ISE 2.7 EAP-TLS only with specific intermediate CA

Hello,

We are planning to migrate to PEAP and EAP-TLS as authentication methods.
We have a Root CA and several intermediate CAs (first and second), all on Microsoft.
We've imported the Root CA and intermediate CA (first) certificates into Trusted Certificates on ISE.
We want ISE to accept client certificates for EAP-TLS authentication that are issued only by the first intermediate CA.
When we select the certificate usage "Trust for client authentication and Syslog" for ROOT-CA, ISE accepts client certificates for EAP-TLS authentication that are issued by the first and the second intermediate CA.
When we unselect the certificate usage "Trust for client authentication and Syslog" for ROOT-CA, ISE doesn't accept client certificates for EAP-TLS authentication that are issued by any intermediate CA.
TAC answered that this is expected behavior from ISE; this behavior change is discussed in this defect:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp75207

Is there any way to configure ISE so that it accepts client certificates for EAP-TLS authentication that are issued only by the first intermediate CA?
For example, on Cisco ASA we use
crypto ca certificate map
issuer-name attr dc eq
issuer-name attr dc eq
issuer-name attr cn eq
Is there something like that on ISE?


3 Replies

Arne Bier (VIP)

Have you tried to tick the Root-CA cert to allow Intermediate 1 and Intermediate 2, and then perform checks that look into the Client Cert itself? You can perform checks for the Client certificate Issuer (e.g. Issuer Starts with "Intermediate 2", to allow auth for clients whose certs were issued by Intermediate 2).

 

Not sure if I grasped the problem entirely.

"...perform checks that look into the Client Cert itself..."

How can such a check be performed on ISE?

Accepted Solution

You can perform this check in Authentication (a fictitious example below). That could be useful to select a particular Certificate Profile (i.e. WHERE to look in the cert for the user identity, e.g. in the Subject or in the SAN). It's not needed if you can safely use the same Certificate Profile for any type of client EAP-TLS auth, but it's useful if some client certs publish the identity in the Subject and other client certs contain the user identity info in the SAN.

[screenshot: ACME.PNG]

Then during Authorization you can do the same thing again, this time checking the CERTIFICATE ISSUER details to decide how to treat the request. If you need to match on Issuer "ACME PKI 02" to return some RADIUS result, you can do as follows:

[screenshot: ACME2.PNG]

 

 
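The two replies above (tick the root so both intermediates chain, then filter on the client certificate's Issuer in policy) can be checked offline with the following model. This is an added example written for this page, not Cisco or ISE code: the trust-store step is reduced to what the original poster observed (a chain is accepted only when its root carries the client-authentication usage, which admits every intermediate under it), and the issuer filter is applied afterwards as a policy condition, the way the accepted answer does it in Authorization. The CA names, the ISSUED_BY map and the ASA_STYLE_MAP conditions are constructed for the demo; the operator names mirror the Equals / Starts with / Contains operators ISE offers on CERTIFICATE dictionary attributes.

```python
"""Offline model of the ISE decision discussed in this thread (added example,
not Cisco code). Trust-store behaviour is reduced to what the original poster
observed: a client cert is accepted only when the chain's ROOT carries the
"Trust for client authentication" usage, which admits every intermediate under
it. The issuer filter from the accepted answer is then applied as a policy
condition. All CA names and the ISSUED_BY map are constructed for the demo."""
from __future__ import annotations

# Constructed PKI: one root, two intermediates issued by it (subject -> issuer).
ROOT = "CN=ACME Root CA, DC=acme, DC=local"
INT_1 = "CN=ACME PKI 01, DC=acme, DC=local"
INT_2 = "CN=ACME PKI 02, DC=acme, DC=local"
ISSUED_BY = {ROOT: ROOT, INT_1: ROOT, INT_2: ROOT}


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 string ("CN=x, DC=y") into (type, value) pairs.
    A backslash escapes the next character, so "CN=ACME\\, Inc" stays one RDN."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def chain_trusted_for_client_auth(issuer: str, trusted_roots: set[str]) -> bool:
    """Trust-store step (authentication). Walk issuer -> issuer's issuer until a
    self-signed CA is reached and accept only if that root has the client-auth
    usage. Matches the thread: ticking the root admits both intermediates,
    unticking it rejects both even though intermediate 1 is imported."""
    ca = issuer
    while ISSUED_BY.get(ca, ca) != ca:
        ca = ISSUED_BY[ca]
    return ca in trusted_roots


# Operators as ISE exposes them on CERTIFICATE dictionary attributes.
OPERATORS = {
    "EQUALS": lambda value, target: value == target,
    "STARTS_WITH": lambda value, target: value.startswith(target),
    "CONTAINS": lambda value, target: target in value,
}


def issuer_condition(issuer_dn: str, attribute: str, operator: str, target: str) -> bool:
    """One policy condition, e.g. ("CN", "STARTS_WITH", "ACME PKI 02") for
    'Issuer - Common Name STARTS WITH ...'. attribute "DN" tests the whole
    issuer string; multi-valued types such as DC match if any value does."""
    if attribute == "DN":
        values = [issuer_dn]
    else:
        values = [v for a, v in parse_dn(issuer_dn) if a == attribute.upper()]
    return any(OPERATORS[operator](v, target) for v in values)


def eap_tls_decision(client_issuer: str, trusted_roots: set[str],
                     conditions: list[tuple[str, str, str]]) -> str:
    """Authentication (trust store) then authorization (issuer conditions)."""
    if not chain_trusted_for_client_auth(client_issuer, trusted_roots):
        return "AUTH_FAIL"     # chain rejected before any policy runs
    if not all(issuer_condition(client_issuer, *c) for c in conditions):
        return "DENY_ACCESS"   # trusted chain, but not the intermediate we want
    return "PERMIT"


# Equivalent of the ASA "crypto ca certificate map" in the question (hypothetical
# values): every DC and the CN must match exactly, not just a prefix.
ASA_STYLE_MAP = [("DC", "EQUALS", "acme"), ("DC", "EQUALS", "local"),
                 ("CN", "EQUALS", "ACME PKI 01")]

if __name__ == "__main__":
    for intermediate in (INT_1, INT_2):
        print(intermediate, "->", eap_tls_decision(intermediate, {ROOT}, ASA_STYLE_MAP))
    # Prefix matching on the whole issuer is looser: both intermediates pass.
    print(issuer_condition(INT_2, "DN", "STARTS_WITH", "CN=ACME PKI 0"))
```

Two things worth keeping in mind when building the real condition in ISE: because of the behaviour in CSCvp75207 the trust store cannot be the place that excludes the second intermediate, so the issuer condition (and a deny on the default rule) is the only enforcement point; and an exact match on Issuer - Common Name plus the Domain Component values, like the ASA map in the question, is tighter than a Starts with on the whole Issuer string, which as the last line of the demo shows can match more than one CA.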
