Solved: ISE certificate based authentication

raksec · ‎05-24-2019

Hi,

I have a customer who doesn’t have on-prem user directory and CA. They are very much interested in ISE. However, the challenge is to have dot1x authentication.

Can we use certificate based authentication for dot1x and configure ISE to act as a CA server and issue certificates to endpoints? I know that ISE issues the certs for BYOD only. But I think we can use certificate provisioning portal to manually download and install the certs to endpoints. So in this case, when the certificates are issued by ISE and dot1x is triggered, how can ISE validate the endpoint’s certificate?

P.S. Cucstomer doesn’t want to create local user database in ISE.

Thanks,

Rakesh Kumar

Jason Kunst · ‎05-24-2019

Recommendation would be to setup the ise certificate authority and authorization rules
This will require plus licensing minimum 100 to cover the use of the certificate portal. Unless of course you’re profiling devices as well

Very basic steps here
Step 1 setup CA
step 2 setup authorization rules
If EAP tls then Permit access
If mab then redirect to portal saying you need to be on boarded by an admin?
Step 3 use certificate provisioning portal (see admin guide) to generate certificates
Step 4 install on client and configure supplicant

View solution in original post

Jason Kunst · ‎05-24-2019

You can certainly do that with ISE. It would work.

How would you validate whose authenticating? One user would be initiating the every download since you aren’t able to authenticate the user using the portal?

What are they using for an identity source? Perhaps a proxy could be setup?

Seems like a lot of manual labor.

raksec · ‎05-24-2019

Hi Jason,

I have been posting a lot of questions these days and all are about the same customer. They have Jumpcloud, which is directory as a service in cloud. I checked with some folks and found that Jumpcloud is not supported/validated. Apart from that, they have G-Suite and JAMF for MAC users.

So if we have admin downloading all the certificates for all the endpoints, the distribution can be done using any other medium. Let's assume that is not a problem. Consider endpoints are having certificates then how ISE would validate them without having AD/LDAP/Local database?

Mike.Cifelli · ‎05-24-2019

Consider endpoints are having certificates then how ISE would validate them without having AD/LDAP/Local database?

As long as the internal ISE Chain is in your trusted store in ISE and you confirm they can be used for authentication then there should not be any problems there. ISE will actually maintain record of issued certificates and you can tweak the internal CA settings. The PSNs act as an OCSP responder for the internal ISE CA that will be used to verify. Also, if interested I am pretty sure you can use scep with the internal ISE CA.

HTH!

Jason Kunst · ‎05-24-2019

I don’t see how this is an issue if they’re not using user name validation and authorization policy. If they’re just validating that the certificate is good from its own internal certificate authority then why wouldn’t that work fine?

Jason Kunst · ‎05-24-2019

Is there anyway they could automate this with JAMF as an MDM EMM? These have their own CA sometimes as well. They might be able to authenticate to the cloud.

What about some sort of authentication proxy?

I would recommend trying out the certificate provisioning portal to see what’s going on so you understand. But pretty sure that it would work by generating generic certs per endpoint.

You really should think about

raksec · ‎05-24-2019

Jason, Mike,

What you guys are saying that makes sense. So how do we configure this? What's the recommended configuration in ISE to validate endpoint's certificates issued by ISE?

Jason Kunst · ‎05-24-2019

Recommendation would be to setup the ise certificate authority and authorization rules
This will require plus licensing minimum 100 to cover the use of the certificate portal. Unless of course you’re profiling devices as well

Very basic steps here
Step 1 setup CA
step 2 setup authorization rules
If EAP tls then Permit access
If mab then redirect to portal saying you need to be on boarded by an admin?
Step 3 use certificate provisioning portal (see admin guide) to generate certificates
Step 4 install on client and configure supplicant

raksec · ‎05-24-2019

So if I understood correctly then step 2 is doing certificate validation and authorizing users?

If they don't have certs then cert provisioning will be done by step 3 and 4? But how we can have different authorization policies for different set of users?

Mike.Cifelli · ‎05-24-2019

You have a variety of options. You just need to decide what conditions in ISE you want to utilize to accomplish both authentication & authorization. Examples:

Authentication policy conditions:
RadiusFlowType EQUALS wired8021x
NetworkAccess:EAPAuthentication EQUALS EAP-TLS

Authorization policy conditions:
CERTIFICATE:Subject Alt Name CONTAINS <your identifier>
NetworkAccess:AuthenticationMethod EQUALS x509_PKI
DEVICE Type EQUALS <your device type group/s>

I suggest playing in ISE with the conditions and/or reviewing guides. HTH!

raksec · ‎05-24-2019

Thanks Jason and Mike, that was helpful. Will try with different set of conditions.

Jason Kunst · ‎05-24-2019

Those are all the general steps
Per those steps You will need to look at the certificate provisioning portal in the admin guide to generate certs

Jason Kunst · ‎05-24-2019

You won’t be authenticating users unless again you connect to an external identity source through some sort of proxy or gateway

Our compatible integration points are listed in the ise comparability matrix

raksec · ‎05-24-2019

Yes Jason, you are right. We won't be able to authenticate users if we do not have a user directory (AD/Local). Using certificates also, ISE will be just able to validate the certs, not users. However, if customer agrees to this then we can have some sort of control on whether someone is having valid credentials. And having some certificate attributes in authorization conditions, ISE can apply different authorization policies to different set of users.

Jason Kunst · ‎05-24-2019

Right but you want have any user credentialed entered by the user. You would have to populate certificate attributes manually and key off the data in the certificate.