topic Re: ISE: dealing with certificates that remain in endpoints in Network Access Control

ISE: dealing with certificates that remain in endpoints

jolopes — Tue, 19 Dec 2017 18:23:34 GMT

Hi Team,

My customer authenticates their Corporate SSID though their CA certificates.

However, by some unknown reason, sometimes the endpoints (laptops) maintain those certificates, although they are no longer present in the AD.

This anomaly results in those endpoints failing authentication to the Wireless Network.

They found a workaround: altering in ISE, the option “Match Client Certificate Against Certificate In Identity Store”, from “Always perform binary comparison” to “Only to resolve identity ambiguity”.

They would like to know the impact of that workaround, namely in terms of access security.

Any other comments are welcomed!

Thank you in Advance.

Best Regards,

Filipe

Re: ISE: dealing with certificates that remain in endpoints

ognyan.totev — Thu, 21 Dec 2017 07:07:45 GMT

It is ok with this option in mine deployment i did same ,if you choose first option you must change the option in to continue if user not found but there is no user if it is machine certificate and if option is reject it will fail .

Re: ISE: dealing with certificates that remain in endpoints

jolopes — Fri, 22 Dec 2017 10:22:37 GMT

Thank you so much, Ognyan

Customer would also like to know of possible security issues on using such a workaround.

If you or anyone would like to comment, I'd really appreciate it.

Thank you.

Filipe

Re: ISE: dealing with certificates that remain in endpoints

ognyan.totev — Fri, 22 Dec 2017 13:44:15 GMT

No, no security violations,if machine have a valid certificate authentication and authorization will be ok ,i test it without certificate cant access network i test it and with expired certificate no access too ,as i told above this work in mine deployment about 1 year .