Cisco Support Community
New Member

EAP-TLS with ISE

I have been reading the Cisco ISE for BYOD and trying to create an Authentication Policy for EAP-TLS. When I build the new policy and add a new condition, then go to Network Access, EAPAuthentication is not an option. So I went to policy element and created a new Authentication, Compound condition and added it to the library. When I try to add it to my Authentication Policy it doesn't allow me to choose it and says only relevant conditions are selectable. Am I missing a step somewhere?

Any help is greatly appreciated and thanks in advance!

Accepted Solutions
New Member

Hi,

If you want to use a different identity store for BYOD devices, all you have to do is edit the default dot1x rule, and add a condition above your default condition/identity store.

Add an attribute value of Certificate - SAN/Issuer, etc., depending on what's your differentiator between BYOD devices and corporate assets.

Please see attached printscreen.

3 REPLIES
New Member

Thanks, that's what I needed, thanks. I was closing out of my current policy and inserting a new one above the default. Now I need to get my certs working with my phone and ISE. Currently, we are using PacketFence and MobileIron, which issues the certs during registration - still working with security team to see how this is done. When I look at the certs on my phone I can see the root certs, but when I create an SSID and choose a cert the root isn't an option. Any ideas how I can connect using a new SSID with the root certs on my phone?

New Member

Hi Bret,

EAP-TLS does not mean that you're using your root CA certificates to connect to the network. You're using instead a machine or user certificate signed by your CA.

The CA's certificate provides the means to check one's presented certificate. It is the same thing with your ID. Somebody did some checks on you (the authorities) and guarantees that you are who you claim to be.
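
Added example, not part of the original thread and not ISE configuration: a throwaway OpenSSL lab showing the two points made above, that the client presents its own CA-signed certificate while the root is only the trust anchor used to check it, and that the SAN/Issuer of that client certificate is what a rule above the default can key on. All CA names, subjects, SAN values and the `classify` helper are constructed for illustration, and OpenSSL 1.1.1 or later with its default configuration file is assumed.

```shell
#!/usr/bin/env bash
# Constructed lab PKI: all names, subjects and SAN values below are made up.
set -eu
WORK=$(mktemp -d)

# make_ca <prefix> <CN>: self-signed root. Its private key stays with the CA;
# ISE and the phone only ever hold the public certificate as a trust anchor.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_client <prefix> <CN> <SAN> <ca-prefix>: identity certificate plus its
# own private key; this pair is what a supplicant presents in EAP-TLS.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=%s\nextendedKeyUsage=clientAuth\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# chain_ok <cert-prefix> <ca-prefix>: the check the CA certificate exists for.
chain_ok() { openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1; }

issuer_cn() {
  openssl x509 -in "$WORK/$1.pem" -noout -issuer -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}
san_of() {
  openssl x509 -in "$WORK/$1.pem" -noout -ext subjectAltName | grep -o 'DNS:[^, ]*'
}

# classify <cert-prefix>: stand-in for the condition placed above the default
# rule (not ISE syntax): untrusted chain is rejected, then the SAN picks a store.
classify() {
  chain_ok "$1" corpca || { echo REJECT; return 0; }
  case "$(san_of "$1")" in
    *.byod.example) echo BYOD_STORE ;;
    *)              echo DEFAULT_STORE ;;
  esac
}

make_ca corpca "Lab Corp Root CA"
make_ca otherca "Unrelated Root CA"
issue_client phone  "bret-phone"  "DNS:phone1.byod.example"  corpca
issue_client laptop "corp-laptop" "DNS:laptop7.corp.example" corpca
issue_client rogue  "bret-phone"  "DNS:phone1.byod.example"  otherca
for c in phone laptop rogue; do echo "$c -> $(classify "$c")"; done
```

The `rogue` certificate carries the same subject and SAN as `phone` but chains to a different root, so it is rejected before the SAN is ever consulted.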
