Cisco Support Community

New Member

My concern about ise authentication types

Hi,

Is it possible to bind a certificate to a computer, so that it is the identity of one device only, like a MAC address?

If it is not possible, then can anyone tell me what the difference is between user-based and certificate-based authentication, except the encryption capability? Because someone can export his computer certificate and install it onto any other computer and can then plug that PC into the network even if that PC is not authorized. So where is the security?

My other point is: when a staff member owns a single user ID, he can use that single user ID to access the network from multiple devices simultaneously. My question is, why does Cisco ISE allow this? I must have had at least this capability not to allow multiple simultaneous connections using a single ID.

Any comments?

  • AAA Identity and NAC
4 REPLIES
Cisco Employee

My concern about ise authentication types

Imran,

Two things,

One, a MAC address can easily be spoofed; it's not really a proper means to uniquely identify a machine.

Second, exporting a certificate is not a problem indeed, but a certificate by itself only gives you information about the public key, not the private one. If you want to make full use of the certificate you also need to export the private key.

I do not believe there is a feature in place to limit logins per account (with the exception of guest users).

However my information might not be up to date, feel free to verify with TAC folks or your SE.

M.

Re: My concern about ise authentication types

Hi,

If you are using AD GPO for certificate auto-enrollment, there is an option to NOT allow exportable private keys. If you think your template is incorrect, then you will have to come up with a way to securely and safely issue the certificates that will not allow the private keys to be exported.

Thanks,

Tarik Admani

Edited: from "now" to "NOT". Sorry for the confusion.

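One way to audit for the template setting described in the reply above, as an added example that is not part of the thread and not Cisco or Microsoft tooling: it parses an LDIF-style export of AD certificate templates and lists those whose `msPKI-Private-Key-Flag` still permits private key export. The template names and the sample LDIF are constructed; the two flag values are taken from Microsoft's certificate template specification (MS-CRTD).

```python
import re

# Flag bits defined in Microsoft's certificate template specification (MS-CRTD).
CT_FLAG_EXPORTABLE_KEY = 0x00000010   # bit in msPKI-Private-Key-Flag
CT_FLAG_AUTO_ENROLLMENT = 0x00000020  # bit in msPKI-Enrollment-Flag

# Constructed sample: LDIF-style export of two hypothetical templates.
SAMPLE_LDIF = """\
dn: CN=Corp-Workstation-Auth,CN=Certificate Templates,DC=example,DC=com
cn: Corp-Workstation-Auth
msPKI-Enrollment-Flag: 32
msPKI-Private-Key-Flag: 16842752

dn: CN=Corp-Legacy-Computer,CN=Certificate Templates,DC=example,DC=com
cn: Corp-Legacy-Computer
msPKI-Enrollment-Flag: 32
msPKI-Private-Key-Flag: 16842768
"""

def parse_templates(ldif):
    """Split LDIF text into one attribute dict per entry."""
    templates = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # skip comments and folded continuation lines
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
        if "cn" in entry:
            templates.append(entry)
    return templates

def flag_bits(entry, attr):
    # The directory stores these as signed 32-bit integers; mask to raw bits.
    return int(entry.get(attr, "0")) & 0xFFFFFFFF

def exportable_templates(ldif):
    """Return (template name, enrollment mode) for templates allowing key export."""
    findings = []
    for t in parse_templates(ldif):
        exportable = flag_bits(t, "msPKI-Private-Key-Flag") & CT_FLAG_EXPORTABLE_KEY
        auto = flag_bits(t, "msPKI-Enrollment-Flag") & CT_FLAG_AUTO_ENROLLMENT
        if exportable:
            findings.append((t["cn"], "auto-enrolled" if auto else "manual"))
    return findings

if __name__ == "__main__":
    print(exportable_templates(SAMPLE_LDIF))
```

Certificates already issued from a flagged template keep their exportable keys; changing the template only affects certificates enrolled afterwards.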
New Member

My concern about ise authentication types

Thanks for your comments

New Member

My concern about ise authentication types

We do not recommend exporting the private key associated with a certificate because its value may be exposed. If you must export a private key, specify an encryption password for the private key. You will need to specify this password while importing this certificate into another Cisco ISE server to decrypt the private key.

Cisco ISE allows for a wide range of variables within authorization policies to ensure that only authorized users can access the appropriate resources when they access the network. The initial release of Cisco ISE supports only RADIUS-governed access to the internal network and its resources.

So, I hope both the points are restrictable by ISE.
