
ISE Certificate-based authentication

john5
Level 1

Hi All,

 

I have a customer that needs to authenticate and authorize endpoints using some advanced certificate fields like extended key usage, organization unit and much more, without going to any other external identity source like AD, just from the certificate fields using EAP-TLS.

 

Is it possible? If yes, are the steps below the right way to do it, or is there a missing or wrong piece?

1- import the PKI CA certificate and intermediate certificates as trusted to ISE, and sign the ISE self-signed certificate from the CA.

2- create a CAP and do not specify any identity store.

3- create an authentication policy to match the endpoint certificate with the trusted chain.

4- create an authorization policy using fields from the certificate, like from organization unit X and department Y apply that authorization profile, and so on.


pan
Cisco Employee

For certificate-based authentication, the following options are available:

 

certification based.png

Hi pan,

 

So there is no way to authenticate and authorize them based on something like organization unit, department or other certificate fields, right?

Hi John,

Just to add on this.
You can use the cert attribute fields in the authentication policy to determine, let's say, if this certificate's issuer common name = X, then authenticate against this CAP (you can perform this by using the sub-rule option in the authentication policy).
In the CAP you don't need to specify an AD to look up against.
But the cert field specified in the CAP must exist in the certificate, otherwise it will fail, and it will also perform the checks that Paul mentioned in his reply.
Then in the authorization policy you can also use the cert fields to add an authorization profile with DACL, VLAN, ...
I attached this snapshot from my ISE config and it is working fine.

sample-1.PNG

Peter Koltl
Level 7

John,

 

OU or other field:

   not suitable to determine the identity, not suitable for authentication

   suitable for conditions in the authorization rules, so you can assign different results for different values

 

Just to expand on this. Don't confuse authentication and authorization. Each of them acts independently.

 

In the authentication phase, you use a certificate authentication profile (CAP) to tell ISE where to find the identity in the certificate. Usually the general SAN field setting is all you need, i.e. don't specify where in the SAN field. If you don't tie the CAP into AD there is no AD lookup in the authentication phase. All ISE is validating during authentication is:

 

  1. The cert is issued by a CA ISE trusts for client authentication.
  2. The cert is not expired.
  3. The cert is not revoked.

Once you move to authorization you have many options available to you. You can use information in the cert (OU, O, etc.) to provide different authorization results. You can also have ISE take the identity pulled during authentication and do an AD lookup for AD group attributes or any other AD attributes you have mapped into ISE.
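The split Peter describes, modelled as an added Go example (not ISE's code and not part of any post in this thread): a constructed CA and client certificate built with the standard library, an authentication step that accepts only a trusted issuer for client auth within its validity period and reads the identity from the SAN (the revocation check ISE also performs is assumed away), and a separate authorization step that picks a result from the OU. The CA name, SAN, OU values and profile names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// DemoChain builds a constructed CA plus one client cert (SAN = identity for the CAP, OU = authorization input).
func DemoChain(ou string) (*x509.CertPool, *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader) // demo data, so errors are ignored
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	nb, na := time.Now(), time.Now().Add(time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, Subject: pkix.Name{CommonName: "Customer Root CA"}, NotBefore: nb, NotAfter: na}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: nb, NotAfter: na,
		Subject:     pkix.Name{CommonName: "laptop01", OrganizationalUnit: []string{ou}},
		DNSNames:    []string{"laptop01.example.com"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	pool := x509.NewCertPool() // the CA imported into ISE as trusted for client auth
	pool.AddCert(ca)
	return pool, leaf
}
// Authenticate models the CAP phase: identity from the SAN; checks are trusted issuer (for
// client auth) and validity period. Revocation (CRL/OCSP), ISE's third check, is not modelled.
func Authenticate(roots *x509.CertPool, cert *x509.Certificate) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	if len(cert.DNSNames) == 0 { // the field the CAP points at must be present
		return "", errors.New("no SAN identity in certificate")
	}
	return cert.DNSNames[0], nil
}
// Authorize is the separate phase: certificate fields (OU here) pick the result.
func Authorize(cert *x509.Certificate) string {
	if ous := cert.Subject.OrganizationalUnit; len(ous) > 0 && ous[0] == "Finance" {
		return "FINANCE_VLAN"
	}
	return "DEFAULT_ACCESS"
}
```

A certificate from a CA that is not in the pool fails Authenticate whatever its OU says, which is the point of keeping the two phases apart.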