Beginner

ISE Certificate Authentication Profile: Using LDAP Only to resolve identity ambiguity

Hi

For ISE BYOD the certificates are issued and stored internally on ISE.

On ISE the BYOD certificate template only allows the Common Name for the certificate to be the UserName.

My users' credentials are hosted on an LDAP server, so when the user is onboarding to the BYOD service they are initially authenticated against the employee LDAP server.

As part of my security process, when performing EAP cert authentication I wish to confirm that the UserName (the certificate Common Name, CN) is still active/valid on the LDAP server.

The Certificate Authentication Profile only allows "Always perform binary comparison" for LDAP servers, i.e. it assumes that the certificate is stored on the LDAP server, which causes the authentication to fail. It does not allow the "Only to resolve identity ambiguity" option.

How can I check the UserName is valid on the LDAP server as part of the EAP authentication?

Accepted Solution
Cisco Employee

From past experience, when using a direct LDAP Identity Store, ISE will not extract the name from the certificate's subject to send it via LDAP for verification. It will only check the certificate validity via binary comparison, therefore the binary comparison option cannot be disabled.

If you cannot store the certificate in LDAP, the options to work around this include using Active Directory integration instead (if AD is your LDAP store), or using a CAP with the Identity Store set to 'not applicable' and using the Authorization Policy to check for a valid user via group membership.

Cheers,

Greg

VIP Advisor

Try to create an authorization rule that matches BYOD endpoints, looks at the CN in the certificate and validates its group membership in AD. If you disable your users in AD or move them to an inactive group, then authorization will fail.
Hi

Thanks for your recommendations.

I will need to test the Certificate Common Name against its LDAP group membership(s). I have been trying to configure this without success. I assume this is not testable at the Authentication stage, only the Authorisation?

I have configured the LDAP connection to include the Attributes memberOf and sAMAccountName. I have configured the condition:

CERTIFICATE:Subject – Common Name CONTAINS Test_LDAP.memberOf

I am obviously missing something in my condition. Could you be kind enough to point me in the direction of the correct configuration to test the Cert CN against the LDAP group membership?

Thanks in advance.


You don't need to specify in the AuthZ Policy where ISE should look for the identity in the certificate. The attribute you specify in the CAP (Common Name, Subject Alt Name, etc) will be used by ISE for the identity.

In your AuthZ Policy, you would specify the External Group of which the user (or computer) is a member.

Example:

<LDAP_ID_Source>:ExternalGroups EQUALS <LDAP_Group>


Cheers,

Greg
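The two-stage flow that both replies above describe (the CAP takes the identity from the certificate Subject CN without touching LDAP, and the authorization rule then checks that identity's external group membership) can be modelled in a few lines. The script below is an added illustration written for this thread; it is not ISE code and it does not talk to a real directory. The directory entries, group DN and certificate subjects are constructed sample data, and the "enabled" flag stands in for an administrator disabling the account or moving it to an inactive group, the case the first reply mentions.

```python
"""
Added example (not from the Cisco community thread, not ISE code):
a model of
  1. the CAP step: identity = certificate Subject Common Name (CN),
     no LDAP bind and no binary comparison of the certificate;
  2. the AuthZ step: the equivalent of
       <LDAP_ID_Source>:ExternalGroups EQUALS <LDAP_Group>
The directory and certificate subjects below are constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for an LDAP directory: sAMAccountName -> attributes.
SAMPLE_DIRECTORY: Dict[str, dict] = {
    "alice": {"enabled": True,  "memberOf": ["CN=BYOD-Users,OU=Groups,DC=example,DC=com"]},
    "bob":   {"enabled": True,  "memberOf": ["CN=Contractors,OU=Groups,DC=example,DC=com"]},
    "carol": {"enabled": False, "memberOf": ["CN=Inactive,OU=Groups,DC=example,DC=com"]},
}

# Constructed group DN that the authorization rule requires.
REQUIRED_GROUP = "CN=BYOD-Users,OU=Groups,DC=example,DC=com"


def parse_subject(subject: str) -> Dict[str, str]:
    """Split an RFC 4514-style subject string ("CN=alice,OU=BYOD,O=Example")
    into a dict keyed by attribute type. A backslash-escaped comma inside a
    value (e.g. "CN=Smith\\, John") is kept as part of the value."""
    parts: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in subject:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))

    rdns: Dict[str, str] = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            rdns[key.strip().upper()] = value.strip()
    return rdns


def cap_identity(subject: str) -> Optional[str]:
    """CAP step: the identity is taken from the Subject CN. Nothing is sent
    to LDAP here, which is why the thread's questioner could not verify the
    user at the authentication stage."""
    return parse_subject(subject).get("CN")


def authorize(subject: str,
              directory: Dict[str, dict] = SAMPLE_DIRECTORY,
              required_group: str = REQUIRED_GROUP) -> Tuple[bool, str]:
    """AuthZ step: look the CAP identity up in the directory and require
    membership of required_group. Returns (permit, reason)."""
    identity = cap_identity(subject)
    if identity is None:
        return False, "no CN in certificate subject"
    entry = directory.get(identity.lower())
    if entry is None:
        return False, f"{identity}: not found in directory"
    if not entry["enabled"]:
        return False, f"{identity}: account disabled"
    groups = {g.lower() for g in entry["memberOf"]}
    if required_group.lower() not in groups:
        return False, f"{identity}: not a member of {required_group}"
    return True, f"{identity}: authorized via {required_group}"


if __name__ == "__main__":
    for subj in ("CN=alice,OU=BYOD,O=Example",
                 "CN=bob,OU=BYOD,O=Example",
                 "CN=carol,OU=BYOD,O=Example",
                 "CN=mallory,OU=BYOD,O=Example",
                 "OU=BYOD,O=Example"):
        permit, reason = authorize(subj)
        print(f"{'PERMIT' if permit else 'DENY  '}  {subj:32}  {reason}")
```

The point the model makes explicit is that the certificate's own validity (signature, expiry, binary comparison) is settled before `authorize` runs; what the authorization rule adds is the check that the CN still resolves to a live account in the required group, so removing a user from that group, or disabling the account, denies access even though their BYOD certificate is still valid.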
