02-22-2017 03:12 AM
Hi all,
My customer would like to match the CN of the user certificate during EAP-TLS authentication against the usernames within the local user database on ISE, retrieve group membership and apply an authorization profile based on that. If I understand the config guide, this is not possible today; the customer needs LDAP or AD to do that. My customer says that on ACS this is possible.
Is there any other way to achieve that on ISE?
Thanks in advance.
Roland
02-22-2017 05:10 AM
You are right on both counts. On ACS you can use EAP-TLS to authenticate the internal users. Here is the table from the User Guide for Cisco Secure Access Control System 5.8 showing that this is possible:
And here is the table from the Cisco Identity Services Engine Administrator's Guide, Release 2.2 showing that EAP-TLS authentication to the internal users identity store is not supported:
These are currently the latest releases for both products. Since we cannot discuss Roadmap items, I would suggest you reach out to the Product Management Team for further information.