Authentication of Guest users without certificate

minkumar
Level 1

Hi Team,

 

I have employees doing certificate-based authentication to connect to the network. However, I have a few users which do not have certificates at all and they want to have internet access only.

 

I want to understand what all my options are here to make sure that guest users skip their authentication and get only the internet VLAN and connect.

 

Is it possible to have a rule in ISE stating skip the authentication and push only the internet VLAN through an Authorization profile?

 

Or if there is any other alternative or way available.

 

Minakshi


11 Replies

nspasov
Cisco Employee

Hi Minakshi, 

There are several different ways you can do this. The simplest and probably the easiest way to do this is via the Guest Portal that is already included in ISE. If this is for wireless, you would:

1. Create a separate SSID and configure it for CWA (Central Web Authentication). You can set the portal to look to AD to, let's say, allow all "Domain Users" to authenticate

2. You can restrict the actual access either by ACLs configured on the WLC (WLCs do not support dACLs) or dynamic VLAN(s)

 

If this is for wired, the setup would be similar. You would:

1. Any sessions that fail 802.1x can be redirected to the guest portal. The guest portal can again be set to look to AD for authentications

2. Access can be restricted via DACLs (configured on ISE) or via dynamic VLAN(s)

 

Take a look at the following docs:

 http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_40_webauthentication_dg.pdf

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_41_guest_services.pdf

 

Hope this helps!

 

Thank you for rating helpful posts! 
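An added illustration, not Neno's own configuration and not taken from the guides linked above: the wired variant of the flow he describes, on an IOS access switch, with the two ISE authorization profiles spelled out as the RADIUS attributes they return. The PSN address 192.0.2.10, the shared secret, the portal id, the interface name and the internal ranges in the dACL are placeholders.

```cisco
! --- IOS access switch: 802.1X first, MAB second, so a host with no certificate
! --- falls through to MAB and ISE can redirect it to the guest portal.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key RADIUS-SHARED-SECRET-PLACEHOLDER
radius-server vsa send authentication
radius-server vsa send accounting
dot1x system-auth-control
ip device tracking
ip http server
ip http secure-server
!
! Redirect ACL: on a switch, "permit" = redirect to the portal, "deny" = let through
! untouched (DNS and traffic to the ISE PSN itself must not be redirected).
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny   udp any any eq domain
 deny   ip any host 192.0.2.10
 permit tcp any any eq www
 permit tcp any any eq 443
!
interface GigabitEthernet1/0/1
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 authentication host-mode multi-auth
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
! --- ISE side, written as the RADIUS attributes each authorization profile returns.
! Profile 1, for the MAB rule that catches unknown MACs (no certificate, no portal login yet):
!   cisco-av-pair = url-redirect-acl=ACL-WEBAUTH-REDIRECT
!   cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=PORTAL-ID-PLACEHOLDER&action=cwa
!   (ISE fills in ip:port and SessionIdValue itself at runtime)
! Profile 2, for the rule matching "Guest Flow" after a successful portal login, internet only:
!   either a dACL pushed from ISE (RFC 1918 ranges used here as placeholder internal networks)
!     deny   ip any 10.0.0.0 0.255.255.255
!     deny   ip any 172.16.0.0 0.15.255.255
!     deny   ip any 192.168.0.0 0.0.255.255
!     permit ip any any
!   or the dynamic-VLAN alternative from the reply above:
!     Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=INTERNET-VLAN-ID-PLACEHOLDER
```

The dACL and the redirect ACL are enforced at the access port, so a guest that never completes the portal login stays behind the redirect ACL and reaches nothing but DNS and the portal.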

 

Thanks Neno!!

 

My next question is: I am doing EAP-TLS authentication for wireless users. My customer wants all the users to get a customized Java-based web page before they authenticate using EAP-TLS.

 

Is it possible? I checked Central Web Authentication; however, I am not sure if it takes a customized Java-scripted web page.

 

Minakshi

Just to make sure I understand the requirements correctly: The customer wants the users to authenticate through a web portal and then perform EAP-TLS authentication? If so may I ask why? :)

Hi Neno,

 

Yes, kind of. They have a customized web page and they want users to see that customized web page first and then perform EAP-TLS.

 

- I also want to know: since the customer wants to do EAP-TLS authentication using an online certificate store, is it possible to have certificate-based authentication for EAP-TLS without integrating it with AD?

 

Minakshi

For your question #1: Someone else can chime in here but I think this is only possible via the BYOD provisioning flow with dual SSIDs. You would have the first SSID where the end user would connect and get redirected to the web portal. After login, the machine would go through an on-boarding process during which a certificate would be installed and the supplicant would be configured to perform EAP-TLS. After that the client would connect to the corporate SSID via EAP-TLS.

 

For your question #2: You do not need AD integration to perform EAP-TLS authentication. AD integration comes handy when you want to also check for an AD user or machine group and/or when you want to use GPO to auto-enroll machine/user certs. 

 

Thank you for rating helpful posts!

Hi Neno,

 

Thanks. So if I have understood it correctly, without AD integration the authentication will work. However, I would like to know how ISE validates the identity of the user based on the CN value.

 

For example: if I select the CN attribute and configure the authentication profile with an external identity store, how will ISE validate the identity of the user and authenticate?

 

Can you explain the traffic flow?

 

For example:

User -- WLC -- ISE -- Certificate profile --- (How does the certificate profile validate the identity?)

 

Question 2: Is there any way we can integrate an online third-party certificate server with ISE, through which it can validate the identity?

 

 

Cheers!!

Minakshi

You remind me a lot of the days when I was first getting myself into ISE, 802.1x and certificates :) Back then I found the following link that greatly helped me understand how EAP-TLS works. Some good examples are given as well:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml

For your second question: There are several companies out there that provide managed PKI service. I have heard good things about the Symantec solution but have never tried it myself:

http://www.symantec.com/managed-pki-service

 

Thank you for rating helpful posts! 

Hey Neno,

 

I have worked in TAC for 5 years in AAA/ACS!! Below is just one of my articles that were published by Cisco:

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html

I am an ex-TAC engineer.

 

I would just like to know how ISE validates the identity of a username based on CN.

I just wanted to know if there is any way we can integrate ISE with an online certificate server, because I don't see any place in ISE where we can add a URL or something for the external certificate server and define it under Identity store.

 

Sorry Minakshi. I did not mean to offend you nor imply that you were not technically savvy. I already saw your Cisco e-mail address so I had no doubt about your skills. I just remembered the days when I was struggling with certificates and it made me smile because I hate it :)

Give that link a try and see if it helps.

Hey Neno!!

 

No worries!!! Could you kindly check if ISE can integrate with an online certificate server, because I really doubt if we can do this!!

 

Thanks a lot!!

Minakshi

It is possible. I know a colleague of mine who has done it before with Symantec. I am sure there are other providers out there as well.