ISE,AD with TLS

Choose Administration > Identity Management > External Identity Sources

In the above option there is something called Binary Certificate Comparison. Below is the explanation for it in the User Guide:

Perform Binary Certificate Comparison with Certificate Retrieved from LDAP or Active Directory—Check this check box if you want to validate certificate information for authentication against a selected LDAP or Active Directory identity source. If you check this check box, you must choose the LDAP or Active Directory identity source from the available list.

Can someone tell me how this will impact the TLS configuration?

Regards

NikhiL

8 REPLIES

ISE,AD with TLS

NikhiL:
I don't have ISE, but I know a little about binary comparison, which should be the same concept with all products.

When EAP-TLS happens, the WLC (assuming using unified wireless infrastructure) will try to authenticate the user. Having EAP-TLS in place, the client will send a certificate as an identity.

For the server to verify that the trusted certificate provided belongs to a wifi user who is authorized to connect to the wireless, it needs to verify that the user who provided the certificate is authorized for wifi access.

It has to compare the username in the certificate with the username in its DB to make sure that the user is authorized for wireless (you can choose which attribute to compare the username against, like SAN, CN, subject, etc.).

If the username provided is found in the AAA server and it is authorized for wifi, it will be allowed to connect.

If you are using an external DB to authenticate users and not the internal DB, i.e. usernames are not saved in the AAA server and the AAA server is a proxy that authenticates against the external DB (LDAP or AD, for example), then you have an extra option.

Sometimes the external DB itself has the same certificate for the client saved. In this case the AAA server tries to authenticate the username via the external DB. If you enable binary comparison, besides the username check above against the certificate's username, the AAA server (ISE in your case) will compare the certificate from the external DB to the certificate provided by the client bit by bit and make sure both certificates are identical.

I hope this makes it clear. I think you can answer "how this affects EAP-TLS" now. It should not affect it if this is being used correctly, and things should be fine.

Hope this is clear and useful.

Amjad

Rating useful replies is more useful than saying "Thank you"

ISE,AD with TLS

Hi Amjad,

Thanks for the explanation.

For me, when I enable the binary comparison the cert auth fails, but when I disable this the auth passes.

I revoked one of the certificates in the Cert server, but that client also is getting authenticated.

Regards

NikhiL

ISE,AD with TLS

Hi NikhiL,

For binary comparison to work, the external DB should send the same cert to the AAA server. If it does not, or if the cert is not a duplicate of the user's cert, then auth will fail. Are you using an external DB for authentication?

Make sure which certificate is being sent from the client and whether it is the same cert that you have revoked. The client could possibly have another certificate that is being used for authentication. Check the logs in the AAA server; that would be good to know why the specific client is getting authenticated when it should not be.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

ISE,AD with TLS

> For binary comparison to work, the external DB should send the same cert to the AAA server. If it does not, or if the cert is not a duplicate of the user's cert, then auth will fail. Are you using an external DB for authentication?

I am using AD for validation. My question here is how will AD come to know whether a certificate is valid or not?

> Make sure which certificate is being sent from the client and whether it is the same cert that you have revoked. The client could possibly have another certificate that is being used for authentication. Check the logs in the AAA server; that would be good to know why the specific client is getting authenticated when it should not be.

The client has only a single certificate, and I can see in the AAA logs that the security used is EAP-TLS.

Thanks

NikhiL

Cisco Employee

ISE,AD with TLS

Correct me if I am wrong: what you have is EAP-TLS working even with clients presenting revoked certificates.

You have to configure certificate revocation lists in order to allow the AAA server to download the serial numbers of revoked certificates and compare them with those presented by the client.

For more information I would recommend you open a new thread on the ISE forum.

Regards

--------------------------------------------------------

Please make sure to rate correct answers
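An added Python example, not from this thread or from Cisco, modelling the two checks discussed above: Amjad's bit-for-bit comparison of the presented certificate against the copy stored on the AD account, and the CRL serial-number check from the reply above. The Cert and DirectoryUser records, the sample certificates and the order of the checks are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Cert:
    # Fields an EAP-TLS server parses out of the X.509 structure.
    # Values used below are constructed samples, not real certificates.
    der: bytes      # DER bytes exactly as sent in the TLS handshake
    cn: str         # subject CN, used here as the username attribute
    serial: int     # serial number, which a CRL lists once revoked


@dataclass
class DirectoryUser:
    # Models an AD/LDAP account; AD's userCertificate is multi-valued.
    user_certificates: List[bytes] = field(default_factory=list)


def authorize(presented: Cert, directory: Dict[str, DirectoryUser],
              binary_comparison: bool, revoked_serials: Set[int]) -> str:
    """Return 'ok' or the first failure reason. Assumed order: revocation
    (part of validating the presented chain), identity lookup, then the
    optional bit-for-bit comparison against the directory's copy."""
    if presented.serial in revoked_serials:
        return "revoked"
    user = directory.get(presented.cn)
    if user is None:
        return "user-not-found"
    if binary_comparison and not any(
            stored == presented.der for stored in user.user_certificates):
        return "binary-comparison-mismatch"
    return "ok"


# Constructed sample data: two clients, one of them revoked on the CA.
ALICE = Cert(der=b"\x30\x82\x01\x00alice-sample", cn="alice", serial=0x1001)
BOB = Cert(der=b"\x30\x82\x01\x00bob-sample", cn="bob", serial=0x1002)
AD = {
    "alice": DirectoryUser(user_certificates=[ALICE.der]),   # cert published
    "bob": DirectoryUser(),                                  # no cert in AD
}


def scenario(client: Cert, binary_comparison: bool, crl_loaded: bool) -> str:
    # A CRL the server has downloaded lists BOB's serial; with no CRL
    # configured, the server has nothing to compare serials against.
    revoked = {BOB.serial} if crl_loaded else set()
    return authorize(client, AD, binary_comparison, revoked)
```

scenario(BOB, True, False) reproduces the symptom in the thread: with no copy of the certificate on the AD account, enabling binary comparison fails the user, while scenario(BOB, False, False) shows the revoked certificate still passing until a CRL is loaded.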

ISE,AD with TLS

Which option will allow the AAA server to download the serial numbers of the revoked certificates?

Cisco Employee

ISE,AD with TLS

You should configure a CRL on your ISE.

For more information about ISE you should open a new thread in the ISE forum group.

I hope the info provided has been informative to you

-----------------------------------------------------------------------

Please don't forget to rate good answers

cheers

ISE,AD with TLS

Thanks for the suggestions. I tried this one, but couldn't succeed in creating the CRL list.

I need to find some server team people for this.

Regards

NikhiL
