Participant

802.1x Certificate authentication work flow

Dear All,

I am a beginner. I didn't understand 802.1x wired authentication with certificates.

Whenever we use machine authentication or user authentication with a cert, we need to install the root cert and user cert, or the root cert and machine cert, on domain-joined client PCs. So if I use a wrong user cert or machine cert from a PC that is not joined to the domain, I always see a "user not found" error. Does this mean this process always checks the domain user account or computer account in the domain?

I tried to manually request and install a cert on workgroup PCs, and it also showed a "user not found" error. So can I install another domain user account's cert on workgroup PCs and use it for authentication? Can one user account authenticate concurrently?

I also want to know whether, for 802.1x authentication, we always need to keep the CA server powered on. Can I shut down the CA servers once cert enrollment is finished?

 

Beginner

Re: 802.1x Certificate authentication work flow

There are a lot of variables in your questions.  I will try to break them down in pieces.

- For ISE to authenticate the client certificate, the Root or Intermediate CA certificates need to be installed in ISE's certificate store and trusted for client authentication.  This would be the Root/Intermediate that issued the client certificate.

- If the client/supplicant is configured to verify the server's identity, then the Root/Intermediate CA certificate that issued ISE its EAP authentication certificate must be installed on the client in its trusted certificate store.  If the client is not configured to verify the server, then you won't need this.  But I recommend it for security.

- To authenticate a certificate, ISE uses a Certificate Authentication Profile (CAP).  In that CAP configuration, you tell ISE what field in the certificate to use as the "identity".  There is also an option to check against Active Directory to resolve ambiguity.  If that option is checked, then ISE will check for the "identity" in AD.  If not there, then you will get the error of user not found.  But you don't need to check AD.  If that option is not checked, then ISE will just verify the certificate is valid and issued by a CA that ISE trusts.

- If you have any rules in the authorization policy that check for group membership, then ISE will need to check AD using the "identity" from the certificate based on your CAP.

- Again, it doesn't have to check AD for certificate authentication.  But you have to make sure your CAP configuration is not set up for checking AD.

- The user certificate will be assigned to a particular user on the machine and I don't believe can be used for other users on the same machine.  The machine certificate can be used for the machine no matter who is logged in.

- You don't need the CA server online unless you have your CA certificate configured for doing certificate revocation checks using CRL or OCSP.  If that is not configured, then your CA can be offline.  ISE just verifies that the certificate is valid and that it was issued by a CA that ISE trusts.

Hope that helps!

Participant

Re: 802.1x Certificate authentication work flow

Hi,

Firstly, I want to say thanks for your detailed explanation.

I would like to ask a question based on your answer.

==> But you don't need to check AD.  If that option is not checked, then ISE will just verify the certificate is valid and issued by a CA that ISE trusts. <==

 

1. Does this mean we can use this method for workgroup computers to authenticate with 802.1x?

If we don't check AD, which resource is used to check whether the cert is valid or not? Will it use the CAP only? Don't we need to create a local user in ISE?

Beginner

Re: 802.1x Certificate authentication work flow

That is correct.  You could even authenticate a Linux machine or MacBook at that point.  ISE just checks that the certificate is valid.  And all ISE needs for that is the CA certificate in its trusted certificate store and within the CA certificate config, make sure you check the option for "Trust for client authentication".  That's it.  No need for AD.


VIP Engager

Re: 802.1x Certificate authentication work flow

Just a follow-up on this.  We typically don't use AD in our CAPs as we want them to function for all use cases.  Our CAPs just point to the SAN field for identity and we leave it at that.  So as Colby mentioned, in the authentication phase ISE is only checking that the certificate is valid, not revoked (if you have revocation checking enabled), and that it was issued by a CA that ISE has "trust for client authentication" enabled for.

 

Now once you get to the authorization phase you can do all sorts of magic, including AD group lookups:

 

  1. EAP-TLS and Member of Domain Computers
  2. EAP-TLS and Member of Domain Users
  3. EAP-TLS and issuer common name Call Manager
  4. EAP-TLS (to catch other valid cert auths)
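An added lab model of the decision Colby's reply and this follow-up describe (authentication phase = chain to a CA trusted for client authentication, identity taken from the CAP's SAN field, AD lookup optional and the source of "user not found"). This is not code from the thread or from Cisco ISE: the two CAs, the three client certificates, the hostnames and the AD_ACCOUNTS stand-in are all constructed, and it needs only a POSIX shell and openssl.

```shell
#!/bin/sh
# Added example (not from the thread): a lab model of ISE's CAP decision.
# Everything here is constructed: two throw-away CAs, three client certs,
# and a one-line stand-in for Active Directory.
set -e
LAB=$(mktemp -d); trap 'rm -rf "$LAB"' EXIT; cd "$LAB"
# One CA that "ISE" trusts for client authentication and one it does not.
for ca in trusted-ca rogue-ca; do
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$ca.key" -out "$ca.crt" \
    -subj "/CN=$ca" -days 2 >/dev/null 2>&1
done
# issue_cert NAME CA SAN: a client certificate carrying its identity in the SAN.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  printf 'subjectAltName=%s\n' "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -extfile "$1.ext" -out "$1.crt" -days 1 >/dev/null 2>&1
}
issue_cert domainpc    trusted-ca DNS:domainpc.lab.example
issue_cert workgrouppc trusted-ca DNS:workgrouppc.lab.example
issue_cert manualpc    rogue-ca   DNS:manualpc.lab.example
# Constructed AD: only the domain-joined machine has an account.
AD_ACCOUNTS="domainpc.lab.example"
# cap_authenticate CERT CHECK_AD(yes|no): prints what ISE would log.
cap_authenticate() {
  # Authentication phase: chains to a trusted CA and is within its validity.
  if ! openssl verify -CAfile trusted-ca.crt "$1" >/dev/null 2>&1; then
    echo "untrusted-or-invalid"; return 1
  fi
  # CAP identity field: the SAN, as the CAPs in the thread are configured.
  ident=$(openssl x509 -in "$1" -noout -text | sed -n 's/^ *DNS://p' | head -n 1)
  if [ "$2" = yes ]; then
    # Optional AD lookup: the "user not found" error from the question.
    case " $AD_ACCOUNTS " in
      *" $ident "*) ;;
      *) echo "user-not-found"; return 1 ;;
    esac
  fi
  echo "authenticated:$ident"
}
# Authorization (AD group rules etc.) would only start after "authenticated".
for entry in "domainpc yes" "workgrouppc yes" "workgrouppc no" "manualpc no"; do
  set -- $entry
  printf '%-11s check_ad=%-3s -> %s\n' "$1" "$2" "$(cap_authenticate "$1.crt" "$2" || true)"
done
```

The workgroup PC passes with a trusted-CA cert when the CAP does not check AD and fails with "user-not-found" when it does; the manually issued cert from the untrusted CA never reaches the identity step.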