ISE and WLC Certificate Authentication

techguy_cisco
Level 1

Hello,

I want to understand certificate authentication (machine authentication only) through WLC and ISE. I don't have any questions about the WLC configuration, but I would like to ask some questions about the ISE configuration:

- Trusted certificates: if I have multiple machines on the network inside a domain, I understand that I do not have to install all of these machines' certificates in ISE, do I? I understand that it would only be necessary to configure the root CA of these certificates as trusted; is that right?

- I understand that Certificate Authentication Profile is configured to define the Certificate's attribute that ISE is going to check.

- In the Identity Source Sequence, it is mandatory to link it to the Certificate Authentication Profile configured previously. Here I am not sure about the Authentication Search List; an AD association can be configured here. What would be the utility of this configuration?

- Once we've configured the previous points, we can create the authentication policy specifying that NetworkAccess EapAuthentication has to be EAP-TLS and link this authentication policy with the Identity Source Sequence created previously. What does ISE do at this point? I understand that it only checks whether the root CA of the client's certificate is trusted and whether the certificate is valid... but I am not sure.

- In the authorization policy, would it be possible to create rules checking a specific field of the client's certificate?

I've been checking this guide: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html#anc12

Thank you very much.

Accepted Solution

Colby LeMaire
VIP Alumni

Your understanding is correct for most of it.  For certificate authentication, you only need to have the Root CA/Intermediate CA certificates that issued your clients' certificates.  As long as ISE trusts the Root/Intermediate, then the clients' authentications will pass.  The Certificate Authentication Profile (CAP) is used to identify which field in the certificate will be used as the identity.  If you choose a field here that does not exist in the user machine's certificate, authentication will fail.  You need to choose a field that will allow you to identify the identity of the machine connecting.  "Subject" or "Common Name" is appropriate in most environments.  Very seldom, you may need to use a "Subject Alternative Name" so that attribute lookups into Active Directory work fine.  Just depends on how your certificates are issued/configured.

In the identity source sequence, you select the CAP and then add Active Directory if you wanted to do additional checks for authorization.  For example, authentication only validates that the certificate presented is valid and trusted.  ISE then moves on to the authorization policy.  At that point, you could also check to ensure that the computer identity is a member of Domain Computers before allowing access.  ISE would grab the identity that it captured from the authentication process (Subject, Common Name, or Subject Alternative Name) and use that to do a lookup into Active Directory for group membership.

Finally, you could also check other certificate attributes in your authorization policy such as "Issued By" or "Certificate Template."
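The three checks Colby lays out (does the machine certificate chain to the CA you trust, which field carries the identity the CAP will pull, and what issuer value an "Issued By" rule would match) can be rehearsed with openssl before anything is imported into ISE. This is an added shell example, not code from the thread or from Cisco; the lab root CA, the machine name PC01.lab.example, its SAN and the second "Other Root CA" are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this thread (not Cisco's or the poster's code): reproduces
# the three checks Colby describes on a throw-away lab PKI, so a machine
# certificate can be tested before its issuing CA is imported into ISE.
#  1) chain validation  = the "Trusted Certificates" store in ISE
#  2) identity field    = what the Certificate Authentication Profile extracts
#  3) issuer name       = the value an "Issued By" authorization rule matches
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed lab PKI: one root CA, one domain machine cert with a SAN, and an
# unrelated CA to show what an untrusted issuer looks like.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=PC01.lab.example" \
  -keyout "$WORK/pc01.key" -out "$WORK/pc01.csr" 2>/dev/null
printf 'subjectAltName=DNS:PC01.lab.example\nextendedKeyUsage=clientAuth\n' \
  > "$WORK/ext.cnf"
openssl x509 -req -in "$WORK/pc01.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -out "$WORK/pc01.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other Root CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null

# 1) Does the client cert chain to the trust anchor?  $1 = CA file, $2 = client cert
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 2) Identity as a CAP would read it.  $1 = client cert, $2 = CN or SAN
cap_identity() {
  case "$2" in
    CN)  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
           | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p' ;;
    SAN) openssl x509 -in "$1" -noout -text \
           | sed -n 's/^ *DNS:\([^,]*\).*/\1/p' | head -n 1 ;;
  esac
}

# 3) Issuer DN, the value an "Issued By" authorization condition would match.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

if chains_to "$WORK/ca.pem" "$WORK/pc01.pem"; then echo "chain: trusted"; fi
if ! chains_to "$WORK/other.pem" "$WORK/pc01.pem"; then echo "chain: untrusted issuer"; fi
echo "CAP identity (CN):  $(cap_identity "$WORK/pc01.pem" CN)"
echo "CAP identity (SAN): $(cap_identity "$WORK/pc01.pem" SAN)"
echo "issued by: $(issuer_of "$WORK/pc01.pem")"
```

`openssl verify` also rejects an expired or not-yet-valid certificate, the same validity check the authentication phase applies. The Active Directory group lookup that the identity source sequence enables has no offline equivalent here; if the CAP field you pick is empty for a machine, that is the "authentication will fail" case Colby mentions.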

Thank you very much for your help Colby.