User and Machine Certificate Authentication using EAP-TLS


User and Machine Certificate Configuration in Cisco ISE:

Step 1:
Create a Certificate Authentication Profile:
Under Identity Store select AD1 (Active Directory) or Not Applicable.
- Basic certificate checking (validating the presented certificate against the trusted CA certificates) does not require an identity store.
- When AD1 is selected, the subject names in the certificate can be used to look up the user in Active Directory.

Use Identity From:
Certificate Attribute: select Common Name (CN).
- The CN value is used as the username for the AD lookup and is also the username shown in ISE logs.
- Caveat: user certificates issued from the default AD User template carry the account's display name in the CN and the UPN in the Subject Alternative Name, so a CN-only lookup can fail for user certificates while working for machine certificates (whose CN is the machine FQDN).

Any Subject or Alternative Name Attributes in the Certificate:
- All subject names and subject alternative names in the certificate are tried, in turn, when looking up the user.
- The Active Directory implicit UPN (User Principal Name) of the matched account is used as the username in the logs.
Note: this option is only available if AD1 is selected as the identity store.


Match Client Certificate Against Certificate in Identity Store:
- Performs a binary comparison of the presented certificate with the certificate stored on the account (the userCertificate attribute); an AD or LDAP identity store must be selected for this.
- If AD1 is selected, this can also be set to "Only to resolve identity ambiguity", so the comparison is done only when the name lookup returns more than one account.



Machine Certificate Profile:
User Certificate Profile:

Step 2: Machine Certificate Policy Set
Create the authentication and authorization rules under Policy > Policy Sets as shown below.
Policy set condition: Radius:User-Name STARTS WITH host/
(The Windows supplicant sends host/<machine FQDN> as the EAP identity for machine authentication, so this prefix separates machine authentications from user authentications. Keep this policy set above the user one: policy sets are evaluated top down and the first match wins.)

Under the Authentication Policy use the Machine Certificate Profile created in Step 1.
In the Authorization Policy all remaining traffic is permitted.

Step 3: User Certificate Policy Set
Create the authentication and authorization rules under Policy > Policy Sets as shown below.
Policy set condition: the request comes from the network device group All WLC's OR Radius:Called-Station-ID ENDS WITH <SSID NAME>
(A WLC sends Called-Station-Id as <AP MAC>:<SSID>, which is why ENDS WITH the SSID name identifies the wireless network.)

Under the Authentication Policy use the User Certificate Profile created in Step 1.
In the Authorization Policy all remaining traffic is permitted.
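The following is an added example, not code from the original post and not ISE's own logic: a small Python model of how the Certificate Authentication Profile from Step 1 picks the identity out of an EAP-TLS client certificate (CN only versus any subject or alternative name, plus the binary comparison option) and how the Step 2 and Step 3 conditions choose between the machine and user policy sets. The SSID, domain, account names, RADIUS attributes and certificate fields are constructed test data.

```python
# Added example, not from the original post and not ISE code: a model of the
# Certificate Authentication Profile (Step 1) identity selection and the Step 2/3
# policy-set conditions. All names, certificate fields and directory entries
# below are constructed test data; the SSID and domain are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SSID = "CORP-WIFI"  # assumed SSID used in the Step 3 condition


@dataclass
class ClientCert:
    """Certificate fields ISE can take the identity from (subset)."""
    subject_cn: str
    san_upn: Optional[str] = None   # SAN otherName, Microsoft UPN
    san_dns: Optional[str] = None   # SAN dNSName
    der: bytes = b""                # raw certificate, for binary comparison


@dataclass
class AdAccount:
    """Subset of an AD user/computer object."""
    upn: str
    dns_host_name: Optional[str] = None
    user_certificate: bytes = b""   # AD 'userCertificate' attribute


def lookup(directory: List[AdAccount], name: str) -> Optional[AdAccount]:
    """AD lookup: a name matches the UPN, its user part, or dNSHostName."""
    n = name.lower()
    for acct in directory:
        keys = {acct.upn.lower(), acct.upn.split("@")[0].lower(),
                (acct.dns_host_name or "").lower()}
        if n in keys:
            return acct
    return None


def identity_from_cert(cert: ClientCert, directory: List[AdAccount],
                       use_identity_from: str) -> Tuple[str, Optional[AdAccount]]:
    """'CN'  = Certificate Attribute: Common Name (only the CN is tried).
    'ANY' = any subject or alternative name: each name is tried in turn
    until one resolves; the resolved name is what the logs will show."""
    if use_identity_from == "CN":
        candidates = [cert.subject_cn]
    elif use_identity_from == "ANY":
        candidates = [c for c in (cert.subject_cn, cert.san_upn, cert.san_dns) if c]
    else:
        raise ValueError("unknown identity source: " + use_identity_from)
    for cand in candidates:
        acct = lookup(directory, cand)
        if acct is not None:
            return cand, acct
    return candidates[0], None


def select_policy_set(radius: Dict[str, str]) -> Optional[str]:
    """Step 2: the Windows supplicant sends host/<FQDN> as the EAP identity
    for machine authentication. Step 3: a WLC sends Called-Station-Id as
    <AP MAC>:<SSID>, so ENDS WITH <SSID> matches the wireless network.
    Order matters: the machine rule is evaluated first, as in the post."""
    if radius.get("User-Name", "").startswith("host/"):
        return "Machine"
    if radius.get("Called-Station-Id", "").endswith(":" + SSID):
        return "User"
    return None


def authenticate(radius: Dict[str, str], cert: ClientCert, directory: List[AdAccount],
                 use_identity_from: str = "CN", binary_compare: bool = False) -> Dict[str, str]:
    """Runs one EAP-TLS request through policy-set selection, identity lookup
    and (optionally) the 'Match Client Certificate' binary comparison."""
    pset = select_policy_set(radius)
    if pset is None:
        return {"result": "no policy set matched"}
    ident, acct = identity_from_cert(cert, directory, use_identity_from)
    if acct is None:
        return {"policy_set": pset, "identity": ident, "result": "user not found"}
    if binary_compare and acct.user_certificate != cert.der:
        return {"policy_set": pset, "identity": ident, "result": "certificate mismatch"}
    return {"policy_set": pset, "identity": ident, "result": "accept"}


# Constructed directory and certificates: the user certificate carries the
# display name in the CN (as certificates from the default AD User template do)
# and the UPN in the SAN, so a CN-only lookup fails while 'ANY' succeeds via the UPN.
DIRECTORY = [
    AdAccount(upn="jdoe@corp.example", user_certificate=b"DER-OF-JDOE-CERT"),
    AdAccount(upn="PC01$@corp.example", dns_host_name="pc01.corp.example"),
]
USER_CERT = ClientCert("John Doe", san_upn="jdoe@corp.example", der=b"DER-OF-JDOE-CERT")
MACHINE_CERT = ClientCert("pc01.corp.example", san_dns="pc01.corp.example")
AP = "00-11-22-33-44-55"
USER_RADIUS = {"User-Name": "jdoe@corp.example", "Called-Station-Id": AP + ":" + SSID}
MACHINE_RADIUS = {"User-Name": "host/pc01.corp.example", "Called-Station-Id": AP + ":" + SSID}

if __name__ == "__main__":
    print(authenticate(MACHINE_RADIUS, MACHINE_CERT, DIRECTORY, "CN"))
    print(authenticate(USER_RADIUS, USER_CERT, DIRECTORY, "CN"))     # user not found
    print(authenticate(USER_RADIUS, USER_CERT, DIRECTORY, "ANY"))    # accept as jdoe@corp.example
```

Running it shows the practical difference between the two identity sources: with the user certificate's CN set to the display name the CN-only profile returns "user not found", while the any-name profile resolves the account through the UPN and logs that UPN, which is the behaviour the Step 1 note about the implicit UPN describes.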

Step 4:
Under Administration > System > Certificates > System Certificates:
Make sure ISE has a certificate issued by one of your internal root CAs and that the "EAP Authentication" usage is selected for it; this is the certificate ISE presents to the supplicant in the TLS handshake.
That root CA has to be present in every client PC's Trusted Root Certification Authorities store, and the supplicant must be configured to validate the server certificate against it. Installing the CA without enabling server validation leaves clients willing to authenticate to any RADIUS server.

Step 5:
Under Administration > System > Certificates > Trusted Certificates:
Import all root and intermediate CA certificates that issue the client certificates and check the following options:
"Trust for client authentication and Syslog" (required: this is what lets ISE accept EAP-TLS client certificates chained to that CA)
"Trust for authentication of Cisco Services" (not needed for EAP-TLS itself; only relevant if ISE authenticates Cisco services against this CA)

Step 6:
PC wireless NIC card settings (shown as screenshots in the original post):

For User Certificate use the settings below:

For Machine Certificate use the settings below:
Automated SMS for Guest Implementation: Self Registration using Cisco ISE 2.2


For more details about the guest configuration see the earlier post, Guest Implementation.

This document explains the automated SMS gateway service for self-registered guest users.
The username and password are sent directly to the user's phone number.

I'm using Telenor as the SMS gateway provider.

Step 1:

Here the Telenor service provider uses port 44343, so make sure the firewall allows outbound connections from ISE on port 44343. Limit the rule to the provider's gateway host rather than opening the port to all external addresses.

Step 2:
Import all root and intermediate certificates for the sms-pro-net gateway into the ISE Trusted Certificates store (Administration > System > Certificates > Trusted Certificates); otherwise ISE will not trust the TLS connection to the provider.

Step 3:
Under the guest portal settings, in the Self-Registration Page Settings, check "Send credentials via SMS".





TESTING:-