EAP-TLS ISE Configuration

Allowed Protocols

Create or modify an Allowed Protocols policy:

  1. Navigate to Policy > Policy Elements > Results > Authentication > Allowed Protocols

  2. Create a new policy or edit an existing one

  3. Enable:

    • Allow EAP-TLS

    • EAP-TLS L-bit (for session resume)

Certificate Configuration

Import Trusted CA

  1. Navigate to Administration > System > Certificates > Trusted Certificates

  2. Click Import

  3. Upload DOMUS-CA-CHAIN.pem (root + intermediate)

  4. Enable for:

    • Trust for client authentication

    • Trust for certificate-based admin authentication

Configure EAP Certificate

  1. Navigate to Administration > System > Certificates > System Certificates

  2. Ensure ISE has a system certificate with:

    • EKU: Server Authentication, Client Authentication

    • Usage: EAP Authentication

Authentication Policy

Policy Set Condition

Network Access:EapAuthentication EQUALS EAP-TLS

Identity Source

Use the following certificate attributes as the identity source:

Subject - Common Name (CN)
Subject Alternative Name - DNS
Subject Alternative Name - Email

Authorization Policy

Condition Examples

Certificate-based conditions:

# Match certificate issuer
CERTIFICATE:Issuer CONTAINS "DOMUS-ISSUING-CA"

# Match SAN
CERTIFICATE:Subject Alternative Name - DNS CONTAINS "inside.domusdigitalis.dev"

# Match OU
CERTIFICATE:Subject - Organizational Unit EQUALS "Workstations"

AD Group Mapping

Combine certificate auth with AD group membership. The group lookup is keyed on the identity taken from the certificate, so the condition tests the AD group attribute itself (comparing the CN to a group name would never match):

Network Access:EapAuthentication EQUALS EAP-TLS AND AD:ExternalGroups EQUALS DOMUS.inside.domusdigitalis.dev/GRP-Computers-Linux-Workstations
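The following is an added example, not Cisco ISE code: an offline evaluator for the authorization conditions listed above (EQUALS, CONTAINS, conditions ANDed within a rule, first matching rule wins). A certificate is modelled as a dict of ISE attribute names to values; the attribute names, the sample certificate, the rule names and the authorization profile names are assumptions constructed for the example, and the AD group value is assumed to have been resolved from the certificate identity.

```python
"""Offline check of which ISE-style authorization rule a client certificate
would hit. Added example, not ISE code: models EQUALS / CONTAINS over
certificate attributes so a policy can be sanity-checked before rollout."""
from dataclasses import dataclass

# Constructed sample attributes for one Linux workstation certificate
# (assumption: AD:ExternalGroups was resolved from the certificate identity).
SAMPLE_CERT = {
    "CERTIFICATE:Issuer": "CN=DOMUS-ISSUING-CA,O=Domus Digitalis",
    "CERTIFICATE:Subject - Common Name": "ws-lin-042.inside.domusdigitalis.dev",
    "CERTIFICATE:Subject - Organizational Unit": "Workstations",
    "CERTIFICATE:Subject Alternative Name - DNS": ["ws-lin-042.inside.domusdigitalis.dev"],
    "CERTIFICATE:Subject Alternative Name - Email": [],
    "AD:ExternalGroups": ["DOMUS.inside.domusdigitalis.dev/GRP-Computers-Linux-Workstations"],
}


@dataclass
class Condition:
    attribute: str
    operator: str   # "EQUALS" (exact) or "CONTAINS" (substring)
    value: str

    def matches(self, attrs):
        present = attrs.get(self.attribute)
        if present is None:
            return False            # a missing attribute never matches
        values = present if isinstance(present, list) else [present]
        if self.operator == "EQUALS":
            return any(v == self.value for v in values)
        if self.operator == "CONTAINS":
            return any(self.value in v for v in values)
        raise ValueError(f"unsupported operator {self.operator}")


@dataclass
class Rule:
    name: str
    conditions: list   # every condition must match (AND)
    profile: str

    def matches(self, attrs):
        return all(c.matches(attrs) for c in self.conditions)


def parse_condition(text):
    """Parse 'ATTRIBUTE OP value' as written in the condition examples; quotes optional."""
    for op in (" EQUALS ", " CONTAINS "):
        if op in text:
            attr, value = text.split(op, 1)
            return Condition(attr.strip(), op.strip(), value.strip().strip('"'))
    raise ValueError(f"no operator in condition: {text}")


# Assumed rule set, evaluated top to bottom; the rule and profile names are invented.
AUTHZ_RULES = [
    Rule("Linux-Workstations",
         [parse_condition('CERTIFICATE:Issuer CONTAINS "DOMUS-ISSUING-CA"'),
          parse_condition('CERTIFICATE:Subject - Organizational Unit EQUALS "Workstations"'),
          parse_condition("AD:ExternalGroups EQUALS "
                          "DOMUS.inside.domusdigitalis.dev/GRP-Computers-Linux-Workstations")],
         "PermitAccess-Workstations"),
    Rule("Any-Internal-SAN",
         [parse_condition('CERTIFICATE:Subject Alternative Name - DNS CONTAINS "inside.domusdigitalis.dev"')],
         "PermitAccess-Limited"),
]

IDENTITY_SOURCES = (
    "CERTIFICATE:Subject - Common Name",
    "CERTIFICATE:Subject Alternative Name - DNS",
    "CERTIFICATE:Subject Alternative Name - Email",
)


def identity_from_cert(attrs, sources=IDENTITY_SOURCES):
    """Return the first non-empty identity attribute, in the configured order."""
    for src in sources:
        v = attrs.get(src)
        if isinstance(v, list):
            v = v[0] if v else None
        if v:
            return v
    return None


def authorize(attrs, rules=AUTHZ_RULES, default="DenyAccess"):
    """Return (rule name, profile) of the first matching rule, else the default."""
    for rule in rules:
        if rule.matches(attrs):
            return rule.name, rule.profile
    return "Default", default


if __name__ == "__main__":
    print(identity_from_cert(SAMPLE_CERT), authorize(SAMPLE_CERT))
```

A certificate that passes the issuer check but carries a different OU falls through to the SAN rule, and one from an untrusted issuer with an external SAN lands on the default rule; running the evaluator over a few representative certificates is a cheap way to confirm the rule order before touching the production policy set.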

Verification

DataConnect Query

SELECT USERNAME, CALLING_STATION_ID, POLICY_SET_NAME, AUTHORIZATION_RULE
FROM RADIUS_AUTHENTICATIONS
WHERE AUTHENTICATION_PROTOCOL = 'EAP-TLS'
AND PASSED = 1
AND TIMESTAMP_TIMEZONE > SYSDATE - 1
ORDER BY TIMESTAMP_TIMEZONE DESC
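As an added example (not ISE or DataConnect code), the query above can be rehearsed against constructed sample rows in an in-memory SQLite table with the same column names; SYSDATE - 1 becomes datetime('now', '-1 day'). A second query extends the page's check to pass/fail counts per authorization rule, which is what surfaces endpoints landing on the default rule after a certificate rollout. The rows, usernames and MAC addresses are constructed.

```python
"""Rehearse the DataConnect verification query offline. Added example, not
ISE code: same columns as the page's query, SQLite instead of Oracle."""
import sqlite3
from datetime import datetime, timedelta, timezone


def _ts(hours_ago):
    # Same text format and UTC base that SQLite's datetime('now') uses, so
    # string comparison in the WHERE clause behaves like Oracle's date compare.
    return (datetime.now(timezone.utc) - timedelta(hours=hours_ago)).strftime("%Y-%m-%d %H:%M:%S")


# Constructed sample rows (USERNAME, CALLING_STATION_ID, POLICY_SET_NAME,
# AUTHORIZATION_RULE, AUTHENTICATION_PROTOCOL, PASSED, TIMESTAMP_TIMEZONE).
SAMPLE_ROWS = [
    ("ws-lin-042.inside.domusdigitalis.dev", "AA-BB-CC-00-00-42", "Wired-EAP-TLS",
     "Linux-Workstations", "EAP-TLS", 1, _ts(1)),
    ("ws-lin-043.inside.domusdigitalis.dev", "AA-BB-CC-00-00-43", "Wired-EAP-TLS",
     None, "EAP-TLS", 0, _ts(2)),                       # failed: no rule matched
    ("jdoe", "AA-BB-CC-00-00-99", "Wired-PEAP",
     "Users", "PEAP", 1, _ts(3)),                       # other protocol, excluded
    ("ws-lin-001.inside.domusdigitalis.dev", "AA-BB-CC-00-00-01", "Wired-EAP-TLS",
     "Linux-Workstations", "EAP-TLS", 1, _ts(30)),      # older than 24h, excluded
]


def load(rows):
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE RADIUS_AUTHENTICATIONS (
        USERNAME TEXT, CALLING_STATION_ID TEXT, POLICY_SET_NAME TEXT,
        AUTHORIZATION_RULE TEXT, AUTHENTICATION_PROTOCOL TEXT,
        PASSED INTEGER, TIMESTAMP_TIMEZONE TEXT)""")
    con.executemany("INSERT INTO RADIUS_AUTHENTICATIONS VALUES (?,?,?,?,?,?,?)", rows)
    return con


def recent_eap_tls_passes(con):
    """SQLite form of the page's query: successful EAP-TLS auths in the last 24h."""
    return con.execute("""
        SELECT USERNAME, CALLING_STATION_ID, POLICY_SET_NAME, AUTHORIZATION_RULE
        FROM RADIUS_AUTHENTICATIONS
        WHERE AUTHENTICATION_PROTOCOL = 'EAP-TLS'
          AND PASSED = 1
          AND TIMESTAMP_TIMEZONE > datetime('now', '-1 day')
        ORDER BY TIMESTAMP_TIMEZONE DESC""").fetchall()


def eap_tls_outcome_by_rule(con):
    """Pass/fail counts per authorization rule for EAP-TLS in the last 24h;
    failures with no rule point at certificates the policy does not cover."""
    rows = con.execute("""
        SELECT COALESCE(AUTHORIZATION_RULE, '(none)'), SUM(PASSED), SUM(1 - PASSED)
        FROM RADIUS_AUTHENTICATIONS
        WHERE AUTHENTICATION_PROTOCOL = 'EAP-TLS'
          AND TIMESTAMP_TIMEZONE > datetime('now', '-1 day')
        GROUP BY 1 ORDER BY 1""").fetchall()
    return {rule: {"passed": p, "failed": f} for rule, p, f in rows}


if __name__ == "__main__":
    db = load(SAMPLE_ROWS)
    for row in recent_eap_tls_passes(db):
        print(row)
    print(eap_tls_outcome_by_rule(db))
```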

Live Logs

Filter live logs for EAP-TLS:

  1. Operations > RADIUS > Live Logs

  2. Filter: Authentication Protocol = EAP-TLS