topic Re: Certificate Check Workflow in ISE in Network Access Control

Certificate Check Workflow in ISE

grleeson — Thu, 26 Apr 2018 14:37:40 GMT

Hello,

I have a question regarding what exactly ISE checks against when doing certificate authentication. In particular, does ISE check key usage on trusted certificates. Does anyone have a process flow, e.g., first check is to verify the cert was signed by a trusted authority, second check is that it is valid after this date and before that date, third check, etc... then check number X is that the client certificate has Client Authentication key usage, and the trusted authority has Cert Signing key usage.

Thanks for any help on this!

Greg

Re: Certificate Check Workflow in ISE

hslai — Thu, 26 Apr 2018 16:58:07 GMT

The steps in ISE authentication detailed reports should tell how endpoints are authenticated and authorized.

For example, the following go through the TLS exchanges and TLS handshake won't succeed unless ISE EAP server trusting the client certificates' root CA certificate.


	12501	Extracted EAP-Response/NAK requesting to use EAP-TLS instead
	12500	Prepared EAP-Request proposing EAP-TLS with challenge
	11006	Returned RADIUS Access-Challenge
	11001	Received RADIUS Access-Request
	11018	RADIUS is re-using an existing session
	12502	Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
	12800	Extracted first TLS record; TLS handshake started
	12805	Extracted TLS ClientHello message
	12806	Prepared TLS ServerHello message
	12807	Prepared TLS Certificate message
	12808	Prepared TLS ServerKeyExchange message
	12809	Prepared TLS CertificateRequest message
	12505	Prepared EAP-Request with another EAP-TLS challenge

The following shows checks on expiration.


	15048	Queried PIP - CERTIFICATE.Is Expired
	15048	Queried PIP - CERTIFICATE.Days to Expiry

Re: Certificate Check Workflow in ISE

paul — Fri, 27 Apr 2018 03:04:23 GMT

I don't think ISE checks for extended key usage on the cert to ensure client authentication is enabled, but never tested that. The 802.1x supplicant should only be using certs with client auth EKU enabled.

I usually tell customers ISE at a minimum will do the following

Has the cert been issued by one of the trusted CA certs loaded into ISE that have the "Trust for client authentication and syslog" option set. ISE will not authenticate certs from any CA loaded into ISE only the ones with that option checked.
Is the cert valid, i.e. not expired.

Optionally, if configured ISE will also do CRL or OCSP revocation checking.

If the certificate profile used in authentication is tied to AD the ISE will ensure the identity in the certificate is present in AD.

Re: Certificate Check Workflow in ISE

hslai — Fri, 27 Apr 2018 03:35:07 GMT

When I first tested SCEP for ISE BYOD, I used a wrong template so the client certificate did not have client auth and failed EAP-TLS.

Supported Cipher Suites shows

Validate KeyUsage

Client certificate should have KeyUsage=Key Agreement and ExtendedKeyUsage=Client Authentication for the following ciphers:

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA384

Validate ExtendedKeyUsage

Client certificate should have KeyUsage=Key Encipherment and ExtendedKeyUsage=Client Authentication for the following ciphers:

AES256-SHA256
AES128-SHA256
AES256-SHA
AES128-SHA
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
EDH-RSA-DES-CBC3-SHA
DES-CBC3-SHA
RC4-SHA
RC4-MD5

Server certificate should have ExtendedKeyUsage=Server Authentication

Re: Certificate Check Workflow in ISE

paul — Fri, 27 Apr 2018 03:38:05 GMT

Nice. That is good to know.

Sent from my iPhone

Re: Certificate Check Workflow in ISE

grleeson — Fri, 27 Apr 2018 13:04:15 GMT

Thanks for the input. Specifically what I'm looking for is whether ISE checks if a trusted certificate has the Cert Signing EKU.

What prompted the question was configuring 802.1x on phones with CUCM. The CAPF certificate on Call Manager was signed using the Web Server template, instead of the Sub-CA template, so it didn't have the Cert Signing EKU. Needless to say, things didn't work.

What I suspect was going on, (but I can't verify without a packet capture from the failed requests), is that the LSC certs that were being applied to the phones by Call Manager were using the self-signed CAPF Sub-CA certificate (CAPF-abc12345). So ISE couldn't authenticate that, since it had to mis-configured WebServer CAPF (CAPF-xyz12345) cert in the trusted store. But the question that I'm being asked is, "Does ISE check whether a trusted cert has the cert-signing EKU?"

The authentication failure details don't tell you what cert was presented from the client, it just says the handshake failed.

Thanks again for the help on this.

Re: Certificate Check Workflow in ISE

Parag Mahajan — Sat, 28 Apr 2018 16:23:24 GMT

Below link from Aaron blog is also useful

https://www.networkworld.com/article/2226498/infrastructure-management/simply-put-how-does-certificate-based-authenticat…

Re: Certificate Check Workflow in ISE

hslai — Sat, 05 May 2018 03:31:44 GMT

Requirements for CA to Interoperate with Cisco ISE

says,

...

Key usage should allow signing and encryption in extension.

...

Re: Certificate Check Workflow in ISE

grleeson — Sat, 05 May 2018 10:52:42 GMT

Thank you, everybody. I appreciate the help.