Certificate based authentication in ISE

sqambera
Level 1

Hello,

I am trying to develop an understanding of certificate-based authentication using EAP-TLS in ISE. My question is: do we really need a Certificate Authentication Profile (CAP) even if we only need to perform certificate-based authentication and are not interested in configuring authorization rules based on which field of the certificate has been specified as the username in the CAP? I am asking this because I think that, to do certificate-based authentication, ISE probably just needs to check the validity of the certificate and whether it has been signed by a CA, which it can check by looking in its certificate store. Please let me know if I have the wrong concept.

I am keen to know the whole purpose of the CAP. I read in a book that:

To validate the identity ISE must make sure the credentials are valid. In the case of certificate-based authentications, it must determine whether:

- The digital certificate has been issued and signed by a trusted certificate authority (CA).
- The certificate has expired (checks both the start and end dates).
- The certificate has been revoked.
- The client has provided proof of possession.
- The certificate presented has the correct key usage, critical extensions, and extended key usage values present.

So, in the points listed above, where specifically is the CAP used?

Thanks for taking time to answer.

Regards,

Qamber


nspasov
Cisco Employee

Hello Qamber,

A CAP is needed because it has to be referenced as an Identity Store in your Authentication policy. Without a CAP configured you will only be able to reference ISE's internal stores and any other identity stores (if configured) such as Active Directory, LDAP, etc.

I hope this helps!

Thank you for rating helpful posts!

Thanks Neno. If the CAP is used as the identity store for the authentication policy, then:

1. We know that an identity store is used for verifying authentication credentials. How is a CAP used for verifying authentication credentials? When we configure a CAP we just have to specify which field of the certificate will be used as the principal username. What happens afterwards? For example, when we perform authentication based on username and password, ISE checks in AD whether those credentials exist or not. Where and what does ISE check in the case of a CAP? I want to know how the certificate is checked by ISE.

2. If a CAP is an identity store, why can we only use it in an identity source sequence? Why can't we use it in an authentication rule alone, as we can with AD or the internal identity source?

3. What happens when, in an identity source sequence that is used in an authentication rule, a CAP is specified along with other identity sources? How does the authentication process work in such a scenario?

Thanks a lot for taking the time to help me understand it.

Best regards,

Qamber

Hi Qamber, I will try to answer your points as best as I can :)

#1) I am not really sure what the ISE mechanics are when it comes to the CAP. However, this is a snippet from Cisco's Design Guide:

Certificate authentication profiles (CAPs) are used in authentication policies for certificate-based authentications. The CAP defines certain attributes in the certificate to view and use as an additional identity source. For example, if the username is in the CN= field of the certificate, you will create a CAP that examines the CN= field. That data may then be used and checked against other identity sources, such as Active Directory.

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_60_byod_certificates.pdf

#2) You should be able to define a CAP and use it as an Identity Store without the need to place it in a Sequence. I have done this many times and just re-confirmed that it is possible in my lab. Please check again :)

#3) An Identity Store Sequence allows you to examine more than one Identity Store. In addition, it defines the order in which Identity Sources are queried. Once a match is found, the process stops and the information is returned to ISE.

Thank you for rating helpful posts!
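To make the division of labour concrete, here is an added example (not code from the thread, from Cisco, or from ISE itself) that models the three stages discussed in this thread: the certificate checks from the book's list that happen before any CAP is involved, the CAP's single job of naming which certificate field is the principal username, and an identity source sequence that is queried in order and stops at the first store that knows the principal. It uses only Go's standard `crypto/x509` package against a throwaway CA it generates itself; the CA, client certificate, usernames and the "Internal Users" / "Active Directory" maps are all constructed fixture data, and `capAttribute`, `identityStore`, `authenticate` and the other names are this example's own, not ISE API names. Revocation checking (CRL/OCSP) is left out, and proof of possession is not something you can read off the certificate at all: in EAP-TLS it is established by the TLS handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// buildTestPKI creates a throwaway root CA and issues one client certificate from it.
// Constructed fixture data for this example only; it panics on failure because it is setup code.
func buildTestPKI(cn, email string, eku []x509.ExtKeyUsage, notAfter time.Time) (caCert, clientCert *x509.Certificate) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Lab Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(48 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	caCert, _ = x509.ParseCertificate(caDER)
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
	}
	if email != "" {
		clientTmpl.EmailAddresses = []string{email} // encoded as a SAN rfc822Name entry
	}
	clientDER, err := x509.CreateCertificate(rand.Reader, clientTmpl, caCert, &clientKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	clientCert, _ = x509.ParseCertificate(clientDER)
	return caCert, clientCert
}

// validateClientCert is the part of the book's list that is pure certificate validation and
// needs no CAP: trusted issuer chain, validity window (start and end), and a client-auth EKU.
// Revocation is not modelled; proof of possession is done by the TLS handshake, not here.
func validateClientCert(cert *x509.Certificate, trusted *x509.CertPool, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       trusted,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// capAttribute stands in for the CAP setting "use this certificate attribute as the principal username".
type capAttribute int

const (
	capSubjectCN capAttribute = iota // Subject - Common Name
	capSANEmail                      // Subject Alternative Name - rfc822Name
)

// principalFromCert does what a CAP does: it validates nothing, it only names the
// identity found inside an already-validated certificate.
func principalFromCert(cert *x509.Certificate, attr capAttribute) (string, error) {
	switch attr {
	case capSubjectCN:
		if cert.Subject.CommonName != "" {
			return cert.Subject.CommonName, nil
		}
	case capSANEmail:
		if len(cert.EmailAddresses) > 0 {
			return cert.EmailAddresses[0], nil
		}
	}
	return "", errors.New("selected CAP attribute is absent from the certificate")
}

// identityStore stands in for one store in an identity source sequence (internal users, AD, ...).
type identityStore struct {
	name  string
	users map[string]bool
}

// resolveInSequence queries the stores in order and stops at the first one that knows the principal.
func resolveInSequence(principal string, seq []identityStore) (string, bool) {
	for _, s := range seq {
		if s.users[principal] {
			return s.name, true
		}
	}
	return "", false
}

// authenticate chains the three stages and reports which store finally matched the principal.
func authenticate(cert *x509.Certificate, trusted *x509.CertPool, now time.Time, attr capAttribute, seq []identityStore) (string, error) {
	if err := validateClientCert(cert, trusted, now); err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err)
	}
	principal, err := principalFromCert(cert, attr)
	if err != nil {
		return "", err
	}
	if store, ok := resolveInSequence(principal, seq); ok {
		return store, nil
	}
	return "", fmt.Errorf("principal %q not found in any identity store", principal)
}

func main() {
	now := time.Now()
	ca, client := buildTestPKI("qamber", "qamber@example.test", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, now.Add(24*time.Hour))
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	seq := []identityStore{{"Internal Users", map[string]bool{"admin": true}}, {"Active Directory", map[string]bool{"qamber": true}}}
	fmt.Println(authenticate(client, pool, now, capSubjectCN, seq))
}
```

The point the example makes is the one the thread circles around: an expired certificate, one from an untrusted CA, or one issued with only a server-auth EKU is rejected by `validateClientCert` before `principalFromCert` ever runs, so none of those checks depend on the CAP. The CAP only decides whether "qamber" (from the CN) or "qamber@example.test" (from the SAN) is the name that the sequence then looks up, and the sequence stops at "Active Directory" because "Internal Users" does not know that name.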

Many thanks Neno for your time and effort in answering my questions, especially for verifying it in the lab. I'll probably be bothering you later with more questions :)

No problem! Glad I was able to help! :)

Peter Koltl
Level 7

Without a Certificate Authentication Profile, ISE tries only password-based authentication methods and does not attempt to authenticate the session with a certificate.