ISE 2.3 Wired 802.1x with AD and or Certificate

roger perkin
Level 2

Can anyone provide me a sample 2.3 policy for a wired 802.1x policy?

 

First I would like to allow access based on the fact the computer is a domain joined machine. 

Secondly, I would like to allow access based on presence of a certificate.

 

Question: 

Am I able to have separate policies on different devices? 

 

i.e. start to deploy with AD domain joined machine status and then gradually migrate to certificate based auth.

 

Or do I need to decide on one or the other? 

 

Thanks

 

1 Reply

Hi, I don't have an example to hand, but you are able to do exactly what you have asked. You can create AuthZ rules to match specifically on the authentication method used. I assume when you say domain computer you mean PEAP/MSCHAPv2, as that is the most common authentication method.

 

For MSCHAPv2 you can create an AuthZ rule to match on "NetworkAccess : EAPAuthentication Equals EAP-MSCHAPv2".

 

For certificates you'd create another rule and use the condition "NetworkAccess : EAPAuthentication Equals EAP-TLS".

 

ISE will go through the rules top down until a match is found; once matched, it will not process the rest. So in this example, if you've deployed certificates and the client supplicant is configured to use EAP-TLS, it will not match on the EAP-MSCHAPv2 rule and will progress to the next, hopefully matching the EAP-TLS rule.

 

You can combine other conditions, such as AD domain group membership, and use MSCHAPv2 AND Domain Computers, etc.

 

HTH
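As an added illustration of the top-down, first-match evaluation described in the reply (not ISE code and not from the original thread), the following toy model orders the two rules as suggested, ANDs the AD group condition onto the MSCHAPv2 rule, and adds an assumed catch-all Default rule; the profile names, attribute dictionary keys and the three sample sessions are constructed.

```python
"""Toy model of ISE authorization-policy evaluation: rules are checked top down
and the first rule whose conditions all hold decides the result.
Added illustration only; attribute names mirror the ones quoted in the reply."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Session = Dict[str, object]  # attributes ISE knows about one 802.1x session

@dataclass
class AuthzRule:
    name: str
    conditions: List[Callable[[Session], bool]]  # ANDed; an empty list always matches
    profile: str                                  # authorization profile returned

def eap_auth_equals(method: str) -> Callable[[Session], bool]:
    """NetworkAccess:EAPAuthentication Equals <method>"""
    return lambda s: s.get("NetworkAccess:EAPAuthentication") == method

def ad_group_contains(group: str) -> Callable[[Session], bool]:
    """AD external group membership (only known after the AD lookup succeeds)."""
    return lambda s: group in s.get("AD:ExternalGroups", [])

# Order matters: MSCHAPv2 + Domain Computers first, EAP-TLS second, then a deny.
POLICY = [
    AuthzRule("Domain Computers (PEAP/MSCHAPv2)",
              [eap_auth_equals("EAP-MSCHAPv2"), ad_group_contains("Domain Computers")],
              "PermitAccess"),
    AuthzRule("Certificate (EAP-TLS)", [eap_auth_equals("EAP-TLS")], "PermitAccess"),
    AuthzRule("Default", [], "DenyAccess"),  # assumed catch-all
]

def evaluate(policy: List[AuthzRule], session: Session) -> Optional[Tuple[str, str]]:
    """Return (rule name, profile) of the first matching rule; later rules are skipped."""
    for rule in policy:
        if all(check(session) for check in rule.conditions):
            return rule.name, rule.profile
    return None  # unreachable while the policy ends in an unconditional rule

# Constructed sample sessions: a not-yet-migrated PC, a migrated PC, and a user
# credential sent over MSCHAPv2 from a machine that is not a domain member.
SESSIONS: Dict[str, Session] = {
    "legacy-pc":   {"NetworkAccess:EAPAuthentication": "EAP-MSCHAPv2",
                    "AD:ExternalGroups": ["Domain Computers"]},
    "migrated-pc": {"NetworkAccess:EAPAuthentication": "EAP-TLS"},
    "byod-laptop": {"NetworkAccess:EAPAuthentication": "EAP-MSCHAPv2",
                    "AD:ExternalGroups": []},
}

if __name__ == "__main__":
    for host, sess in SESSIONS.items():
        print(f"{host:12s} -> {evaluate(POLICY, sess)}")
```

The migrated PC falls through the MSCHAPv2 rule without matching and is caught by the EAP-TLS rule, while the non-domain laptop using MSCHAPv2 reaches the Default rule because the ANDed group condition fails.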