topic ISE Deployment in Network Access Control

ISE Deployment

henokk601 — Wed, 25 Sep 2019 07:22:31 GMT

For my ISE deployment, i want to use certificate-based authentication for all my Windows machines By default, certificate-based authentication does not check the certificate against Active Directory, or requires credentials from the user. This essentially means that no groups are returned as part of the authentication request. what can i do in order the user be authorized based on Active Directory group membership?

Re: ISE Deployment

Arne Bier — Fri, 27 Sep 2019 05:18:55 GMT

Hi @henokk601

In EAP-TLS authentication you create a CAP (Certificate Authentication Profile) and this determines what ISE will do with the client cert that is presented by the supplicant (Windows PS in your case).

You can do things like extract the Subject CN (Common Name) from the client cert and then have it looked up in AD to see whether that AD Account is active/exists etc. Furthermore, when you do that, you can then use the AD Groups and Attributes returned from the AD lookup in your ISE Authorization Profiles to check whether that AD Account is a member of xyz Security Group or whatever else you want to check.

Hope that helps

Re: ISE Deployment

Mike.Cifelli — Fri, 27 Sep 2019 16:19:32 GMT

It sounds like you are you trying to authenticate just your computers via eap-tls and utilize AD sec groups to push Authz policy. However, if you intend on incorporating auth for both users and computers you will need to focus efforts on using NAM for eap-chaining. IMO using native supplicant is typically easier to use, and manage. If you are simply doing computer auth only focus on what @Arne Bier mentioned as he shared valuable comments. Also, keep in mind that you can deploy native supplicant configuration via GPOs. Good luck!