ISE binary comparison

donnie
Level 1

Hi all,

I am using ISE 2.4 with Windows AD for my environment's 802.1X.

I am using both user and machine cert authentication. I have also enabled the option "always perform binary comparison" for both my user and machine cert authentication profiles.

With reference to the following, taken from (https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html), how does ISE retrieve the cert from my AD?

"The certificate authentication profile determines the field where the username is taken from in order to lookup the user in Active Directory to be used for retrieving certificates, for example, Subject Alternative Name (SAN) or Common Name. After Cisco ISE retrieves the certificate, it performs a binary comparison of this certificate with the client certificate. When multiple certificates are received, Cisco ISE compares the certificates to check for one that matches. When a match is found, the user or machine authentication is passed."

Accepted Solution

Francesco Molino
VIP Alumni
Hi

If you go into your AD Users console and enable Advanced Features from the View menu, then go to a user, for example, you should see a "Published Certificates" tab showing the actual user certificate. This is an attribute you can get from an LDAP search, and this is the info ISE gets to do a binary comparison between the one retrieved from AD and the one presented by the user.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
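The lookup-then-compare flow from the quoted ISE documentation and the answer above, as an added Python example (not Cisco's or ISE's code). The "Published Certificates" tab edits the multi-valued userCertificate LDAP attribute, which computer objects also carry even though ADUC shows no tab for them; the sample directory below is constructed, and the filter shape used for the lookup is an assumption, not ISE's actual query.

```python
import hashlib
import hmac

# Constructed stand-in for what the LDAP search returns: the multi-valued
# userCertificate attribute (one DER-encoded X.509 blob per value), keyed by
# sAMAccountName. Real values are full certificates; short stand-ins are used here.
SAMPLE_DIRECTORY = {
    "alice": [b"\x30\x82DER:alice:2018", b"\x30\x82DER:alice:2019"],  # two published certs
    "WS01$": [b"\x30\x82DER:ws01:2019"],                                # machine account
    "bob": [],                                                          # nothing published
}


def ldap_escape(value: str) -> str:
    """Escape a value taken from a client-certificate field (SAN or CN) before it
    is placed in an LDAP filter (RFC 4515), so a crafted field cannot change the search."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def build_lookup_filter(username: str, machine: bool) -> str:
    """Assumed filter shape for the AD lookup; the exact filter ISE sends is not on the page."""
    object_class = "computer" if machine else "user"
    return "(&(objectClass=%s)(sAMAccountName=%s))" % (object_class, ldap_escape(username))


def fetch_published_certs(directory: dict, username: str) -> list:
    """Stand-in for the LDAP search: return the userCertificate values of the account."""
    return list(directory.get(username, []))


def binary_compare(client_cert_der: bytes, published: list) -> bool:
    """Byte-for-byte match of the presented certificate against every published one;
    any single match passes, as the quoted ISE text describes. Digests keep the
    comparison fixed-length so compare_digest can be used."""
    presented = hashlib.sha256(client_cert_der).digest()
    return any(hmac.compare_digest(presented, hashlib.sha256(c).digest()) for c in published)


def authenticate(directory: dict, username: str, machine: bool, client_cert_der: bytes) -> bool:
    """Lookup followed by binary comparison. An account with no published
    certificate (or a cert from another issuer with the same names) does not match."""
    return binary_compare(client_cert_der, fetch_published_certs(directory, username))


if __name__ == "__main__":
    print(build_lookup_filter("ali*ce)(cn=*", False))  # special characters are escaped
    print(authenticate(SAMPLE_DIRECTORY, "alice", False, b"\x30\x82DER:alice:2019"))   # True
    print(authenticate(SAMPLE_DIRECTORY, "alice", False, b"\x30\x82DER:alice:rogue"))  # False
    print(authenticate(SAMPLE_DIRECTORY, "WS01$", True, b"\x30\x82DER:ws01:2019"))     # True
```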


5 Replies


Hi Francesco,

Thank you very much for your advice. Indeed, my user AD objects have a "Published Certificates" tab, but my computer objects don't. Yet the binary comparison option is enabled for my machine authentication profile, and my machines are able to authenticate successfully. Any reason why?

There's also a mapping between the machine account and the machine certificate.
I believe you can see it using ADSI Edit, if I'm not mistaken, but for sure the mapping is there and is fetched using LDAP by ISE.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello Francesco,

I have the same problem too. Would you please kindly advise which attribute is used for the LDAP fetch in AD? Thank you.

fitera8889
Level 1

I appreciate your advice very much. Although my computer objects lack the "Published Certificates" tab, my user AD objects do have it. Additionally, the binary comparison option is enabled for my machine authentication profile, and my machines can successfully complete it. Can you explain why this is helpful?