SEC0274 - ISE 2.2 Wireless 802.1X with EAP-TLS and PEAP (Part 1)

The video walks you through the configuration of wireless 802.1X using EAP-TLS and PEAP on Cisco ISE 2.2. We configure authentication and authorization policies to support both user and machine authentication and enforce Machine Access Restriction (MAR) using the Windows Native Supplicant. A named ACL is used to restrict network access. We perform testing on both domain and non-domain devices and observe the authentication results.

Part 1 of this video covers ISE authentication and authorization policy configuration.
Topic:
  • Network Device and Group
  • Certificate Profile (Common Name)
  • Active Directory User Group
  • Identity Source Sequence 
  • User and Machine Authentication with EAP-TLS and PEAP
  • Windows 802.1X Native Supplicant
  • Policy Element Result
    • Authorization (Named ACL)
    • Authorization (Authorization Profile)
    • Authentication Policy
    • Authorization Policy
  • Policy Set
    • Authentication Policy
    • Authorization Policy
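The policy flow described above (machine authentication first, then user authentication gated by MAR, with a named ACL chosen per outcome) is easier to reason about when written out as a small state machine. The following is an added illustration written for this page, not Cisco ISE code; the group names, ACL names, MAR cache lifetime and the tiny in-memory "Active Directory" are all assumptions constructed for the example. The MAR cache is keyed on the client MAC address (the calling-station-id), which is what lets a later user authentication from the same endpoint inherit the machine's earlier success.

```python
"""Simulation of ISE-style authentication and authorization with MAR.

Added example for illustration only; not ISE code. All names, groups,
ACLs and the cache lifetime below are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Assumed MAR cache lifetime in seconds (ISE has its own aging setting).
MAR_CACHE_SECONDS = 6 * 3600

# Constructed stand-in for Active Directory: identity -> group membership.
# Machine identities are the certificate CN (the machine FQDN);
# user identities are UPNs. Both are constructed sample data.
AD_DIRECTORY: Dict[str, FrozenSet[str]] = {
    "PC1.corp.example": frozenset({"Domain Computers"}),
    "alice@corp.example": frozenset({"Domain Users", "Wireless-Users"}),
    "bob@corp.example": frozenset({"Domain Users"}),
}

# Assumed authorization profiles and the named ACL each pushes to the WLC.
PROFILES: Dict[str, str] = {
    "Machine_Access": "ACL-MACHINE",        # AD, DNS, GPO only
    "Full_Access": "ACL-FULL",              # domain user on domain machine
    "Restricted_Access": "ACL-RESTRICTED",  # domain user, no machine auth
}


@dataclass
class AuthRequest:
    mac: str                    # calling-station-id of the wireless client
    method: str                 # "EAP-TLS" or "PEAP"
    identity: str               # identity presented by the supplicant
    timestamp: int              # seconds; used for MAR aging
    cert_cn: Optional[str] = None   # EAP-TLS: CN from the client certificate
    password_ok: bool = False       # PEAP: result of the MSCHAPv2 check


@dataclass
class Decision:
    result: str                     # "Accept" or "Reject"
    profile: Optional[str] = None
    acl: Optional[str] = None


class MarCache:
    """Remembers which MACs completed machine authentication and when."""

    def __init__(self) -> None:
        self._machine_auth_at: Dict[str, int] = {}

    def record(self, mac: str, ts: int) -> None:
        self._machine_auth_at[mac] = ts

    def is_machine_authenticated(self, mac: str, now: int) -> bool:
        ts = self._machine_auth_at.get(mac)
        return ts is not None and (now - ts) <= MAR_CACHE_SECONDS


def authenticate(req: AuthRequest) -> Optional[str]:
    """Authentication policy: return the proven identity, or None on failure.

    EAP-TLS uses a certificate profile keyed on Common Name: the CN must
    resolve to an AD object. PEAP requires an AD identity and a valid password.
    """
    if req.method == "EAP-TLS":
        if req.cert_cn is None or req.cert_cn not in AD_DIRECTORY:
            return None
        return req.cert_cn
    if req.method == "PEAP":
        if req.identity in AD_DIRECTORY and req.password_ok:
            return req.identity
        return None
    return None  # unsupported method: treat as authentication failure


def authorize(req: AuthRequest, cache: MarCache) -> Decision:
    """Authorization policy: pick a profile (and its named ACL) per outcome."""
    identity = authenticate(req)
    if identity is None:
        return Decision("Reject")
    groups = AD_DIRECTORY[identity]

    # Rule 1: domain machine -> limited access, and populate the MAR cache.
    if "Domain Computers" in groups:
        cache.record(req.mac, req.timestamp)
        return Decision("Accept", "Machine_Access", PROFILES["Machine_Access"])

    # Rule 2/3: domain user; full access only if the endpoint passed
    # machine authentication within the MAR window, else restricted.
    if "Domain Users" in groups:
        if cache.is_machine_authenticated(req.mac, req.timestamp):
            return Decision("Accept", "Full_Access", PROFILES["Full_Access"])
        return Decision("Accept", "Restricted_Access",
                        PROFILES["Restricted_Access"])

    return Decision("Reject")  # authenticated but matched no rule
```

Running a domain machine through EAP-TLS and then a PEAP user logon from the same MAC yields `Machine_Access` followed by `Full_Access`; the same user from a non-domain laptop (no machine authentication in the cache) lands in `Restricted_Access`, and a certificate whose CN is unknown to AD is rejected before authorization runs. The aging check is what models the case where a user authenticates long after the machine did and falls back to the restricted ACL.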

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

7 comments

Hello Metha. I began deploying EAP-TLS with a test group with GPOs and internal CA and all the involved ACLs. Everything was going well until we had to reimage a device and redeploy it to a user. Since that user hadn't logged in before, there was no user certificate, and therefore the user couldn't connect to the wireless network. I haven't been able to get around that issue. Is there any way around this? EAP-TLS is something I would like to keep using and the native Windows supplicant is something we must use. Thank you.

A new computer needs to connect to the network at least once to get the cert through GPO. This usually happens when the desktop team preps the computer over wire in a secure area.

Hello,

Is this the only configuration that is needed for the WLC to communicate with ISE?

I mean, I do not see where the initial configuration for the WLC was done?

Thanks

We assume the WLAN was already configured. What is shown here is the config to work with ISE.

A computer has already joined AD, and users who logged on to this PC before enabling EAP authentication were able to log in and everything works just fine, but the problem is that if I create a new user in AD, that new user can't log in and authentication fails.
Is there any way to fix this?

Check and make sure the computer can connect to AD at Windows login. Enable computer authentication if it is not already enabled, and allow appropriate access.

I don't know where I am wrong, because now a new user (a user logging in to this PC for the first time) can log in, but the user certificate is not imported/downloaded from AD. This is because user authentication fails due to the lack of a user certificate.