Roger,
When you check the "Trust for Client Authentication and Syslog" option on any cert you import in the Trusted certificate section of ISE you are telling ISE that that CA can issue client certs and ISE can authenticate them.
The issue you have to watch out for is the cert structure on each of the CAs. Ideally, the cert templates in each CA would place identity information in a similar location. Most modern templates should be using the SAN field to hold identity information. If that is the case, then you can setup one cert profile that tells ISE to check the SAN field for identity information. You have the option to tie your cert profile into AD as well, which I would do in your case.
So assuming you have a cert profile that checks that extract identity information from the SAN field here is what would happen during authentication/authorization.
- Authentication- ISE will authenticate the presented certificate to ensure that the cert is not expired, it was issued by a CA that has the "Trust for Client Authentication" enabled, and that the cert is not revoked (assuming you have revocation checking enabled). As part of this process the identity information will be extracted from the cert using the cert profile specified, i.e. SAN field.
- Authorization- you can do AD group checks. ISE will take the extracted identity information and do AD checks. Note: if the identity in the certificate is not a fully qualified object (user or computer) you may need to set the advanced option in your AD configuration to have ISE check all whitelisted domains for to find the object. If you don't set that setting, ISE will only check the domain it is joined to.
If the CAs don't have consistent identity placement in their templates then you need to create multiple cert profile and have multiple authentication rules to direct ISE to the correct cert profile based on what CA issued the cert.
Hope this helps. Craig let me know if I misstated anything. This is how I explain the process to my customers.
