The client certs are supposed to be pre-deployed (autoenrollment is one method) when the computer is built by the IT admin or before ISE is rolled out into the network, so by the time users try to access the network using EAP-TLS, they already have the cert to use. Determining domain PC is a part of machine authentication and MAR helps tie user and machine authentication together through the "wasmachineauthenticated" condition.
@RajulBhatnagar 10 years ago
To do machine authentication with EAP-TLS you need 2 things. 1) Your Certificate Profile should have Binary Certificate Comparison checked. 2) For Binary Cert Comp to work you need to have your certificate published to the AD. To do this, duplicate the computer certificate template and select publish to Active Directory. What ISE (or ACS) does is that the thumbprint (SHA1 hash) of your certificate is compared to the thumbprint published to the AD for binary certificate comparison. Without this the machine auth request is treated as a user auth request and so not added to the MAR cache.
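A quick way to confirm the prerequisite from the comment above before troubleshooting ISE: check that the machine certificate in the local store is actually present in the computer object's userCertificate attribute, since that is what the binary comparison is matched against. This is an added example, not from the video or the commenters; it assumes the ActiveDirectory RSAT module is installed and the script runs on the domain-joined client with rights to read its own computer object.

```powershell
# Added example (not Lab Minutes' or Cisco's code): verify the machine cert that
# EAP-TLS machine auth will present is published to AD, which binary certificate
# comparison in ISE/ACS depends on.
# Assumption: ActiveDirectory module (RSAT) is available on this client.
Import-Module ActiveDirectory

# Certs in the machine store with a private key and the Client Authentication EKU
# (OID 1.3.6.1.5.5.7.3.2); these are the candidates the supplicant can present.
$localCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2') }

# userCertificate is multi-valued; each value is the DER encoding of one
# published certificate. Index them by thumbprint (the SHA1 hash ISE compares).
$computer  = Get-ADComputer -Identity $env:COMPUTERNAME -Properties userCertificate
$published = @{}
foreach ($der in $computer.userCertificate) {
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                       -ArgumentList (,$der)
    $published[$cert.Thumbprint] = $cert
}

# Report each local candidate as published or missing.
foreach ($c in $localCerts) {
    if ($published.ContainsKey($c.Thumbprint)) {
        "OK      $($c.Thumbprint)  $($c.Subject)  (published to AD)"
    } else {
        "MISSING $($c.Thumbprint)  $($c.Subject)  (not in userCertificate; binary comparison will fail)"
    }
}
```

A MISSING line means the template is not publishing to AD (or the object has not been updated since enrollment), which matches the symptom of machine auth being treated as user auth.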
@labminutes 10 years ago
Interesting point. Never thought that would be the case. How did you find this out? Will definitely try it out. Thank you for sharing..
@methachiewanichakorn6366 10 years ago
miner0 Yes.. For machine auth, you want to allow traffic to just the domain controller.
@labminutes 11 years ago
We ran into an issue where ISE failed to verify previous machine authentication with native EAP-TLS and we suspect that this could be a bug, as it was also reported by our other members, and that's why we left that part of the video out. Look at our PEAP video SEC0043 to see how MAR is supposed to work. For MAR to work, you need both User and Machine authentication set on the client settings. Please go to the SEC0045 video page on our website and look at the comments section for more detail.
@labminutes 10 years ago
Basic User/Machine authentication with EAP-TLS works with the Base License. No Advanced License required.
@labminutes 11 years ago
Yes.. The concept is the same. Please check out our video SEC0046 - Cisco ISE 1.1 Wireless 802.1X and Machine Authentication with EAP-TLS
@labminutes 11 years ago
When ISE performs user cert authentication, it does not involve AD. It only checks with AD for the authorization, so I suspect this is why the identity store is blank. The CN name on the user cert can be anything if you just do authentication. If you also need authorization to work, the CN has to be the same as the AD username, otherwise ISE will not be able to look up the user against AD to fetch the user group info. Only the CN name will show up on the report, so that's all you have to query against.
@labminutes 11 years ago
ISE is smart enough to only use the certificate profile with EAP-TLS and username/password on AD or local for PEAP. It doesn't really check them all every time. They were added under the same Ident source seq to save the config. You can separate them if you like and still get the same result.
@labminutes 11 years ago
Actually if you think about this, user AD login has nothing to do with 802.1X authentication. As long as the machine authentication passed and you allow the computer to communicate with AD, the user should still be able to log into AD, even though that could be his first time, create a local user profile, and receive the user cert pushed via GPO. Obviously, he will have no other network access at this point, but at least he would have the user cert, and can just re-login to get full network access.
@richk3c 11 years ago
The WasMachineAuth attribute is now working with ISE 1.2 w/ patch #1. I use it in the user authorization condition and it was able to verify the previous machine auth had succeeded.
@richk3c 11 years ago
When you created the identity source seq. you checked and selected the cert profile LM_CERT_CN, then added AD1 and then Internal Users. Does this imply that the order of lookup is always certs first before AD1 and Internal Users? Also, at the bottom of that page you have "Do not access other stores in the sequence and set the "AuthenticationStatus" attribute to "ProcessError"" checked? If the order is certs first, won't that mean AD1 or Internal Users will never be used? Applies to access, not Not Found?
@richk3c 11 years ago
Did I miss the part on Machine Access Restriction (MAR) to ensure that a user can access the network only from a domain computer? I will assume that the MAR part would have demoed what would have happened if you used the non-domain LM-WIN7-NONCorp computer. How's it done? What I am most curious about is your 802.1X config on your Win7 client, the authentication tab. Did you select "User or computer authentication", "computer authentication" or "user authentication"? These 3 options are confusing.
@richk3c 11 years ago
I've noticed that when you drill down on both the machine and user auth entries there was no Identity Store and Active Directory Domain info? Also, the user name Admin1 seems to be the CN name in the cert. But what if I wanted to do a report on all the domain users, using the AD domain username, that have attempted or successfully authenticated? Do I have to assume that the CN name must be a domain user, but can I query on reports using CN names? Displaying the domain name would be ideal.
@richk3c 11 years ago
Okay, so when using EAP-TLS the user cert must be pre-deployed onto the client machine by IT before attempting to log on using 802.1X. That means in general a domain computer in an enterprise would only be usable by the one user that the PC was assigned to by IT. Any other user (say user2) attempting to log in using that computer would fail unless they have IT push down a user2 cert? Btw, I'm having the same trouble with the WasMachineAuth too. I had to remove the Domain User in conditions for it to work.
@labminutes 11 years ago
Yeah, there seems to be an issue between EAP-TLS and MAR. Thanks for the confirmation.
@richk3c 11 years ago
Btw, this is great stuff. I was really surprised that you were able to log in successfully as Employee1 as well. Initially you demoed that only the Admin1 user cert was pushed down to the client machine. So, does the Employee1 user cert get downloaded upon logon due to autoenrollment configured on the certificate template on the CA? Also, I'm really curious how you determine if a client was a domain PC or not, through the authentication/authorization policy configs or this MAR feature?
@Gladiator12350 11 years ago
Is it possible to check if the PC is in the domain using wireless?