the security team to see how this is done. When I look at the certs on my phone I can see the root certs, but when I create an SSID and choose a cert, the root isn't an option. Any ideas how I can connect using a new SSID with the root certs on my phone?

Hi Bret,

EAP-TLS does not mean that you're using your root CA certificates to connect to the network. Instead, you're using a machine or user certificate signed by your CA.

The CA's certificate provides the means to check the certificate someone presents. It's the same thing with your ID: somebody (the authorities) did some checks on you and guarantees that you are who you claim to be.
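The two points in this thread (the accepted answer's "condition on Certificate Issuer/SAN above the default dot1x rule", and the last reply's "the device presents a leaf certificate, the CA certificate only checks it") can be seen end to end with a throw-away PKI. The script below is an added example written for this page, not ISE configuration or code from any poster; it uses plain openssl to build two CAs (a corporate one and an MDM-operated BYOD one), issue a client certificate from each, verify them the way a RADIUS server would, and branch on the issuer the way the accepted answer's rule ordering does. Every name in it (corp-ca, byod-mdm-ca, the hostnames and e-mail address, and the identity-store labels BYOD_Endpoint_Store and Corporate_AD) is made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throw-away PKI with openssl to
# show what an EAP-TLS supplicant actually presents (a leaf cert plus its
# private key, never the root) and how a RADIUS server such as ISE checks it
# against its trusted CAs and can branch policy on Issuer or SAN.
# All names (corp-ca, byod-mdm-ca, hostnames, e-mail, identity-store labels)
# are invented for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca <prefix> <CN>: self-signed root. Its private key stays on the CA,
# which is why a root cert on a phone is not something the phone can "connect with".
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config pki.cnf \
    -extensions v3_ca -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" 2>/dev/null
}

# issue_client_cert <ca-prefix> <prefix> <CN> <SAN>: the device generates a key
# pair and CSR; the CA signs a leaf cert with the clientAuth EKU and the given SAN.
issue_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
    -keyout "$2.key" -out "$2.csr" -subj "/CN=$3" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\nsubjectAltName=%s\n' "$4" > "$2.ext"
  openssl x509 -req -days 90 -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -extfile "$2.ext" -out "$2.crt" 2>/dev/null
}

# Server side (what ISE does during the EAP-TLS handshake): chain the presented
# leaf to a trusted CA. Returns 0 on success, non-zero otherwise.
verify_supplicant_cert() {   # <trusted-ca-bundle> <leaf.crt>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The attributes the accepted answer keys its policy condition on.
cert_issuer() { openssl x509 -in "$1" -noout -issuer -nameopt RFC2253; }
cert_san() {
  openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

# A cert is usable for EAP-TLS client auth only if it carries the clientAuth EKU;
# a root/issuing CA cert does not, which is why it is not offered for the SSID.
is_client_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Mirror of the accepted answer's rule ordering: a condition on the Issuer placed
# above the default dot1x rule selects the BYOD identity store; anything else
# falls through to the default (corporate) store. Store names are invented.
select_identity_store() {
  case "$(cert_issuer "$1")" in
    *CN=byod-mdm-ca*) echo "BYOD_Endpoint_Store" ;;
    *)                echo "Corporate_AD" ;;
  esac
}

# --- constructed sample PKI: one corporate CA, one MDM-operated BYOD CA ---
make_ca corp-ca     corp-ca
make_ca byod-mdm-ca byod-mdm-ca
cat corp-ca.crt byod-mdm-ca.crt > trusted-cas.pem   # the server's trusted-CA store
issue_client_cert corp-ca     corp-laptop01 laptop01.corp.example DNS:laptop01.corp.example
issue_client_cert byod-mdm-ca byod-alice    alice@corp.example   email:alice@corp.example

for leaf in corp-laptop01.crt byod-alice.crt; do
  if verify_supplicant_cert trusted-cas.pem "$leaf"; then status=trusted; else status=REJECTED; fi
  echo "$leaf: $status, $(cert_issuer "$leaf"), SAN=$(cert_san "$leaf") -> $(select_identity_store "$leaf")"
done
```

Read against the thread: the phone needs what `issue_client_cert` produces for it, a leaf certificate plus the matching private key installed as an identity (in the thread's setup that is what the MDM enrolment hands out), and the CA certificate only belongs in its trusted list; `is_client_cert` on the CA file fails for exactly the reason the root is not selectable for the SSID. On the server side, `verify_supplicant_cert` is the trust check and `select_identity_store` is the Issuer condition the accepted answer puts above the default dot1x rule; swapping `cert_issuer` for `cert_san` in that `case` gives the SAN variant.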
