Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Cisco ISE - eap-peap and eap-tls

Hi,

Does anybody have an example of an ISE authentication policy where authentication requests coming from a WLC can be handled by TLS and PEAP?

I dont seem to get that working, I do however make the ISE application crash with my config which is not the idea.

If peap use this identity source, if tls use 'this certificate authentication profile'.

Thx

1 ACCEPTED SOLUTION

Accepted Solutions
Gold

Cisco ISE - eap-peap and eap-tls

Do not need to do this in policy

Can create an identity sequence and include within it both a certificate authentcation profil and an identity store

Administration > Identity Management > Identity Source Sequences

Can then select and define Certfiicate authentication profile for certificate based authentcation and an Authentication Search list

9 REPLIES
Gold

Cisco ISE - eap-peap and eap-tls

Do not need to do this in policy

Can create an identity sequence and include within it both a certificate authentcation profil and an identity store

Administration > Identity Management > Identity Source Sequences

Can then select and define Certfiicate authentication profile for certificate based authentcation and an Authentication Search list

New Member

Cisco ISE - eap-peap and eap-tls

Hi there,

I am also having a problem with Certificates.

Can I understand what certificates should go where?

currently, i have a signed certificate from my internal CA for the ISE. That has been imported and bound and works fine when navigating to HTTPS://

on the client, I have a signed certificate from the CA also, which has been imported and I can see it in the local certificate store under Personal folder.

Should I need any other certificates on the machine or the ISE to get EAP-TLS working?

I am trying to authenticate the machine and the user currently logged on. User's do NOT have a cert, only the machine does. Do the users need a cert for EAP TLS too?

thanks

Mario

Cisco ISE - eap-peap and eap-tls

Hi Mario.

Did you get this to work? I allso am trying to use machine cert to authenticate the device and username/password for the user.

New Member

Cisco ISE - eap-peap and eap-tls

Hi, yes I got this to work by using 2 authentication policies in the ISE. 1 policy was for the machine auth and allows Eap-tls ONLY and to use a cert profile as identity source. Then second policy was created for user auth and allows Eap- peap ONLY and use my AD as a identity source.

Try that... It's a while since I played with it now. But I can lab it up again if you ge stuck.

Thanks

Mario

Cisco ISE - eap-peap and eap-tls

Thanks I'll try it. At the moment I got PEAP only to work. Now I am setting up EAP-TLS, getting a cert error but I think I forgot to import a cert to ISE. My main concern at the moment is how to get the client machines to do both EAP-methods. My testmachine is Windows Vista and I can only get it to do machine or user authentication in the wireless profile, not both.

Cisco ISE - eap-peap and eap-tls

I got EAP-TLS working for machine cert. Now I just have to combind them

But I am not sure I got the concept right. I'll insert print screens below. I am not getting a hit on the authorization rule.

New Member

Cisco ISE - eap-peap and eap-tls

OK,

so I have just fired up my lab and I actually created an Identity Sequence which contained my AD & my certificate profile.

The authentication policy was allowing EAP-TLS & EAP-PEAP.

I then created 2 authorization rules, 1 for users and 1 for machines permitting access based on windows AD group.

What i found out was that the Windows 802.1x supplicant can only support 1 method of authentication, so if you want this to work properly, you need a different supplicant. I think Cisco do a more advanced one, not sure. You can then specifically choose that for machine auth you use EAP-TLS and for User Auth you use EAP-PEAP.

In my setup. Machine auth ONLY happens when the user logs off the machine and it is sitting at Ctrl+alt+del so that it can still talk to the network and get all relevant updates etc. I found that not only did the machine authenticate using EAP-PEAP, it also authenticated using TLS... I think that is because of the wireless settings I had. I chose EAP-PEAP for wireless settings

When the user then logs in, the user account authenticates using EAP-PEAP. I dont think you can authenticate both the logged on user and the machine at the same time. Not with the native windows supplicant anyway. Windows either sends authentication request for the user or the machine but not both.

Hope that helps.

Mario

Cisco ISE - eap-peap and eap-tls

Yes that helped alot! Thank you. Will try to see if I can get it to work now.

New Member

Cisco ISE - eap-peap and eap-tls

sure, let me know how it goes and rate the post if you have time.

thanks!

Mario

2932
Views
5
Helpful
9
Replies
CreatePlease to create content