Certificate Authentication Profile

rezaalikhani — Thu, 03 Oct 2024 12:02:01 GMT

Hi all;

When using a Certificate Authentication Profile (CAP) without Active Directory or other supported external identity stores, does the CAP search ISE internal identity store for identity matches based on defined certificate fields?

Thanks

Re: Certificate Authentication Profile

Arne Bier — Thu, 03 Oct 2024 23:43:43 GMT

My understanding of the purpose of the CAP is to simply extract an identity from the certificate, whichever field you tell it to (e.g. Subject Common Name). Since there is no password involved in a certificate, the "authentication" of that identity has to be done elsewhere. One option is to see if that identity exists in AD and assert the authentication that way. Else, by not looking up the identity in AD, we can still assert that the identity has been authenticated by virtue of the trust relationship that ISE has with the Issuer of that certificate. You could argue that we don't even need to lookup the identity in AD (if if even exists there) because the authenticity of the cert is good enough.

As you know, later on during Authorization, we can use that extracted identity to perform AuthZ against internal ISE database (Group membership), or AD, LDAP, etc.

That's how I see it anyway.

topic Certificate Authentication Profile in Network Access Control

Certificate Authentication Profile

Re: Certificate Authentication Profile