ISE BYOD machine authentication 3.1.0.x

jardelalmeida
Level 1

Hello Guys,

I need help to validate whether my understanding is correct.
I'm new to ISE, I know some rules but I can't progress with my client's problem.
1 - He has an AD, but there is no GPO policy for Wireless.
2 - There is a rule in ISE that first validates the machine, then the user, and if both match, it is released to the corporate network.
If it doesn't match on the machine (client's domain), it receives a different VLAN and falls under the BYOD rule.

(screenshot attached: jardelalmeida_0-1714218563836.png)

To get around it without AD support, we tried to change the rules for TEAP, however, as there are many machines, we would have to do this via GPO, and the experts were unable to do so.

Doubts:
1 - Is there any way to validate the user and machine without a specific GPO for Wireless (802.1x)?
2 - If not, the team should create a GPO that installs the certificate on the machine, right? Then I would have to change my rule to TLS, is that right? But could you share some example/video on how I should configure this rule? I think that to authenticate the visitor's machine (if it doesn't have the certificate), I don't know if it would be the same rule, for example:
Rule 1:
AND: EAP-TLS

AND: AD
AND: Certificate Subject - Common Name Starts_With "string x, y, or z"
Result => VLAN Permit 56

And if you don't fall under this rule
Rule 2:
AND: Radius Called Stations ID (SSID)
AND: AD External to the client (domain user)
Result => VLAN Permit 57 (BYOD rule - user's own machine)

Does that make sense?
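As an added example (not from this thread or from Cisco), the following PowerShell checks, on a Windows client, the two prerequisites the question above turns on: whether a machine certificate usable for EAP-TLS is present, and which EAP method and authentication mode the wireless profile actually uses. It assumes the corporate SSID profile is named "Corp-WiFi"; the EAP type numbers are the IANA assignments (13 = EAP-TLS, 25 = PEAP, 55 = TEAP).

```powershell
# Added example: readiness check for machine/user 802.1X on a Windows client.
# Assumed profile name: "Corp-WiFi" (replace with the real SSID profile).
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID

function Test-MachineCertificate {
    # A certificate the supplicant can use for machine EAP-TLS must live in
    # LocalMachine\My, have a private key, carry the Client Authentication EKU
    # and still be valid. Returns nothing if no such certificate exists, which
    # is the "personal device, no certificate" case from this thread.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and
                       ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthEku) -and
                       $_.NotAfter -gt (Get-Date) } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

function Get-WlanEapSettings {
    param([string]$ProfileName = 'Corp-WiFi')
    # Export the WLAN profile XML (no key material) and read the OneX section.
    $dir = Join-Path $env:TEMP 'wlanexport'
    New-Item -ItemType Directory -Force -Path $dir | Out-Null
    netsh wlan export profile name="$ProfileName" folder="$dir" | Out-Null
    $file = Get-ChildItem $dir -Filter '*.xml' | Select-Object -First 1
    if (-not $file) { throw "Profile '$ProfileName' was not found on this machine" }
    [xml]$xml = Get-Content $file.FullName
    $onex = $xml.WLANProfile.MSM.security.OneX
    if (-not $onex) { return [pscustomobject]@{ Profile = $ProfileName; AuthMode = 'none'; Method = 'no 802.1X' } }
    $type = [int]$onex.EAPConfig.EapHostConfig.EapMethod.Type
    $method = switch ($type) { 13 { 'EAP-TLS' } 25 { 'PEAP' } 55 { 'TEAP' } default { "EAP type $type" } }
    [pscustomobject]@{
        Profile  = $ProfileName
        AuthMode = $onex.authMode   # machine, user or machineOrUser
        Method   = $method
    }
}

# Usage: an empty certificate list plus Method = PEAP matches the situation
# described in the thread (no GPO, no machine certificate, PEAP in use).
Test-MachineCertificate
Get-WlanEapSettings -ProfileName 'Corp-WiFi'
```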


1. You can manually configure all supplicants.  

Sounds like an MDM would be a great use-case here.  How are the machines managed?  How are they secured?  What is the use-case for allowing unmanaged machines onto the protected network?  

A GPO (for Windows domain-joined devices) or an MDM would be the best scenario here.

Hi @ahollifield 

I Hope you are well.

Thank you for the answer.

That's the issue, today there is no GPO for Wireless. No GPO, no machine certificate and no rule that reads the certificate parameter.
TEAP worked, however, the customer support team was unable to enable TEAP in a new GPO.
Regarding a Wireless GPO (TEAP), and with a certificate, would only configuring this TLS rule with a certificate be functional? In other words, TLS machines with the client's certificate matching the first rule, and those that are not from collaborators (outside the domain), would only validate the WiFi user when connecting to the network, would it simply work like that?

What issue did they have with GPO?  TEAP configuration is supported in both Intune and GPO.

Yes it would, as long as they are issuing both user and machine certificates?  If there is only a single certificate on the machine then there would be no value of using TEAP, just use EAP-TLS.

How would the "collaborators" receive a certificate though?  Are you proposing using PEAP for those users?  If so, PEAP is broken from an encryption standpoint.  AD credentials should not be entered into unmanaged machines.

Hello @ahollifield 

They informed that the TEAP option did not appear in the configuration, I shared some support links, but they gave up and informed that they will create a policy for TLS.

As there is no certificate, nor a Wireless policy in AD (GPO), PEAP is the normal authentication, which is why sometimes it works, and sometimes it doesn't.

I think that with the Wireless GPO and the adjustments to the rule to validate the certificate, I think it will work fine.

I just don't know if the certificate doesn't match and it's a personal machine, if the authentication will work? I need to study a little more what the new rule will be like with TLS + Certificate.

TLS is certificate auth. If the device is a personal device and not enrolled in AD, it won’t get a certificate and will not be able to use EAP-TLS

OK! I understand, so I need to think of a rule/network for third-party personal machines.
The visitor has Guest, which is configured as MAB, and third parties, who are registered in the user domain, I need to think of a rule for them. About how they will be able to access my client's environment.

Thank you!