05-08-2024 02:34 AM
Hello!
My question is that when using EAP-TLS as an authentication method both the client and the server show their certificates and mutual trust is established, but does confirmation happen in this case against the configured authentication source like an LDAP AD? (Like a lookup for that user.)
Based on this snippet it only happens in the authentication phase if I configure Binary Comparison; otherwise it happens later, when authorization takes place:
"If the identity store is to be pointed to Active Directory or LDAP (external identity source), then a feature called Binary Comparison can be used. Binary Comparison performs a lookup of the identity in Active Directory obtained from the client certificate from the Use Identity From selection, which occurs during the ISE Authentication phase. Without Binary Comparison, the identity is simply obtained from the client certificate and is not looked up in Active Directory until the ISE Authorization phase when an Active Directory External Group is used as a condition, or any other conditions that would need to be performed externally to ISE."
The problem which triggered this is that we have to integrate ISE with Entra ID (formerly Azure AD). And in that case, during EAP-TLS authentication the lookup is made based on the client certificate UPN. And this lookup is executed on the Graph API, not LDAP, for attributes and group memberships. And in the authorization phase the retrieved attributes are used; no further query is made. (According to this guide: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/218197-configure-ise-3-2-eap-tls-with-azure-act.html) But how does the authN policy know where to authenticate the user? The configured Certificate Authentication Profile does not contain the Entra ID or any other source.
Thanks!
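The question above turns on how the Certificate Authentication Profile obtains the identity from the client certificate before any directory lookup happens. The following is an added example, not code from this thread or from Cisco: it encodes and parses the SubjectAlternativeName GeneralNames a client certificate carries and picks out the UPN otherName (OID 1.3.6.1.4.1.311.20.2.3) and the rfc822Name that "Use Identity From" can select. The function names and the sample identity values are constructed for illustration.

```python
# Added example, not from the thread or Cisco docs: a small DER encoder/decoder for the
# SubjectAlternativeName values from which ISE's Certificate Authentication Profile picks
# the identity ("Use Identity From"). The Microsoft UPN sits in an otherName GeneralName.
# DER content bytes of the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3 (value is a UTF8String)
UPN_OID_DER = bytes.fromhex("2b060104018237140203")

def _tlv(tag, body):  # DER tag-length-value, short or long-form length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read_tlv(buf, pos):  # -> (tag, value bytes, position after the element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def build_san(upn=None, email=None):
    """Encode GeneralNames: otherName [0] {OID, [0] EXPLICIT UTF8String}, rfc822Name [1]."""
    names = b""
    if upn:
        names += _tlv(0xA0, _tlv(0x06, UPN_OID_DER) + _tlv(0xA0, _tlv(0x0C, upn.encode())))
    if email:
        names += _tlv(0x81, email.encode("ascii"))
    return _tlv(0x30, names)

def san_identities(san_der):
    """Identity candidates ISE could select from the SAN: 'upn' and/or 'email'."""
    tag, body, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SAN extension value must be a SEQUENCE")
    ids, pos = {}, 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # otherName: match the type-id before trusting the value
            _, oid, p = _read_tlv(val, 0)
            _, wrapped, _ = _read_tlv(val, p)  # the [0] EXPLICIT wrapper
            vtag, s, _ = _read_tlv(wrapped, 0)
            if oid == UPN_OID_DER and vtag == 0x0C:
                ids["upn"] = s.decode("utf-8")
        elif tag == 0x81:  # rfc822Name
            ids["email"] = val.decode("ascii")
    return ids

def sample_san():  # constructed sample values, not taken from a real certificate
    return build_san(upn="jdoe@corp.example", email="jdoe@corp.example")
```

Whichever of these values the profile selects is the string ISE later hands to the external identity source (Active Directory for Binary Comparison, or the REST ID lookup for Entra ID); the SAN itself carries no pointer to that source.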
05-08-2024 05:00 AM
I'm sorry but you are wrong: "It is important to understand that ISE is not capable of performing Authentication against Entra ID."
That's from the official Cloud AD guide.
05-08-2024 03:41 PM
With Entra ID, ISE performs the REST ID lookup based on a condition in the Authorization Policy (e.g. [REST ID]:ExternalGroups equals <group>)
See examples and current available options with Entra ID here:
Cisco ISE with Microsoft Active Directory, Entra ID, and Intune