616 Views, 4 Helpful, 1 Reply

EAP-TLS authentication flow in ISE

kushar.gowda
Level 1

Hi,

We have an SSID configured for EAP-TLS authentication, where endpoints have different certificate templates configured for user and machine authentication. From ISE, we have a certificate authentication profile configured to validate all subject and alternative names for lookup in AD, to include attributes from the different certificate templates.

We have observed that ISE behaves differently for each certificate template with respect to authentication flow.

We wanted to understand how ISE gets to know whether a certificate is from a user template or a machine template, and the detailed steps followed by ISE for authentication when it receives endpoint certificates from different templates.

Accepted Solution

Greg Gibbs
Cisco Employee

The CAP (Cert Auth Profile) is used by ISE to determine what attribute in the certificate is used for identity. This identity is used in the logs as well as when ISE is also configured to check that identity against an external identity store (like AD) using an Identity Source Sequence.

As per the Admin Guide:
"If you choose Any Subject or Alternative Name Attributes in the Certificate, Active Directory UPN will be used as the username for logs and all subject names and alternative names in a certificate will be tried to look up a user. This option is available only if you choose Active Directory as the identity source."

ISE does not determine whether the session is a computer or user authentication by the certificate. With Windows, the supplicant is what tells ISE whether the session is related to computer or user. If the supplicant is configured for 'User or computer authentication', Windows will present the computer certificate when in the computer state (pre-user-login, or when the user logs off) and the user certificate when in the user state.

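Editor's added example (not code from the thread, Greg Gibbs or Cisco): the reply above boils down to "the CAP only extracts identity strings from the certificate; nothing in those strings says user or machine". The script below builds two constructed SubjectAltName extensions shaped like a typical AD machine certificate (dNSName plus a host$@domain UPN) and a user certificate (UPN plus rfc822Name), then lists every subject/SAN value that the "Any Subject or Alternative Name Attributes in the Certificate" option would try against AD. The hostnames, user name and domain are made up, the DER encoder/decoder is a minimal one written here (no `cryptography` dependency), and the order in which ISE really tries the values is not documented on this page, so the function simply returns them in certificate order.

```python
"""Enumerate the identity candidates a Cert Auth Profile can pull from a cert.

Constructed example: the machine/user SANs are built inline, no CA involved.
"""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft User Principal Name otherName


# ---- minimal DER helpers (short- and long-form lengths) ----------------------
def der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                      # base-128, high bit = continuation
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf: bytes):
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body


# ---- GeneralName builders (RFC 5280 SubjectAltName) --------------------------
def san_dns(name: str) -> bytes:       # dNSName [2] IMPLICIT IA5String
    return tlv(0x82, name.encode("ascii"))


def san_email(addr: str) -> bytes:     # rfc822Name [1] IMPLICIT IA5String
    return tlv(0x81, addr.encode("ascii"))


def san_upn(upn: str) -> bytes:        # otherName [0] { OID, [0] EXPLICIT UTF8String }
    return tlv(0xA0, encode_oid(UPN_OID) + tlv(0xA0, tlv(0x0C, upn.encode("utf-8"))))


def build_san(*names: bytes) -> bytes: # GeneralNames ::= SEQUENCE OF GeneralName
    return tlv(0x30, b"".join(names))


# ---- parser: what a CAP can see in the SAN -----------------------------------
def parse_san(der: bytes):
    tag, body = next(iter_tlvs(der))
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    found = []
    for t, b in iter_tlvs(body):
        if t == 0x82:
            found.append(("dNSName", b.decode("ascii")))
        elif t == 0x81:
            found.append(("rfc822Name", b.decode("ascii")))
        elif t == 0xA0:                                    # otherName
            (_, oid_body), (_, explicit) = list(iter_tlvs(b))[:2]
            inner_tag, inner = next(iter_tlvs(explicit))
            if decode_oid(oid_body) == UPN_OID and inner_tag == 0x0C:
                found.append(("UPN", inner.decode("utf-8")))
            else:
                found.append(("otherName:" + decode_oid(oid_body), inner.hex()))
        else:
            found.append(("GeneralName[%d]" % (t & 0x1F), b.hex()))
    return found


def identity_candidates(subject_cn: str, san_der: bytes):
    """Every value 'Any Subject or Alternative Name Attributes' could try in AD.
    Order here is certificate order; ISE's real lookup order is not shown on this page."""
    return [("Subject CN", subject_cn)] + parse_san(san_der)


# Constructed certificates: nothing below carries a "user" or "machine" marker.
MACHINE_CN, MACHINE_SAN = "host01.corp.example.com", build_san(
    san_dns("host01.corp.example.com"), san_upn("host01$@corp.example.com"))
USER_CN, USER_SAN = "Jane Doe", build_san(
    san_upn("jdoe@corp.example.com"), san_email("jdoe@corp.example.com"))

if __name__ == "__main__":
    for label, cn, san in (("machine template", MACHINE_CN, MACHINE_SAN),
                           ("user template", USER_CN, USER_SAN)):
        print(label)
        for source, value in identity_candidates(cn, san):
            print("   %-12s %s" % (source, value))
```

Run it and compare the two lists: both are just strings for AD to look up. Which certificate is presented is the supplicant's decision (computer state vs user state on Windows), and in ISE the template only becomes visible if you write a policy condition on certificate attributes yourself; the CAP will not infer it.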