ISE 3.2 active directory authorization condition

jcatanzaro
Level 1

Quick context - ISE 3.2 distributed deployment.  802.1x authentication policy sets have the following as our primary authZ policy for corporate machines:

[screenshot: jcatanzaro_0-1717682598776.png]

The question I have is based on the external group condition.  Is ISE looking for a user certificate to pull the identity from and then validate via AD lookup?  Or is it somehow grabbing the windows session credentials instead?


Our machines get both machine and user certificates. Because we're using the Windows native supplicant, we just match on the issuer to keep things simpler. Not sure if that's even the right thing to do, but it seems to mostly be working.


The reason I ask about how ISE gets the identity to validate against AD is because we're evaluating how we're deploying certificates and whether certain ones are needed or not.

4 Replies

It is pulling the username from the certificate, whatever is configured within your Certificate Authentication Profile selected in the authc.

OK, so since we're set to "Any Subject or Alternative Name Attributes in the Certificate (for Active Directory Only)", it's taking any identity in the certificate (CN, SAN, etc.) and checking it against AD. That being the case, if the device presents a machine certificate, it shouldn't pass that rule because the machine would not be a member of Domain Users.

In most cases it does look like the machine is passing a user cert for this purpose. However, we have the native supplicant set to "user or machine auth"; it seems like we should be restricting that to user auth, since we get the machine validation from the Intune check.

There are some cases where we need machine only, but those could probably be configured specifically for that.  Shared workstations on the factory floor as an example.


Is there any best practice doc for using the Windows native supplicant?
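As an added illustration of the flow discussed in this thread (this is not code from the thread or from Cisco ISE): a toy model that takes candidate identities from a certificate's SAN and subject, resolves the first one that exists in a directory, and then checks group membership. The in-memory directory, the sample certificates, the mapping of DNS names and host-style CNs to computer accounts, and the candidate order (SAN UPN, then SAN e-mail, then SAN DNS, then subject CN) are all constructed assumptions for this example, not ISE's documented behaviour. It shows why a machine certificate resolves to a computer account and therefore fails a "member of Domain Users" condition, while a contractor's user certificate passes it.

```python
# Added illustration (not Cisco ISE code): a toy model of "take an identity from
# the certificate, then check it against AD group membership". The directory,
# certificates and the candidate order (SAN UPN, SAN e-mail, SAN DNS, subject CN)
# are constructed assumptions for this example, not ISE's documented behaviour.
from dataclasses import dataclass

# Constructed in-memory "directory": sAMAccountName -> group memberships.
# Computer accounts carry the trailing '$' the way AD stores them.
DIRECTORY = {
    "jdoe": {"Domain Users", "Corp-Laptop-Users"},
    "contractor1": {"Domain Users", "Contractors"},
    "LAPTOP01$": {"Domain Computers"},
    "FLOORWS07$": {"Domain Computers", "Factory-Shared"},
}


@dataclass
class Cert:
    issuer: str
    subject_cn: str
    san: list  # (kind, value) pairs, e.g. ("UPN", "jdoe@corp.example")


def _to_sam(kind, value):
    """Map a certificate name form to the account name the directory would hold."""
    if kind in ("UPN", "EMAIL"):
        return value.split("@", 1)[0]
    if kind == "DNS" or "." in value or value.startswith("host/"):
        host = value[len("host/"):] if value.startswith("host/") else value
        return host.split(".", 1)[0].upper() + "$"  # computer account
    return value  # a bare CN such as "jdoe"


def candidate_identities(cert):
    """Identities the toy model tries, in order, mirroring 'any subject or SAN attribute'."""
    for kind in ("UPN", "EMAIL", "DNS"):
        for san_kind, value in cert.san:
            if san_kind == kind:
                yield kind, _to_sam(kind, value)
    yield "CN", _to_sam("CN", cert.subject_cn)


def evaluate(cert, required_issuer, required_group, directory=DIRECTORY):
    """Return a dict describing whether the cert would satisfy the authZ rule."""
    if cert.issuer != required_issuer:
        return {"permit": False, "identity": None, "reason": "issuer mismatch"}
    for kind, sam in candidate_identities(cert):
        groups = directory.get(sam)
        if groups is None:
            continue  # this attribute resolves to no account; try the next one
        member = required_group in groups
        return {
            "permit": member,
            "identity": sam,
            "source": kind,
            "reason": ("member of " if member else "not a member of ") + required_group,
        }
    return {"permit": False, "identity": None, "reason": "no directory account matched"}


# Constructed sample certificates.
USER_CERT = Cert("CN=Corp Issuing CA", "John Doe", [("UPN", "jdoe@corp.example")])
MACHINE_CERT = Cert("CN=Corp Issuing CA", "laptop01.corp.example", [("DNS", "laptop01.corp.example")])
CONTRACTOR_CERT = Cert("CN=Corp Issuing CA", "contractor1", [("EMAIL", "contractor1@vendor.example")])
FOREIGN_CERT = Cert("CN=Other CA", "jdoe", [("UPN", "jdoe@corp.example")])

if __name__ == "__main__":
    for name, cert in [("user", USER_CERT), ("machine", MACHINE_CERT),
                       ("contractor", CONTRACTOR_CERT), ("foreign", FOREIGN_CERT)]:
        print(name, evaluate(cert, "CN=Corp Issuing CA", "Domain Users"))
```

Running it shows the user and contractor certificates permitted on "Domain Users", the machine certificate denied because it resolves to LAPTOP01$ (a member of Domain Computers only), and the foreign-issuer certificate rejected before any lookup. The same machine certificate is permitted when the required group is "Domain Computers", which is the kind of separate machine-only rule the thread mentions.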

Are we sure the machine use case is actually occurring? Or is it actually hitting this rule and not a different one?

Yes, there are some machines hitting the machine only rules:

[screenshot: jcatanzaro_0-1717696589436.png]

Most of them are legitimately presenting machine certificates, some with user identities (contractors), which is something I need to figure out separately from all this.