ISE - Certificate Authentication Profile - How does this work?

muthumohan
Level 1

Hi All,

In ISE, the Certificate Authentication Profile (CAP) specifies which field from the certificate is to be used as the username. I got this. But after getting the username from the cert, how does ISE authenticate the user? How do I specify which identity source to use to verify this username? Also, where is the password for the user to authenticate?

I know binary comparison is one way to verify the user, but what if I have not selected this option?

Can't ISE verify the certificate by using traditional methods (using the CA's cert to verify the user cert)? Why is ISE not doing this? Or does ISE do this? Even if ISE verifies the cert, the cert might be a valid cert, but the user may not be a valid user to access the network. How does ISE identify this?

Can anyone help me understand how the CAP is used to authenticate the user in EAP-TLS?

Appreciate any help.

Regards,

Mohan

5 Replies

Aastha Chaudhary
Cisco Employee

Mohan,

After creating a Certificate Authentication Profile, you need to create an Identity Source Sequence where you reference the CAP, and specify AD as an Identity Store. This Identity Source Sequence is then later used in an Authentication Policy. Please refer to the steps in the following link for full configuration:

http://www.cisco.com/en/US/docs/solutions/CVD/Aug2013/CVD-BYOD-IdentityandAuthenticationDesignGuide-AUG13.pdf

Go to the Section "Enabling 802.1X Authentication" on Page 48.

Thanks,

Aastha

*Please rate helpful posts*

Aastha,

+5

Are there more links like these on the subject of ISE? It's very confusing. You have TrustSec, config guides, etc. Now the CVDs...

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________
"I'm like bacon, I make your wireless better"

Thanks George. I happened to stumble across this link while working with a customer, and found it very useful. TrustSec design guides are quite detailed and helpful too. If I find any more useful links, I will post on this forum.

Thanks,

Aastha

*Please rate helpful posts*

Please do! Thanks


Hi,

Appreciate this is an old thread, but I would like to get some clarity on a query I have regarding the CAP.

Referring to the guide, specifically pages 48/49, if I do not enable 'binary comparison', nor enable the option to 'retrieve additional attributes from LDAP', would the ACS still attempt to look up the user based on the X509 principal user attribute defined in the profile, or does it simply authenticate the user based on it being able to validate the client certificate?

I believe it is the latter of the two, but want to confirm this.

I tried testing this by removing a machine from the domain and it was still able to connect to the network.

Thanks
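To make the flow in Aastha's reply concrete (chain validation, then the CAP picking the username field, then the Identity Source Sequence consulting AD, with binary comparison as an extra check), here is an added Python model; it is not ISE code and not from the linked guide. The identity store, certificate contents and hashes are constructed, and whether the store is consulted when binary comparison is off is left as an explicit `lookup_required` parameter rather than asserted as ISE behaviour, since that is exactly the open question in the last post.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cert:
    """Constructed stand-in for a parsed client certificate, not a real X.509 object."""
    subject: str             # DN string, e.g. "CN=jdoe,OU=Users,DC=example,DC=com"
    san_upn: Optional[str]   # Subject Alternative Name (UPN), if present
    der: bytes               # raw DER bytes, only used for the binary-comparison check
    chain_valid: bool        # result of validating the chain against the trusted CA (modeled)
# Constructed identity store standing in for AD: principal -> hash of the cert stored for it.
AD_USERS = {
    "jdoe": hashlib.sha256(b"der-of-jdoe-cert").hexdigest(),
    "asmith": None,  # account exists but no certificate is published for it
}

def parse_dn(dn: str) -> dict:
    """Split a DN string into attribute -> value, honouring '\\,' escaped commas."""
    attrs = {}
    for part in dn.replace("\\,", "\x00").split(","):
        key, _, value = part.partition("=")
        attrs.setdefault(key.strip().upper(), value.strip().replace("\x00", ","))
    return attrs

def principal_from_cap(cert: Cert, cap_field: str) -> Optional[str]:
    """Apply the CAP: pick the certificate field that becomes the username."""
    if cap_field == "Subject - Common Name":
        return parse_dn(cert.subject).get("CN")
    if cap_field == "Subject Alternative Name":
        return cert.san_upn
    raise ValueError(f"unsupported CAP field: {cap_field}")

def authenticate(cert: Cert, cap_field: str, lookup_required: bool, binary_comparison: bool) -> str:
    """Chain check -> CAP principal -> identity-store lookup -> optional binary comparison."""
    if not cert.chain_valid:
        return "REJECT: certificate chain did not validate against the trusted CA"
    user = principal_from_cap(cert, cap_field)
    if not user:
        return "REJECT: CAP field absent from certificate, no username to look up"
    if not lookup_required and not binary_comparison:
        # Modeled behaviour, not a claim about ISE: a valid cert alone is enough here.
        return f"ACCEPT: {user} (chain valid, identity store not consulted)"
    if user not in AD_USERS:
        # Covers the 'machine removed from the domain' case from the thread.
        return f"REJECT: {user} not found in identity store"
    if binary_comparison and AD_USERS[user] != hashlib.sha256(cert.der).hexdigest():
        return f"REJECT: {user} presented a certificate that does not match the one stored in AD"
    return f"ACCEPT: {user} (found in identity store)"
```

Run `authenticate()` on the same constructed certificate with `lookup_required` toggled to see why a genuine certificate from a host no longer in the directory passes in one mode and fails in the other.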
