https://community.cisco.com/t5/network-access-control/certificate-authentication-profile-cap-identity-store-query/m-p/3576653#M527329 <HTML><HEAD></HEAD><BODY><P>Correct.</P></BODY></HTML> Wed, 30 Aug 2017 01:43:14 GMT hslai 2017-08-30T01:43:14Z https://community.cisco.com/t5/network-access-control/certificate-authentication-profile-cap-identity-store-query/m-p/3576646#M527314 <HTML><HEAD></HEAD><BODY><P>Hi Members,</P><P></P><P>When we have Certificate Authentication Profile setup and haven't setup Identity Sequence in Authentication Profile, which Identity Store would ISE look for attributes mentioned in CAP Policy?</P></BODY></HTML> Sun, 27 Aug 2017 03:06:12 GMT https://community.cisco.com/t5/network-access-control/certificate-authentication-profile-cap-identity-store-query/m-p/3576646#M527314 dot1x 2017-08-27T03:06:12Z https://community.cisco.com/t5/network-access-control/certificate-authentication-profile-cap-identity-store-query/m-p/3576647#M527316 <HTML><HEAD></HEAD><BODY><P>The certificate attribute designated for the user identity is used as the subject/user to lookup for groups/attributes in identity stores as specified in the authorization policy rules. They can be any internal or external identity stores configured in ISE.</P></BODY></HTML> Mon, 28 Aug 2017 02:25:58 GMT https://community.cisco.com/t5/network-access-control/certificate-authentication-profile-cap-identity-store-query/m-p/3576647#M527316 hslai 2017-08-28T02:25:58Z https://community.cisco.com/t5/network-access-control/certificate-authentication-profile-cap-identity-store-query/m-p/3576648#M527317 <HTML><HEAD></HEAD><BODY><P>What about the authentication part?</P><P>For Authentication, would it check the ID Store specified in Authorization rule?</P></BODY></HTML> Wed, 30 Aug 2017 01:02:53 GMT https://community.cisco.com/t5/network-access-control/certificate-authentication-profile-cap-identity-store-query/m-p/3576648#M527317 dot1x 2017-08-30T01:02:53Z https://community.cisco.com/t5/network-access-control/certificate-authentication-profile-cap-identity-store-query/m-p/3576649#M527320 <HTML><HEAD></HEAD><BODY><P>It depends on Steps 3 ~ 5 of <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01110.html#task_CBFBF2B60E014B8E8B74D271DC047E47" style="font-size: 10pt;">Add a Certificate Authentication Profile</A></P><P>In case that no identity store chosen in Step 3, then ISE uses those certificates designed for client authentication in Trusted Certificates only.</P></BODY></HTML> Wed, 30 Aug 2017 01:16:09 GMT https://community.cisco.com/t5/network-access-control/certificate-authentication-profile-cap-identity-store-query/m-p/3576649#M527320 hslai 2017-08-30T01:16:09Z https://community.cisco.com/t5/network-access-control/certificate-authentication-profile-cap-identity-store-query/m-p/3576650#M527321 <HTML><HEAD></HEAD><BODY><P>Thanks hslai.</P><P>Could you please have a look at the attached CAP Profile?</P><P>Would it be checking ID Store specified in Authorization Rule?</P><P>If yes, what happens during Authentication? How would the user get authenticated?<IMG alt="CAP Profile.JPG" class="image-1 jive-image" src="/legacyfs/online/fusion/110856_CAP Profile.JPG" style="height: 269px; width: 620px;" /></P></BODY></HTML> Wed, 30 Aug 2017 01:25:33 GMT https://community.cisco.com/t5/network-access-control/certificate-authentication-profile-cap-identity-store-query/m-p/3576650#M527321 dot1x 2017-08-30T01:25:33Z https://community.cisco.com/t5/network-access-control/certificate-authentication-profile-cap-identity-store-query/m-p/3576651#M527323 <HTML><HEAD></HEAD><BODY><P>The "Identity Store" is set to [not applicable] so the authentications will be based on trusted certs only. ISE will still perform groups/attributes lookup using the subject alternative name as user name if your authorization policy rules are using those identity stores.</P></BODY></HTML> Wed, 30 Aug 2017 01:36:24 GMT https://community.cisco.com/t5/network-access-control/certificate-authentication-profile-cap-identity-store-query/m-p/3576651#M527323 hslai 2017-08-30T01:36:24Z https://community.cisco.com/t5/network-access-control/certificate-authentication-profile-cap-identity-store-query/m-p/3576652#M527325 <HTML><HEAD></HEAD><BODY><P>Thanks hslai, that makes sense.</P><P></P><P>Correct me if I'm wrong:</P><P></P><P>Authentication Part: If user certificate is from trusted CA, the user gets authenticated and no ID Stores would be checked.</P><P></P><P>Authorization Part: Subject Alternative Name would be checked in the ID stores as per Authorization Policy.</P></BODY></HTML> Wed, 30 Aug 2017 01:41:15 GMT https://community.cisco.com/t5/network-access-control/certificate-authentication-profile-cap-identity-store-query/m-p/3576652#M527325 dot1x 2017-08-30T01:41:15Z https://community.cisco.com/t5/network-access-control/certificate-authentication-profile-cap-identity-store-query/m-p/3576653#M527329 <HTML><HEAD></HEAD><BODY><P>Correct.</P></BODY></HTML> Wed, 30 Aug 2017 01:43:14 GMT https://community.cisco.com/t5/network-access-control/certificate-authentication-profile-cap-identity-store-query/m-p/3576653#M527329 hslai 2017-08-30T01:43:14Z https://community.cisco.com/t5/network-access-control/certificate-authentication-profile-cap-identity-store-query/m-p/3576654#M527332 <HTML><HEAD></HEAD><BODY><P>Is there any basic config example for certificate based authentication both for ISE and Client side?</P></BODY></HTML> Wed, 30 Aug 2017 01:49:10 GMT https://community.cisco.com/t5/network-access-control/certificate-authentication-profile-cap-identity-store-query/m-p/3576654#M527332 dot1x 2017-08-30T01:49:10Z https://community.cisco.com/t5/network-access-control/certificate-authentication-profile-cap-identity-store-query/m-p/3576655#M527334 <HTML><HEAD></HEAD><BODY><P><A _jive_internal="true" data-containerid="5301" data-containertype="14" data-objectid="63882" data-objecttype="102" href="https://community.cisco.com/docs/DOC-63882">ISE Training</A><SPAN style="font-size: 10pt;"> has links to various materials.</SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">We have some GOLD labs via SalesConnect but these offerings are ending this Thursday.</SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">BYOD -- shows using ISE BYOD to provision a certificate to an Apple iDevice using ISE internal CA</SPAN></P><P><SPAN style="font-size: 10pt;">Integrating ISE with Active Directory -- shows using GPO in AD to provision certificates and authorize using AD.</SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P></BODY></HTML> Wed, 30 Aug 2017 02:17:47 GMT https://community.cisco.com/t5/network-access-control/certificate-authentication-profile-cap-identity-store-query/m-p/3576655#M527334 hslai 2017-08-30T02:17:47Z https://community.cisco.com/t5/network-access-control/certificate-authentication-profile-cap-identity-store-query/m-p/3576656#M527335 <HTML><HEAD></HEAD><BODY><P>Thanks hslai for your comments and suggestions.</P></BODY></HTML> Wed, 30 Aug 2017 03:12:35 GMT https://community.cisco.com/t5/network-access-control/certificate-authentication-profile-cap-identity-store-query/m-p/3576656#M527335 dot1x 2017-08-30T03:12:35Z