Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
684
Views
0
Helpful
2
Replies

ISE Cert Auth Profile - Smart Search

nadeekha
Level 1
Level 1

‎07-29-2016 08:17 AM

My customer is still in the pilot phase of ISE deployment- Wired only. / EAP Chaining with NAM.

For the Certificate Auth Profile there is a legacy mode which uses one attribute from the certificate I.e SAN. We now also have smart search that can use all certificate attributes for potential identities.

When we are selecting the Smart Search option (Use Identity from > Any Subject or Alternative Name Attributes in the Certificate (for Active Directory Only) we are experiencing that the overall authentication process from an AD Search perspective is taking much longer and very high auth latency is being experienced. The moment we go back to the Certificate Auth Profile and select the Certificate Attribute to Subject Alternative name we see the latency is reduced considerably. Some how the smart search option is not working as expected. 

Can I have some clarifications about this smart search functionality. Am I doing it wrong? Are there any caveats to consider?

Thanks in advance

Nadeem Khan

0 Helpful
2 Replies 2

hslai
Cisco Employee
Cisco Employee

‎07-29-2016 09:30 AM

If you are unable to open a TAC case on this, then we might need to work offline on this. I would need a copy of the sample certificate and AD debug logs with and without smart search.

It could be as simple as missing indices for some attributes. See Performance Tuning for Active Directory Servers - Windows 10 hardware dev

0 Helpful

hslai
Cisco Employee
Cisco Employee

‎08-01-2016 08:11 AM

Slides 114 ~ 118 of What's new in ISE Active Directory connector (2016 Berlin) explains how smart search works. For Cisco internal, you may also look up NPI slides #8 and #10 on AD 1.3 Troubelshooting.

In essence, all subject and subject alternative name fields are extracted from the certificate and used for identity resolution. On the ISE side, this is optimized into a single search by combining all identities in the search filters.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents