12-19-2017 10:23 AM
Hi Team,
My customer authenticates their Corporate SSID through their CA certificates.
However, for some unknown reason, sometimes the endpoints (laptops) keep those certificates, although they are no longer present in the AD.
This anomaly results in those endpoints failing authentication to the Wireless Network.
They found a workaround: changing, in ISE, the option “Match Client Certificate Against Certificate In Identity Store” from “Always perform binary comparison” to “Only to resolve identity ambiguity”.
They would like to know the impact of that workaround, namely in terms of access security.
Any other comments are welcome!
Thank you in advance.
Best Regards,
Filipe
12-20-2017 11:07 PM
It is OK with this option in my deployment; I did the same. If you choose the first option, you must change the option to continue if user not found, but there is no user if it is a machine certificate, and if the option is reject it will fail.
12-22-2017 02:22 AM
Thank you so much, Ognyan
The customer would also like to know of possible security issues with using such a workaround.
If you or anyone would like to comment, I'd really appreciate it.
Thank you.
Filipe
12-22-2017 05:44 AM
No, no security violations. If the machine has a valid certificate, authentication and authorization will be OK. I tested it without a certificate: it can't access the network. I tested it with an expired certificate: no access either. As I said above, this has worked in my deployment for about 1 year.
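To make the difference between the two settings concrete, here is an added example (not Cisco or ISE code, and not from anyone in this thread) that models the decision ISE makes in each mode. It assumes a certificate authentication profile that takes the identity from the Subject CN and an authentication policy where "If user not found" is Reject; the directory objects, certificate values and the `authorize` helper are constructed for illustration. The stale-laptop case is the one described in the question: the supplicant still presents a certificate that the CA issued and that has not expired, but AD now holds a different certificate for that computer object.

```python
"""Model of ISE's 'Match Client Certificate Against Certificate In Identity Store'
setting for EAP-TLS. Added illustration, not Cisco code; directory and certs are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ClientCert:
    subject_cn: str   # identity ISE extracts ("Use Identity From: Subject CN")
    issuer: str
    not_after: datetime
    der: bytes        # exact bytes the supplicant presents (stand-in for real DER)


TRUSTED_ISSUERS = {"CN=Corp-Issuing-CA"}          # constructed trust anchor
NOW = datetime(2017, 12, 20, tzinfo=timezone.utc)


def chain_is_valid(cert, now):
    """Stand-in for PKI validation: trusted issuer and inside validity period.
    Revocation checking (CRL/OCSP) is deliberately left out of this model."""
    return cert.issuer in TRUSTED_ISSUERS and now < cert.not_after


def find_objects(cn, directory):
    """Identity lookup: every AD object whose cn matches the certificate identity."""
    return [obj for obj in directory if obj["cn"] == cn]


def authorize(cert, directory, mode, now=NOW):
    """Return (decision, reason). mode is 'always' (always perform binary comparison)
    or 'ambiguity' (only to resolve identity ambiguity)."""
    if not chain_is_valid(cert, now):
        return ("REJECT", "certificate chain invalid or expired")
    objects = find_objects(cert.subject_cn, directory)
    if not objects:
        return ("REJECT", "identity not found in AD")
    # Binary comparison: the presented bytes must equal a userCertificate value on the object.
    holders = [o for o in objects if cert.der in o["userCertificate"]]
    if mode == "always":
        if not holders:
            return ("REJECT", "binary comparison failed: AD holds a different certificate")
        return ("ACCEPT", holders[0]["dn"])
    if mode == "ambiguity":
        if len(objects) == 1:
            # Single match: the stored certificate is never consulted.
            return ("ACCEPT", objects[0]["dn"])
        if len(holders) != 1:
            return ("REJECT", "ambiguous identity not resolved by binary comparison")
        return ("ACCEPT", holders[0]["dn"])
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample data: one computer object, re-enrolled with a new certificate.
FUTURE = datetime(2019, 1, 1, tzinfo=timezone.utc)
PAST = datetime(2017, 1, 1, tzinfo=timezone.utc)
CURRENT_CERT = ClientCert("LAPTOP01", "CN=Corp-Issuing-CA", FUTURE, b"der:LAPTOP01:serial-2")
STALE_CERT = ClientCert("LAPTOP01", "CN=Corp-Issuing-CA", FUTURE, b"der:LAPTOP01:serial-1")
EXPIRED_CERT = ClientCert("LAPTOP01", "CN=Corp-Issuing-CA", PAST, b"der:LAPTOP01:serial-0")
UNTRUSTED_CERT = ClientCert("LAPTOP01", "CN=Other-CA", FUTURE, b"der:LAPTOP01:other")
UNKNOWN_CERT = ClientCert("LAPTOP99", "CN=Corp-Issuing-CA", FUTURE, b"der:LAPTOP99:serial-1")

DIRECTORY = [
    {"dn": "CN=LAPTOP01,OU=Workstations,DC=corp,DC=example", "cn": "LAPTOP01",
     "userCertificate": [CURRENT_CERT.der]},   # serial-1 has been removed from AD
]


def compare_modes(cert, directory=DIRECTORY):
    """Decision under each setting, for side-by-side comparison."""
    return {m: authorize(cert, directory, m)[0] for m in ("always", "ambiguity")}


if __name__ == "__main__":
    for name, cert in [("current", CURRENT_CERT), ("stale", STALE_CERT),
                       ("expired", EXPIRED_CERT), ("untrusted CA", UNTRUSTED_CERT),
                       ("unknown identity", UNKNOWN_CERT)]:
        print(f"{name:17s} {compare_modes(cert)}")
```

Running it shows that the expired, untrusted-CA and unknown-identity cases are rejected under both settings, which matches the test results reported in the answer above. The only row that changes is the stale certificate: "Always perform binary comparison" rejects it because the bytes no longer match the `userCertificate` attribute, while "Only to resolve identity ambiguity" accepts it because a single AD object matched the identity and the stored certificate is never consulted. In practice that means revocation (CRL/OCSP) becomes the only way to invalidate a certificate that is still within its validity period, so a certificate removed from AD but not revoked at the CA keeps working.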