04-23-2024 12:32 PM - edited 04-23-2024 12:33 PM
Please see the attached file. When a Windows client connects to the network and its supplicant is configured to send the computer certificate, what exactly is the PSN doing with this certificate? In the attachment I have a use of Lab_dot1x_Certs (see 8021x-Certauth.jpg). The configuration of Lab_dot1x_Certs is seen in External Identity.jpg, also attached. The config of sub.lab.com can be seen in the file sub.lab.com.png. I'm assuming that the PSN (let's say ise-04.sub.lab.com gets the cert; its role is only PSN) gets the client cert and does something with it... but what in detail is it doing?
04-24-2024 12:34 AM - edited 04-24-2024 12:35 AM
Hi
According to the external identity configuration you sent, the PSN is looking at the common name (CN) attribute in the certificate. If you are using Machine Authentication, CN = hostname.domain; if you are using User Authentication, CN = username@domain. The PSN looks up the information provided by the certificate CN attribute in your AD domain.
04-24-2024 04:47 AM
Hi @murat001, how is the PSN looking into AD? Is it going over TCP 389, 636, 3268, 3269 or RPC? What credential is the PSN using? I would guess it would use the PSN's computer account since they are joined to AD. In the example of the ise-04 PSN is it going to ONLY connect to SUB-DC1.sub.lab.com? There are other DCs in the sub.lab.com AD domain and there are additional DCs that support the LAB.com AD domain.
04-24-2024 09:56 AM
You build what we call a certificate profile.
This profile identifies the user by a specific part of its cert.
Then this certificate profile is used in authz (or authc) to send specific attributes to the SW/WLC.
So what you need to look for is the certificate profile.
MHM
04-24-2024 06:20 AM
Yes, the ISE PSN uses its machine account to query AD. Each ISE node joins one DC (selection of the particular domain controller depends upon the DNS query). In case the existing domain controller fails, ISE will query again to find another available one.
04-24-2024 06:47 AM
What port does the PSN query on AD?
04-24-2024 06:54 AM
@ryanbess the list of ports is under the External Identity Sources and Resources (Outbound) section of the guide below
04-24-2024 09:45 AM
Thanks Rob. Continuing on with the example, if a cert is presented that has the below, I'm assuming the PSN would make an LDAP call. What's unclear to me is whether it would check 389 (LDAP) or 3268 (GC). In my lab I have a root AD domain of lab.com and a child domain of sub.lab.com. It's possible the computer object could come from either AD domain. Just trying to understand the mechanics behind how the PSN gets the cert, then asks AD "Do you have a computer object with CN=XXXXXXX" when XXXXXX could be in a number of AD domains. But in my example, does it only ask TCP 389 or does it also ask 3268, which I would expect to have some attributes about all computer objects in the forest? Multiple AD domains just make things difficult...
04-24-2024 10:38 AM
@rynbaess please take a look at this guide. You can find many answers there.
And if your different domains trust each other, you can see this on the whitelist domain tab in the ext identity source > AD > Whitelist domain. If a usable whitelisted domain exists, the CN attribute can be looked up in all domains.
I guess the machine CN attribute will be looked up over the RPC protocol, and it will use port 3268 to search for any attributes.
Good luck
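To make the mechanics discussed in this thread concrete, here is an added worked example (constructed for this page, not ISE or Cisco code, and it makes no network connection). It parses the subject DN of a client certificate, classifies the CN the way the replies above describe (machine auth: hostname.domain, user auth: user@domain), and plans the directory query: a domain-scoped LDAP search on TCP 389 when the CN's domain is the one the PSN is joined to, or a Global Catalog search on TCP 3268 when the CN belongs to another whitelisted domain in the same forest. The AD attributes it uses (dNSHostName, userPrincipalName) are standard schema attributes, but mapping the CN onto them, the choice of base DN, and the reject-if-not-whitelisted rule are assumptions for illustration; the thread does not show ISE's actual internal query. The filter-escaping step is included because a CN is attacker-chosen input if the issuing CA is ever compromised.

```python
"""Constructed example: certificate CN -> AD lookup plan (389 vs 3268). Not ISE code."""
from dataclasses import dataclass
from typing import List, Tuple

LDAP_PORT = 389   # domain-scoped LDAP on the joined DC
GC_PORT = 3268    # Global Catalog: partial replica of every domain in the forest


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an RFC 4514 DN string into (attribute, value) pairs.

    Honours backslash escapes, so 'CN=Smith\\, John' is not split on the
    escaped comma. Whitespace around separators is dropped.
    """
    pairs: List[Tuple[str, str]] = []
    buf: List[str] = []
    key, escaped = None, False
    for ch in dn:
        if escaped:                      # literal char after a backslash
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and key is None:  # first '=' of an RDN ends the attribute name
            key, buf = "".join(buf).strip(), []
        elif ch == ",":
            if key is None:
                raise ValueError(f"malformed DN: {dn!r}")
            pairs.append((key, "".join(buf).strip()))
            key, buf = None, []
        else:
            buf.append(ch)
    if key is None:
        raise ValueError(f"malformed DN: {dn!r}")
    pairs.append((key, "".join(buf).strip()))
    return pairs


def get_cn(subject_dn: str) -> str:
    """Return the first CN of the subject, the field the cert profile above selects."""
    for attr, value in parse_dn(subject_dn):
        if attr.upper() == "CN":
            return value
    raise ValueError("certificate subject has no CN")


@dataclass
class Identity:
    kind: str     # "machine" or "user"
    name: str     # hostname or username
    domain: str   # DNS domain, lower-cased


def classify_cn(cn: str) -> Identity:
    """Split the CN into type, name and domain using the two forms from the thread."""
    if "@" in cn:
        user, domain = cn.rsplit("@", 1)
        return Identity("user", user, domain.lower())
    host, _, domain = cn.partition(".")
    if not domain:
        raise ValueError(f"CN {cn!r} is neither user@domain nor hostname.domain")
    return Identity("machine", host, domain.lower())


def ldap_escape(value: str) -> str:
    """Escape RFC 4515 filter metacharacters so a crafted CN cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def base_dn_for(domain: str) -> str:
    return ",".join("DC=" + label for label in domain.split("."))


@dataclass
class LookupPlan:
    dc: str             # DC the node is joined to (assumed to also serve the GC)
    port: int           # 389 (domain) or 3268 (GC)
    base_dn: str
    search_filter: str


def plan_lookup(identity: Identity, joined_domain: str, joined_dc: str,
                whitelisted_domains: List[str], forest_root: str) -> LookupPlan:
    """Where would a node joined to joined_domain look for this identity? (assumed rules)"""
    if identity.kind == "machine":   # computer object: dNSHostName holds the FQDN
        flt = f"(&(objectClass=computer)(dNSHostName={ldap_escape(identity.name + '.' + identity.domain)}))"
    else:                            # user object: UPN matches the user@domain form
        flt = f"(&(objectClass=user)(userPrincipalName={ldap_escape(identity.name + '@' + identity.domain)}))"
    joined_domain = joined_domain.lower()
    if identity.domain == joined_domain:
        return LookupPlan(joined_dc, LDAP_PORT, base_dn_for(joined_domain), flt)
    if identity.domain in {d.lower() for d in whitelisted_domains}:
        return LookupPlan(joined_dc, GC_PORT, base_dn_for(forest_root), flt)
    raise LookupError(f"domain {identity.domain!r} is not whitelisted; reject the auth")


if __name__ == "__main__":
    # Constructed subject DNs for the lab in the thread (node joined to sub.lab.com).
    lab = ("sub.lab.com", "SUB-DC1.sub.lab.com", ["lab.com", "sub.lab.com"], "lab.com")
    print(plan_lookup(classify_cn(get_cn("CN=host01.sub.lab.com,OU=Computers,DC=sub,DC=lab,DC=com")), *lab))
    print(plan_lookup(classify_cn(get_cn("CN=jdoe@lab.com,OU=Users,DC=lab,DC=com")), *lab))
```

Run it and compare the two plans: the computer object from the joined domain is searched on the DC over 389 with a base of DC=sub,DC=lab,DC=com, while the user from the parent domain goes to the Global Catalog on 3268 with the forest-root base. A CN whose domain is not in the whitelist is rejected before any query is built, which is the behaviour the whitelist setting is there to enforce.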
04-25-2024 10:04 AM
Any idea how they were able to see that traffic in the clear in those pcaps? I'm sure there's some policy on the DC that is disabled, but I can't figure out which one it is.