06-19-2014 01:45 AM - edited 03-10-2019 09:48 PM
Hi Team,
I have employees doing certificate-based authentication to connect to the network. However, I have a few users who do not have certificates at all and they want to have internet access only.
I want to understand what all my options are here to make sure that guest users skip their authentication and get only the internet VLAN and connect.
Is it possible to have a rule in ISE stating skip the authentication and push only the internet VLAN through an Authorization profile?
Or if there is any other alternative or way available.
Minakshi
06-20-2014 12:17 AM
Hi Minakshi,
There are several different ways you can do this. The simplest and probably the easiest way to do this is via the Guest Portal that is already included in ISE. If this is for wireless, you would:
1. Create a separate SSID and configure it for CWA (Central Web Authentication). You can set the portal to look to AD to, let's say, allow all "Domain Users" to authenticate
2. You can restrict the actual access either by ACLs configured on the WLC (WLCs do not support dACLs) or dynamic VLAN(s)
If this is for wired, the setup would be similar. You would:
1. Any sessions that fail 802.1x can be redirected to the guest portal. The guest portal can again be set to look to AD for authentication
2. Access can be restricted via DACLs (configured on ISE) or via dynamic VLAN(s)
Take a look at the following docs:
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_40_webauthentication_dg.pdf
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_41_guest_services.pdf
Hope this helps!
Thank you for rating helpful posts!
06-20-2014 01:58 AM
Thanks Neno!!
My next question is: I am doing EAP-TLS authentication for wireless users. My customer wants all the users to get a customized Java-based web page before they authenticate using EAP-TLS.
Is it possible? I checked Central Web Authentication; however, I am not sure if it takes a customised Java-scripted web page.
Minakshi
06-20-2014 10:32 AM
Just to make sure I understand the requirements correctly: The customer wants the users to authenticate through a web portal and then perform EAP-TLS authentication? If so, may I ask why? :)
06-24-2014 10:12 PM
Hi Neno,
Yes, kind of. They have a customized web page and they want users to see that customised web page first and then perform EAP-TLS.
- I also want to know: since the customer wants to do EAP-TLS authentication using an online certificate store, is it possible to have certificate-based authentication for EAP-TLS without integrating it with AD?
Minakshi
06-25-2014 10:30 PM
For your question #1: Someone else can chime in here but I think this is only possible via the BYOD provisioning flow with dual SSIDs. You would have the first SSID where the end user would connect and get redirected to the web portal. After login, the machine would go through an on-boarding process during which a certificate would be installed and the supplicant would be configured to perform EAP-TLS. After that the client would connect to the corporate SSID via EAP-TLS.
For your question #2: You do not need AD integration to perform EAP-TLS authentication. AD integration comes handy when you want to also check for an AD user or machine group and/or when you want to use GPO to auto-enroll machine/user certs.
Thank you for rating helpful posts!
06-25-2014 10:45 PM
Hi Neno,
Thanks. So if I have understood it correctly, without AD integration the authentication will work. However, I would like to know how ISE validates the identity of the user based on the CN value.
For example: if I select the CN attribute and configure the Authentication profile as an external identity store, how will ISE validate the identity of the user and authenticate?
Can you explain the traffic flow?
For example:
User--WLC--ISE--Certificate profile---(How the certificate profile validates the identity)
Question 2: Is there any way we can integrate an online third-party certificate server with ISE through which it can validate the identity?
Cheers!!
Minakshi
06-25-2014 11:24 PM
You remind me a lot of the days when I first was getting myself into ISE, 802.1x and certificates :) Back then I found the following link that greatly helped me understand how EAP-TLS works. Some good examples are given as well:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml
For your second question: There are several companies out there that provide managed PKI service. I have heard good things about the Symantec solution but have never tried it myself:
http://www.symantec.com/managed-pki-service
Thank you for rating helpful posts!
06-25-2014 11:25 PM
Hey Neno,
I have worked in TAC for 5 years!! in AAA/ACS. Below is just one of my articles that was published by Cisco:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
I am an ex-TAC engineer.
I would just like to know how ISE validates the identity of a username based on the CN.
I just wanted to know if there is any way we can integrate ISE with an online certificate server, because I don't see any place in ISE where we can add a URL or something for the external certificate server and define it under the identity store.
06-25-2014 11:37 PM
Sorry Minakshi. I did not mean to offend you nor imply that you were not technically savvy. I already saw your Cisco e-mail address so I had no doubt about your skills. I just remembered the days when I was struggling with certificates and it made me smile because I hate it :)
Give that link a try and see if it helps.
06-26-2014 12:01 AM
Hey Neno!!
No worries!!! Could you kindly check if ISE can integrate with an online certificate server, because I really doubt if we can do this!!
Thanks a lot!!
Minakshi
06-26-2014 06:58 PM
It is possible. I know a colleague of mine who has done it before with Symantec. I am sure there are other providers out there as well.