10-03-2024 05:02 AM
Hi all,
When using a Certificate Authentication Profile (CAP) without Active Directory or other supported external identity stores, does the CAP search ISE internal identity store for identity matches based on defined certificate fields?
Thanks
10-03-2024 04:43 PM
My understanding of the purpose of the CAP is to simply extract an identity from the certificate, whichever field you tell it to (e.g. Subject Common Name). Since there is no password involved in a certificate, the "authentication" of that identity has to be done elsewhere. One option is to see if that identity exists in AD and assert the authentication that way. Else, by not looking up the identity in AD, we can still assert that the identity has been authenticated by virtue of the trust relationship that ISE has with the Issuer of that certificate. You could argue that we don't even need to look up the identity in AD (if it even exists there) because the authenticity of the cert is good enough.
As you know, later on during Authorization, we can use that extracted identity to perform AuthZ against internal ISE database (Group membership), or AD, LDAP, etc.
That's how I see it anyway.
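Added illustration (not part of the original post and not Cisco/ISE code): a small Python model of the flow the answer describes, using the `cryptography` package. It builds an in-memory trusted CA, an impostor CA with the same name, and client certificates, then runs the three steps: check that the issuer is in the trust store (the actual "authentication"), extract the identity from the configured certificate field, and optionally require that identity to exist in a store before authorization uses it for group membership. The field names `SUBJECT_CN`/`SAN_EMAIL`, the `IDENTITY_STORE` contents and the certificate names are assumptions chosen for the example; production ISE also performs revocation checking, which this sketch omits.

```python
"""Toy model of an ISE Certificate Authentication Profile (CAP) decision.
Added illustration, not Cisco/ISE code. Builds an in-memory trusted CA, an impostor
CA and client certs, then applies the flow described in the thread: trust the issuer,
extract the identity from the configured field, optionally check a store, authorize."""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

# Constructed stand-in for the ISE internal identity store (or AD): identity -> groups.
IDENTITY_STORE = {"alice": ["Employees", "VPN-Users"], "printer-07": ["Printers"]}

def _build_cert(cn, pub_key, issuer_cert, issuer_key, is_ca, san_email=None):
    """Issue a cert for `cn`; self-signed when issuer_cert is None."""
    now = dt.datetime.now(dt.timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(subject)
         .issuer_name(issuer_cert.subject if issuer_cert else subject)
         .public_key(pub_key).serial_number(x509.random_serial_number())
         .not_valid_before(now - dt.timedelta(days=1))
         .not_valid_after(now + dt.timedelta(days=30))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if san_email:
        b = b.add_extension(x509.SubjectAlternativeName([x509.RFC822Name(san_email)]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def make_ca(name):
    key = ec.generate_private_key(ec.SECP256R1())
    return key, _build_cert(name, key.public_key(), None, key, is_ca=True)

def issue_client(ca_key, ca_cert, cn, san_email=None):
    key = ec.generate_private_key(ec.SECP256R1())
    return _build_cert(cn, key.public_key(), ca_cert, ca_key, is_ca=False, san_email=san_email)

def issuer_is_trusted(cert, trusted_cas):
    """The real 'authentication' behind a CAP: a valid signature from a CA in the trust
    store, inside the validity window. (Revocation checking is omitted in this toy.)"""
    utc = dt.timezone.utc
    now = dt.datetime.now(utc)
    not_before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=utc)
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=utc)
    if not (not_before <= now <= not_after):
        return False
    for ca in trusted_cas:
        if cert.issuer != ca.subject:       # issuer name must match a trusted CA ...
            continue
        try:                                # ... and the signature must verify with that CA's key
            ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
            return True
        except InvalidSignature:
            continue
    return False

def extract_identity(cert, field):
    """Mimic the CAP 'use identity from' setting. Field names here are illustrative."""
    if field == "SUBJECT_CN":
        attrs = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
        return attrs[0].value if attrs else None
    if field == "SAN_EMAIL":
        try:
            san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
        except x509.ExtensionNotFound:
            return None
        emails = san.get_values_for_type(x509.RFC822Name)
        return emails[0] if emails else None
    raise ValueError(f"unsupported identity field {field!r}")

def cap_authenticate(cert, trusted_cas, field="SUBJECT_CN", identity_store=None):
    """CAP decision: issuer trust alone authenticates when identity_store is None;
    with a store, the extracted identity must also exist in it."""
    if not issuer_is_trusted(cert, trusted_cas):
        return {"status": "REJECT", "reason": "issuer not trusted or certificate not valid"}
    identity = extract_identity(cert, field)
    if identity is None:
        return {"status": "REJECT", "reason": f"certificate carries no {field}"}
    if identity_store is not None and identity not in identity_store:
        return {"status": "REJECT", "reason": f"{identity!r} not found in identity store"}
    return {"status": "ACCEPT", "identity": identity}

def authorize(identity, identity_store):
    """Authorization phase: the extracted identity is used for group lookup."""
    return list(identity_store.get(identity, []))

def demo():
    ca_key, ca_cert = make_ca("Corp Issuing CA")          # in ISE's trust store
    rogue_key, rogue_cert = make_ca("Corp Issuing CA")    # impostor: same name, different key
    alice = issue_client(ca_key, ca_cert, "alice", san_email="alice@example.com")
    rogue_alice = issue_client(rogue_key, rogue_cert, "alice")  # same CN, untrusted signer
    trusted = [ca_cert]
    r = {
        "cn_no_store": cap_authenticate(alice, trusted),
        "cn_with_store": cap_authenticate(alice, trusted, identity_store=IDENTITY_STORE),
        "san_no_store": cap_authenticate(alice, trusted, field="SAN_EMAIL"),
        # the chosen field must match how the store names users: the e-mail is not a key
        "san_with_store": cap_authenticate(alice, trusted, "SAN_EMAIL", IDENTITY_STORE),
        "rogue_cn": cap_authenticate(rogue_alice, trusted),
    }
    r["alice_groups"] = authorize(r["cn_no_store"]["identity"], IDENTITY_STORE)
    return r
```

Running `demo()` shows the two points made above: the impostor certificate with CN `alice` is rejected even though the identity string is perfectly good, because only the issuer trust authenticates it, and the same certificate passes or fails the optional store lookup depending on which field the profile is told to read.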