Hi,

   Although not a common scenario, you should be able to make it work as follows:

1. Ensure your CAP / Certificate Authentication Profile does not rely on AD for the authentication phase; when you create the CAP, leave the Identity field empty, to prevent ISE from performing an AD query/lookup; also ensure that "Binary Comparison" option is unchecked, to also prevent ISE perform AD lookup during authentication phase; ensure to configure which certificate attribute / field you want ISE to use as Identity, ideally pick something which is not specific to an endpoint (like CN or SAN), rather pick a filed which has the same value for all certificate issued to any endpoint.

2. When configuring authorization policy, ensure you don't use AD lookup as condition, rather use a certificate match criteria that matches on whatever certificate attribute you've mentioned in previous step as Identity.

Least but not last, ensure that the building the above, you're not matching on other requests that might reach ISE, so you're not accidentally authenticating and authorising other endpoint as well.

Thanks,

Cristian.

Hi @Rob Ingram @Cristian Matei 

My CAP is configured as per attachment and there is no option to "exclude" such AD lookup as far as I can tell..

However, even though I can see in log entries that processing is trying to query domain for an identity check:

Please note that obviously we use ISE and AD integration for other use cases so identity check is required normally, but trying to fit in with other use case to simply authorize specific clients based on certificate attribute (SAN entry) to verify just validity/trust of such client based on certificate and if so, than authorization policy should assign correct VLAN for the client...

I don't have policy rule with condition to refer to AD lookup. Well at least not that i would be aware of.

I know ISE is a beast though I would normally expect in CAP to simply say "don't validate identity" to keep it simple, though not simple as that. 

Hi, yes I have a client to test this policy with and I can always see in log details (steps) involving identity lookup which shouldn't be happening, to my understanding.

Policy is quite simple.

Policy matching criteria is based on Wired_802.1X using TLS so client and server (ISE) needs to trust each other.

In authentication part there is "Network Access:AuthenticationMethod = x509_PKI" checking content of the SAN entry within certificate presented by client. The authentication part looks to succeed..

And within Authorization part, it looks matching rule is missed. Though, still it jsut check SAN entry for specific content and doing "Network Access: EapAuthentication = EAP-TLS" with specic authorization results to assign such client to vlan X.

It is just that simple and that is why I'm not sure where it Identity lookup is comming from as I have not specified it to what I can tell So either, ISE always tries to do identity lookup and has no influence on the actual processing result or it does influence result somehow while using TLS and 802.1X.

I can give a try, though this would be quite unfortunate as Windows 11 are by nature manage through EntraID and therefore are not part of internal domain ISE uses for identity lookups...That is the reason why we are looking into verification of the certificate and specific SAN content with hope ISE will not do identity lookup! Otherwise it might be quite difficult to find anything else as certificate is the thing to be used for client validation without AD identity lookup.

I can try to test next week hopefully Worst case I can crosscheck with TAC if assumption is correct or not. Thank you