ISE,AD with TLS

Unanswered Question
May 13th, 2012
User Badges:
  • Bronze, 100 points or more

Choose Administration > Identity Management > External Identity Sources

In the above option there is a setting called Binary Certificate Comparison. Below is the explanation for it from the User Guide:

Perform Binary Certificate Comparison with Certificate Retrieved from LDAP or Active Directory—Check this check box if you want to validate certificate information for authentication against a selected LDAP or Active Directory identity source. If you check this check box, you must choose the LDAP or Active Directory identity source from the available list.


Can someone tell me how this will impact the TLS configuration?


Regards

NikhiL

Amjad Abdullah Mon, 05/14/2012 - 00:40
User Badges:
  • Red, 2250 points or more

NikhiL:
I don't have ISE but I know a little about binary comparison, which should be the same concept with all products.


When EAP-TLS happens, the WLC (assuming you are using a unified wireless infrastructure) will try to authenticate the user. With EAP-TLS in place, the client will send a certificate as its identity.

For the server to verify that the trusted certificate provided belongs to a wifi user that is authorized to connect to the wireless, it needs to verify that the user that provided the certificate is authorized for wifi access.

It has to compare the username in the certificate with the username in its DB to make sure that the user is authorized for wireless (you can choose which attribute to compare the username against, like SAN, CN, subject, etc.).

If the username provided is found in the AAA server and it is authorized for wifi, it will be allowed to connect.


If you are using an external DB to auth users and not using the internal DB, i.e. usernames are not saved in the AAA server and the AAA server is a proxy to auth from an external DB (LDAP or AD for example), then you have an extra option.

Sometimes the external DB itself has the same certificate for the client saved. In this case, when the AAA server tries to auth the username via the external DB, if you enable binary comparison then, besides the above username test against the certificate username, the AAA server (ISE in your case) will compare the certificate from the external DB to the certificate provided by the client bit by bit and make sure both certificates are identical.


I hope this makes it clear to you. I think you can answer "how this affects EAP-TLS" now. It should not affect it if this is being used correctly and things should be fine.


Hope this is clear and useful.


Amjad

nikhilcherian Mon, 05/14/2012 - 03:23
User Badges:
  • Bronze, 100 points or more

Hi Amjad,


Thanks for the explanation.


For me, when I enable the binary comparison the cert auth fails, but when I disable this the auth passes.


I revoked one of the certificates in the Cert server, but that client also is getting authenticated.


Regards

NikhiL

Amjad Abdullah Mon, 05/14/2012 - 03:33
User Badges:
  • Red, 2250 points or more

Hi Nikhil,

For binary comparison to work the external DB should send the same cert to the AAA server. If it does not, or if the cert is not a duplicate of the user's cert, then auth will fail. Are you using an external DB for authentication?


Make sure about the client's certificate that is being sent from the client and whether it is the same cert that you have revoked. The client could possibly have another certificate that is being used for authentication. In the AAA server, check the logs; that would be good to know why the specific client is getting authenticated while it is not.


HTH


Amjad

nikhilcherian Mon, 05/14/2012 - 04:45
User Badges:
  • Bronze, 100 points or more

For binary comparison to work the external DB should send the same cert to the AAA server. If it does not, or if the cert is not a duplicate of the user's cert, then auth will fail. Are you using an external DB for authentication?


I am using AD for validation. My question here is how the AD will come to know whether a certificate is valid or not.


Make sure about the client's certificate that is being sent from the client and whether it is the same cert that you have revoked. The client could possibly have another certificate that is being used for authentication. In the AAA server, check the logs; that would be good to know why the specific client is getting authenticated while it is not.


The client has only a single certificate, and I can see in the AAA logs that the security used is EAP-TLS.


Thanks

NikhiL

maldehne Mon, 05/14/2012 - 05:21
User Badges:
  • Cisco Employee,

Correct me if I am wrong: what you have is EAP-TLS working even with clients presenting revoked certificates.


You have to configure certificate revocation lists in order to allow the AAA server to download the serial numbers of revoked certificates and compare them with those presented by the client.


For more information I would recommend you open a new thread on the ISE forum.


Regards


--------------------------------------------------------

Please make sure to rate correct answers
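As an added illustration (not part of this thread and not ISE's code), the following Python models the three checks described above by Amjad and maldehne: the identity match on the certificate's CN, the optional byte-for-byte comparison against the userCertificate copy held in AD, and the CRL serial check. The "certificate" is a constructed two-field DER record standing in for a real X.509 certificate, and the account name and serial numbers are made up.

```python
"""Toy model of an EAP-TLS AAA decision: CN lookup in AD, optional binary
(byte-identical) comparison with the cert AD holds, and a CRL serial check.
All DER lengths are kept below 128 so the short-form length byte suffices."""


def der_integer(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")  # keeps sign bit clear
    return b"\x02" + bytes([len(body)]) + body


def make_cert(serial: int, cn: str) -> bytes:
    """Constructed stand-in for a DER certificate: SEQUENCE { INTEGER serial, UTF8String cn }.
    A real X.509 cert carries far more, but the point holds: each issuance has new bytes."""
    cn_tlv = b"\x0c" + bytes([len(cn.encode())]) + cn.encode()
    body = der_integer(serial) + cn_tlv
    return b"\x30" + bytes([len(body)]) + body


def parse_cert(der: bytes):
    """Minimal TLV walk over make_cert's layout; returns (serial, cn)."""
    assert der[0] == 0x30 and der[2] == 0x02
    slen = der[3]
    serial = int.from_bytes(der[4:4 + slen], "big")
    pos = 4 + slen
    assert der[pos] == 0x0C
    clen = der[pos + 1]
    return serial, der[pos + 2:pos + 2 + clen].decode()


def authenticate(client_der: bytes, ad_users: dict, *, binary_compare: bool, crl_serials: set):
    """ad_users maps account name -> userCertificate DER bytes (the copy AD holds).
    Returns (accepted, reason). The CRL check is independent of binary comparison."""
    serial, cn = parse_cert(client_der)
    if serial in crl_serials:
        return False, "certificate serial is on the CRL"
    if cn not in ad_users:
        return False, "no AD account matches the certificate CN"
    if binary_compare and ad_users[cn] != client_der:
        return False, "userCertificate in AD is not byte-identical to the presented cert"
    return True, "accepted"


# Constructed scenario: AD holds the originally issued cert; a re-issued cert has the
# same CN but a new serial, so its DER bytes differ even though the identity matches.
AD_USERS = {"nikhil": make_cert(0x1001, "nikhil")}
REISSUED = make_cert(0x1002, "nikhil")

if __name__ == "__main__":
    print(authenticate(REISSUED, AD_USERS, binary_compare=False, crl_serials=set()))
    print(authenticate(REISSUED, AD_USERS, binary_compare=True, crl_serials=set()))
    # Revoking the original does not change what AD holds, so only the CRL catches it:
    print(authenticate(AD_USERS["nikhil"], AD_USERS, binary_compare=True, crl_serials={0x1001}))
```

The second and third calls reproduce the two symptoms in this thread: enabling binary comparison fails when AD holds a different copy of the user's certificate, while a revoked certificate still passes both the CN match and the binary comparison unless a CRL is configured.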

nikhilcherian Mon, 05/14/2012 - 06:24
User Badges:
  • Bronze, 100 points or more

Which option will allow the AAA server to download the serial numbers of the revoked certificates?

maldehne Mon, 05/14/2012 - 06:31
User Badges:
  • Cisco Employee,

You should configure CRL on your ISE.


For more information about ISE you should open a new thread on the ISE forum group.


I hope the info provided has been informative to you

-----------------------------------------------------------------------

Please don't forget to rate good answers


cheers

nikhilcherian Tue, 05/15/2012 - 12:33
User Badges:
  • Bronze, 100 points or more

Thanks for the suggestions, I tried this one, but couldn't succeed in creating the CRL list.


Need to find out some server team people for the same


Regards

NikhiL
