ā05-08-2024 02:34 AM
Hello!
My question is that when using EAP-TLS as an authentication method both the client and the server shows it certificate and mutual trust is established, but does confirmation happen in this case against the configured authentication source like an LDAP AD? (Like a lookup for that user.)
Based on this snippet it only happens in the authentication phase if I configre Binary Comparsion, otherwise in later when authorizations take takes place:
"If the identity store is to be pointed to Active Directory or LDAP (external identity source), then a feature called Binary Comparison can be used. Binary Comparison performs a lookup of the identity in Active Directory obtained from the client certificate from the Use Identity From selection, which occurs during the ISE Authentication phase. Without Binary Comparison, the identity is simply obtained from the client certificate and is not looked up in Active Directory until the ISE Authorization phase when an Active Directory External Group is used as a condition, or any other conditions that would need to be performed externally to ISE. "
The problem which triggerd this that we have to integrate ISE with Entra ID (formerly Azure AD). And in that case during EAP-TLS authentication the lookup is made based on the client Certificate UPN. And this lookup is executed on Graph API not LDAP for attributes and group memberships. And in the authorization phase the retrieved attributes are used, no further querry is made. (according to this guide: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html) But how does the authN policy knows where to authenticate the user? The configured Certificate authen Profile does not contain the Entra ID or any outher source.
Thanks!
ā05-08-2024 03:44 AM
@mtar wrote:Hello!
My question is that when using EAP-TLS as an authentication method both the client and the server shows it certificate and mutual trust is established, but does confirmation happen in this case against the configured authentication source like an LDAP AD? (Like a lookup for that user.)
Based on this snippet it only happens in the authentication phase if I configre Binary Comparsion, otherwise in later when authorizations take takes place:
"If the identity store is to be pointed to Active Directory or LDAP (external identity source), then a feature called Binary Comparison can be used. Binary Comparison performs a lookup of the identity in Active Directory obtained from the client certificate from the Use Identity From selection, which occurs during the ISE Authentication phase. Without Binary Comparison, the identity is simply obtained from the client certificate and is not looked up in Active Directory until the ISE Authorization phase when an Active Directory External Group is used as a condition, or any other conditions that would need to be performed externally to ISE. "
The problem which triggerd this that we have to integrate ISE with Entra ID (formerly Azure AD). And in that case during EAP-TLS authentication the lookup is made based on the client Certificate UPN. And this lookup is executed on Graph API not LDAP for attributes and group memberships. And in the authorization phase the retrieved attributes are used, no further querry is made. (according to this guide: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html) But how does the authN policy knows where to authenticate the user? The configured Certificate authen Profile does not contain the Entra ID or any outher source.
Thanks!
To ensure proper authentication and authorization in the context of EAP-TLS authentication with Cisco ISE, it's crucial to configure the authentication source and Certificate Authentication Profile correctly. During the authentication phase, the Certificate Authentication Profile handles the processing of client certificates, while the configured Identity Store, such as LDAP, Active Directory, or Entra ID (formerly Azure AD), determines where authentication queries are directed. If Binary Comparison is enabled, ISE performs a lookup of the identity in the configured authentication source using information from the client certificate.
This lookup occurs during the ISE Authentication phase. Subsequently, in the Authorization phase, conditions that require querying external sources, such as LDAP or Active Directory, are performed to determine access rights based on group memberships and attributes. Therefore, to integrate ISE with Entra ID, ensure that the Identity Store settings within ISE are configured to point to Entra ID as the authentication source. This ensures that authentication queries during EAP-TLS authentication are directed to Entra ID (Azure AD) for user authentication, facilitating a seamless authentication and authorization process.
ā05-08-2024 05:00 AM
I'm sorry but you are wrong: "It is important to understand that ISE is not capable of performing Authentication against Entra ID."
Thats from the official Cloud AD guide.
ā05-08-2024 03:41 PM
With Entra ID, ISE performs the REST ID lookup based on condition in the Authorization Policy (e.g. [REST ID]:ExternalGroups equals <group>)
See examples and current available options with Entra ID here:
Cisco ISE with Microsoft Active Directory, Entra ID, and Intune
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide