01-14-2018 12:48 PM
Current situation: the campus includes 6 companies with separate AD and PKI.
Required to authorize users based on their client certificate.
In the traditional way (if we had only one tenant):
Authentication rule > if Auth “Dot1x” --> then --> Authenticate against “Cert-Auth”
Authorization rule > if User “part of groupX” --> then --> “Auth_profile”
In our case 6 tenants mean 6 different ADs and PKIs. So how can it be done? (with and without trust between the different ADs).
For example:
Without trust
Then you should differentiate between each request in order to send it to a specific authentication sequence.
So in the authentication phase, is the domain listed in the RADIUS attributes? Or is there any attribute we can get to send the authentication to its Cert-Profile?
And in case trust exists between the different ADs, will one certificate profile be enough?
01-15-2018 10:09 AM
First of all, each ISE node uses one and only one system certificate for its EAP server, so that can be signed by only one PKI: self-signed, signed by one of the PKIs of the 6 companies, or signed by a well-known outside CA (e.g. DigiCert). The client supplicants will need to accept and trust either that ISE EAP server certificate directly or its root CA certificate.
As to authentication using EAP-TLS, the RADIUS.User-Name dictionary attribute can be used to direct requests to a particular certificate auth profile. We may use the same cert auth profile if the user identity is represented in the same certificate field and if the identity store is selected as either [not applicable] or All_AD_Join_Points. AD trusts mainly affect the number of AD join points.
01-26-2018 02:39 PM
If ISE should be configured to authorize users based on group attributes:
Let's say the username that exists in AD1 is “user”. While issuing the client certificate, the CN should be “user” in the certificate attributes. If you need to differentiate with another factor plus the username,
is it applicable to capture more than one attribute? In the certificate authentication profile you can find two options:
1. Retrieve only one attribute as the common name “CN”
2. Retrieve a generic check on certificate attributes
Option 1
Each will authenticate the user and retrieve “CN” in all AD join points.
In this scenario, ISE performance may be affected as you send each auth request to all tenants, and the user may match in multiple domains.
Option 2
I cannot find more explanation to make sure this way is better?
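As an added example (not code from this thread or from Cisco ISE), the following Python models the two routing approaches discussed above: a domain-qualified RADIUS User-Name (UPN or NetBIOS form) selects one tenant's certificate auth profile and join point directly, whereas a bare CN has to be looked up in every join point and can match in more than one domain. The tenant table, profile names and account lists are constructed for illustration.

```python
from typing import Dict, Optional, Set, Tuple

# Constructed tenant table: UPN suffix -> (NetBIOS name, cert auth profile, join point).
TENANTS = {
    "corp-a.example": ("CORPA", "CAP_CorpA", "JP_CorpA"),
    "corp-b.example": ("CORPB", "CAP_CorpB", "JP_CorpB"),
    "corp-c.example": ("CORPC", "CAP_CorpC", "JP_CorpC"),
}
NETBIOS_TO_SUFFIX = {v[0]: k for k, v in TENANTS.items()}

# Constructed stand-in for the accounts visible through each AD join point.
DIRECTORY: Dict[str, Set[str]] = {
    "corp-a.example": {"alice", "bob"},
    "corp-b.example": {"bob", "carol"},
    "corp-c.example": {"dave"},
}


def parse_identity(user_name: str) -> Tuple[str, Optional[str]]:
    """Split a RADIUS User-Name into (account, upn_suffix or None)."""
    if "@" in user_name:                      # UPN form: user@corp-a.example
        account, suffix = user_name.rsplit("@", 1)
        return account.lower(), suffix.lower()
    if "\\" in user_name:                     # NetBIOS form: CORPA\user
        netbios, account = user_name.split("\\", 1)
        # Unknown NetBIOS name falls back to a bare lookup (suffix None).
        return account.lower(), NETBIOS_TO_SUFFIX.get(netbios.upper())
    return user_name.lower(), None            # bare CN / sAMAccountName


def select_profile(user_name: str) -> Dict[str, object]:
    """Choose the cert auth profile and join point(s) for an identity."""
    account, suffix = parse_identity(user_name)
    if suffix is not None:                    # qualified identity: one lookup
        if suffix not in TENANTS:
            return {"status": "unknown-tenant", "account": account}
        _, profile, join_point = TENANTS[suffix]
        found = account in DIRECTORY[suffix]
        return {"status": "ok" if found else "not-found", "account": account,
                "profile": profile, "join_points": [join_point], "lookups": 1}
    # Bare identity: every join point must be queried (the cost noted above).
    hits = [s for s in TENANTS if account in DIRECTORY[s]]
    if len(hits) == 1:
        _, profile, join_point = TENANTS[hits[0]]
        return {"status": "ok", "account": account, "profile": profile,
                "join_points": [join_point], "lookups": len(TENANTS)}
    status = "ambiguous" if hits else "not-found"   # same CN in several ADs
    return {"status": status, "account": account,
            "join_points": [TENANTS[s][2] for s in hits], "lookups": len(TENANTS)}
```

An "ambiguous" result is the case to watch for when the certificate carries only a bare CN: the supplicant cannot be authorized safely until the identity is qualified by domain.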