1461 Views, 0 Helpful, 3 Replies

ISE Certificate Authority Certificate

descalante2007
Level 1

I'm confused about the certificates:

Some weeks ago a certificate was installed in the ISE to avoid the browser certificate error when the customer accesses the sponsor portal ...

Now, the customer is requesting to authenticate the sponsor users through LDAPS ... I understand Active Directory or LDAP as External Identity Sources are not secure. So, in order to enable LDAPS we must check the Secure Authentication box in the LDAP configuration, but a ROOT CA must be chosen also.

I understand the ISE should validate the customer PKI in order to validate the user certificate ... Am I right?

Do I need to request the customer to provide me the "Certificate Authority Certificate" from its PKI?

Is it a file completely different from the certificate already loaded in the ISE?

With this certificate, would the ISE validate the user's computer certificate in addition to user and password?

Would the user have to use a computer with a certificate in order to access the sponsor portal?

Thanks in advance.

Regards

Daniel Escalante.

3 Replies

Marcin Latosiewicz
Cisco Employee

Daniel,

LDAPS is a connection using SSL over a special port, much like your session to your bank (for example) over HTTPS.

Your browser and/or operating system already has a set of trusted root certificates it can trust.

ISE however does not "know" the certificate authority signing the certificate the LDAP server will present during the SSL exchange. A way for ISE to be able to validate it and know it is to import the signing certificate and reference it in the configuration, thus trusting the certificate presented in the LDAP over SSL exchange.

This "root" certificate is only used in this exchange.

Does that make sense?

M.
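As an added example (not code from this thread, from Cisco, or from ISE itself), the following shell script builds a throwaway "customer" root CA and an LDAPS server certificate with openssl, then runs the two checks ISE performs once Secure Authentication is on and a Root CA is chosen: chain the certificate the LDAP server presents to that CA, and match the server name. The CA names, the hostname ldap.example.local and all key material are constructed on the fly; no LDAP server is contacted. The same certificate is then checked against an unrelated CA and against the wrong hostname to show why the signing CA, and not the sponsor-portal certificate, is what has to be imported.

```shell
#!/bin/sh
# Added example: offline demonstration of the trust check behind the
# "Root CA" drop-down in the ISE LDAP connection settings.  Everything
# under $WORK (CAs, server cert, hostname) is constructed for the demo.
set -u

WORK="$(mktemp -d)"
LDAP_HOST="ldap.example.local"   # constructed name of the AD/LDAP server

# make_ca NAME CN: self-signed CA (CA:TRUE) written to $WORK/NAME.key / .pem
make_ca() {
    name="$1"; cn="$2"
    cat > "$WORK/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = $cn
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/$name.cnf" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
}

# make_server_cert CA HOST: leaf certificate for HOST, signed by $WORK/CA.pem,
# carrying the SAN and serverAuth EKU an LDAPS server certificate needs.
make_server_cert() {
    ca="$1"; host="$2"
    cat > "$WORK/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
EOF
    cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/server.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -days 1 \
        -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null
}

# verify_server TRUSTED_CA HOST: what ISE does with the certificate the LDAP
# server presents: chain it to the chosen Root CA and match the hostname.
# Returns 0 when the certificate would be accepted, non-zero otherwise.
verify_server() {
    openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$2" \
        "$WORK/server.pem" >/dev/null 2>&1
}

report() {
    if verify_server "$1" "$2"; then
        echo "ACCEPT  trusted CA=$1  host=$2"
    else
        echo "REJECT  trusted CA=$1  host=$2"
    fi
}

# Two CAs: the customer's PKI (signs the LDAP server cert) and an unrelated one.
make_ca customer_root "Customer Root CA (constructed)"
make_ca other_root    "Unrelated Root CA (constructed)"
make_server_cert customer_root "$LDAP_HOST"

report customer_root "$LDAP_HOST"        # right CA, right name: accepted
report other_root    "$LDAP_HOST"        # CA not in trust store: rejected
report customer_root "wrong.example.local"  # name mismatch: rejected
```

The only file that makes the first check pass is customer_root.pem, the certificate of the CA that signed the LDAP server's certificate; the certificate ISE already serves to browsers on the sponsor portal plays no part in it. Requires openssl 1.1.0 or newer for the `-verify_hostname` option.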

Thank you for your reply, but I'm still confused.

I think to access the SPONSOR Portal, the client's browser uses https to talk with the ISE. But the ISE uses LDAP (UNSECURE) to consult the AD or LDAP External Identity Source ... Am I right?

If yes, my question is how can I secure this communication?

The certificate already installed in the ISE is used only to allow the client (user) to authenticate the ISE itself, but the ISE should authenticate the AD/LDAP server and/or vice versa ... or the communication between ISE and AD/LDAP should be encrypted ...

Using your words, does my reasoning make sense?

Regards.

Saurav Lodh
Level 7

Please follow the "Secure Authentication" entry in the table below (highlighted).

Go to > LDAP Connection Settings

The table below lists the fields in the LDAP Connection tab and their descriptions.

Table: LDAP Connection Tab (Option / Description)

Enable Secondary Server
    Check this option to enable the secondary LDAP server to be used as a backup in the event that the primary LDAP server fails. If you check this check box, you must enter configuration parameters for the secondary LDAP server.

Primary and Secondary Servers

    Hostname/IP
        (Required) Enter the IP address or DNS name of the machine that is running the LDAP software. The hostname can contain from 1 to 256 characters or a valid IP address expressed as a string. The only valid characters for hostnames are alphanumeric characters (a to z, A to Z, 0 to 9), the dot (.), and the hyphen (-).

    Port
        (Required) Enter the TCP/IP port number on which the LDAP server is listening. Valid values are from 1 to 65,535. The default is 389, as stated in the LDAP specification. If you do not know the port number, you can find this information from the LDAP server administrator.

    Access
        (Required) Anonymous Access: Click to ensure that searches on the LDAP directory occur anonymously. The server does not distinguish who the client is and will allow the client read access to any data that is configured as accessible to any unauthenticated client. In the absence of a specific policy permitting authentication information to be sent to a server, a client should use an anonymous connection.
        Authenticated Access: Click to ensure that searches on the LDAP directory occur with administrative credentials. If so, enter information for the Admin DN and Password fields.

    Admin DN
        Enter the DN of the administrator. The Admin DN is the LDAP account that permits searching of all required users under the User Directory Subtree and permits searching groups. If the administrator specified does not have permission to see the group name attribute in searches, group mapping fails for users who are authenticated by that LDAP.

    Password
        Enter the LDAP administrator account password.

    Secure Authentication
        Click to use SSL to encrypt communication between Cisco ISE and the primary LDAP server. Verify that the Port field contains the port number used for SSL on the LDAP server. If you enable this option, you must choose a root CA.

    Root CA
        Choose a trusted root certificate authority from the drop-down list box to enable secure authentication with a certificate.
        See the "Certificate Authority Certificates" section on page 12-17 and "Adding a Certificate Authority Certificate" section on page 12-19 for information on CA certificates.

    Server Timeout
        Enter the number of seconds that Cisco ISE waits for a response from the primary LDAP server before determining that the connection or authentication with that server has failed. Valid values are 1 to 300. The default is 10.

    Max. Admin Connections
        Enter the maximum number of concurrent connections (greater than 0) with LDAP administrator account permissions that can run for a specific LDAP configuration. These connections are used to search the directory for users and groups under the User Directory Subtree and the Group Directory Subtree. Valid values are 1 to 99. The default is 20.

    Test Bind to Server
        Click to test and ensure that the LDAP server details and credentials can successfully bind. If the test fails, edit your LDAP server details and retest.