Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
365
Views
0
Helpful
3
Replies

Cisco ISE EAP-TLS authentication method

mtar
Level 1
Level 1

‎05-08-2024 02:34 AM

Hello!

My question is that when using EAP-TLS as an authentication method both the client and the server shows it certificate and mutual trust is established, but does confirmation happen in this case against the configured authentication source like an LDAP AD? (Like a lookup for that user.)

Based on this snippet it only happens in the authentication phase if I configre Binary Comparsion, otherwise in later when authorizations take takes place:

"If the identity store is to be pointed to Active Directory or LDAP (external identity source), then a feature called Binary Comparison can be used. Binary Comparison performs a lookup of the identity in Active Directory obtained from the client certificate from the Use Identity From selection, which occurs during the ISE Authentication phase. Without Binary Comparison, the identity is simply obtained from the client certificate and is not looked up in Active Directory until the ISE Authorization phase when an Active Directory External Group is used as a condition, or any other conditions that would need to be performed externally to ISE. "

The problem which triggerd this that we have to integrate ISE with Entra ID (formerly Azure AD). And in that case during EAP-TLS authentication the lookup is made based on the client Certificate UPN. And this lookup is executed on Graph API not LDAP for attributes and group memberships. And in the authorization phase the retrieved attributes are used, no further querry is made. (according to this guide: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html) But how does the authN policy knows where to authenticate the user? The configured Certificate authen Profile does not contain the Entra ID or any outher source.

 

Thanks!

 

0 Helpful
3 Replies 3

antisocial11224
Level 1
Level 1

‎05-08-2024 03:44 AM

@mtar wrote:

Hello!

My question is that when using EAP-TLS as an authentication method both the client and the server shows it certificate and mutual trust is established, but does confirmation happen in this case against the configured authentication source like an LDAP AD? (Like a lookup for that user.)

Based on this snippet it only happens in the authentication phase if I configre Binary Comparsion, otherwise in later when authorizations take takes place:

"If the identity store is to be pointed to Active Directory or LDAP (external identity source), then a feature called Binary Comparison can be used. Binary Comparison performs a lookup of the identity in Active Directory obtained from the client certificate from the Use Identity From selection, which occurs during the ISE Authentication phase. Without Binary Comparison, the identity is simply obtained from the client certificate and is not looked up in Active Directory until the ISE Authorization phase when an Active Directory External Group is used as a condition, or any other conditions that would need to be performed externally to ISE. "

The problem which triggerd this that we have to integrate ISE with Entra ID (formerly Azure AD). And in that case during EAP-TLS authentication the lookup is made based on the client Certificate UPN. And this lookup is executed on Graph API not LDAP for attributes and group memberships. And in the authorization phase the retrieved attributes are used, no further querry is made. (according to this guide: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html) But how does the authN policy knows where to authenticate the user? The configured Certificate authen Profile does not contain the Entra ID or any outher source.

 

Thanks!

 

To ensure proper authentication and authorization in the context of EAP-TLS authentication with Cisco ISE, it's crucial to configure the authentication source and Certificate Authentication Profile correctly. During the authentication phase, the Certificate Authentication Profile handles the processing of client certificates, while the configured Identity Store, such as LDAP, Active Directory, or Entra ID (formerly Azure AD), determines where authentication queries are directed. If Binary Comparison is enabled, ISE performs a lookup of the identity in the configured authentication source using information from the client certificate.

This lookup occurs during the ISE Authentication phase. Subsequently, in the Authorization phase, conditions that require querying external sources, such as LDAP or Active Directory, are performed to determine access rights based on group memberships and attributes. Therefore, to integrate ISE with Entra ID, ensure that the Identity Store settings within ISE are configured to point to Entra ID as the authentication source. This ensures that authentication queries during EAP-TLS authentication are directed to Entra ID (Azure AD) for user authentication, facilitating a seamless authentication and authorization process.

0 Helpful

mtar
Level 1
Level 1
In response to antisocial11224

‎05-08-2024 05:00 AM

I'm sorry but you are wrong: "It is important to understand that ISE is not capable of performing Authentication against Entra ID."

Thats from the official Cloud AD guide.

0 Helpful

Greg Gibbs
Cisco Employee
Cisco Employee

‎05-08-2024 03:41 PM

With Entra ID, ISE performs the REST ID lookup based on condition in the Authorization Policy (e.g. [REST ID]:ExternalGroups equals <group>)

See examples and current available options with Entra ID here:
Cisco ISE with Microsoft Active Directory, Entra ID, and Intune 

0 Helpful
Customers Also Viewed These Support Documents