Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
3447
Views
0
Helpful
14
Replies

ISE certificate based authentication

Go to solution
raksec
Cisco Employee
Cisco Employee

‎05-24-2019 03:45 AM - edited ‎05-24-2019 03:46 AM

Hi,

 

I have a customer who doesn’t have on-prem user directory and CA. They are very much interested in ISE. However, the challenge is to have dot1x authentication.

 

Can we use certificate based authentication for dot1x and configure ISE to act as a CA server and issue certificates to endpoints? I know that ISE issues the certs for BYOD only. But I think we can use certificate provisioning portal to manually download and install the certs to endpoints. So in this case, when the certificates are issued by ISE and dot1x is triggered, how can ISE validate the endpoint’s certificate?

 

P.S. Cucstomer doesn’t want to create local user database in ISE.

 

Thanks,

Rakesh Kumar

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to raksec

‎05-24-2019 10:06 AM

Recommendation would be to setup the ise certificate authority and authorization rules
This will require plus licensing minimum 100 to cover the use of the certificate portal. Unless of course you’re profiling devices as well

Very basic steps here
Step 1 setup CA
step 2 setup authorization rules
If EAP tls then Permit access
If mab then redirect to portal saying you need to be on boarded by an admin?
Step 3 use certificate provisioning portal (see admin guide) to generate certificates
Step 4 install on client and configure supplicant

View solution in original post

0 Helpful
14 Replies 14

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎05-24-2019 04:51 AM

You can certainly do that with ISE. It would work.

How would you validate whose authenticating? One user would be initiating the every download since you aren’t able to authenticate the user using the portal?

What are they using for an identity source? Perhaps a proxy could be setup?

Seems like a lot of manual labor.
0 Helpful

Go to solution
raksec
Cisco Employee
Cisco Employee
In response to Jason Kunst

‎05-24-2019 05:01 AM

Hi Jason,

 

I have been posting a lot of questions these days and all are about the same customer. They have Jumpcloud, which is directory as a service in cloud. I checked with some folks and found that Jumpcloud is not supported/validated. Apart from that, they have G-Suite and JAMF for MAC users. 

 

So if we have admin downloading all the certificates for all the endpoints, the distribution can be done using any other medium. Let's assume that is not a problem. Consider endpoints are having certificates then how ISE would validate them without having AD/LDAP/Local database?

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to raksec

‎05-24-2019 05:19 AM

Consider endpoints are having certificates then how ISE would validate them without having AD/LDAP/Local database?

As long as the internal ISE Chain is in your trusted store in ISE and you confirm they can be used for authentication then there should not be any problems there. ISE will actually maintain record of issued certificates and you can tweak the internal CA settings. The PSNs act as an OCSP responder for the internal ISE CA that will be used to verify. Also, if interested I am pretty sure you can use scep with the internal ISE CA.

HTH!
0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Mike.Cifelli

‎05-24-2019 06:04 AM

I don’t see how this is an issue if they’re not using user name validation and authorization policy. If they’re just validating that the certificate is good from its own internal certificate authority then why wouldn’t that work fine?
0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to raksec

‎05-24-2019 05:22 AM

Is there anyway they could automate this with JAMF as an MDM EMM? These have their own CA sometimes as well. They might be able to authenticate to the cloud.

What about some sort of authentication proxy?

I would recommend trying out the certificate provisioning portal to see what’s going on so you understand. But pretty sure that it would work by generating generic certs per endpoint.

You really should think about
0 Helpful

Go to solution
raksec
Cisco Employee
Cisco Employee
In response to Jason Kunst

‎05-24-2019 09:47 AM

Jason, Mike,

 

What you guys are saying that makes sense. So how do we configure this? What's the recommended configuration in ISE to validate endpoint's certificates issued by ISE?

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to raksec

‎05-24-2019 10:06 AM

Recommendation would be to setup the ise certificate authority and authorization rules
This will require plus licensing minimum 100 to cover the use of the certificate portal. Unless of course you’re profiling devices as well

Very basic steps here
Step 1 setup CA
step 2 setup authorization rules
If EAP tls then Permit access
If mab then redirect to portal saying you need to be on boarded by an admin?
Step 3 use certificate provisioning portal (see admin guide) to generate certificates
Step 4 install on client and configure supplicant
0 Helpful

Go to solution
raksec
Cisco Employee
Cisco Employee
In response to Jason Kunst

‎05-24-2019 10:31 AM - edited ‎05-24-2019 10:54 AM

So if I understood correctly then step 2 is doing certificate validation and authorizing users? 

If they don't have certs then cert provisioning will be done by step 3 and 4? But how we can have different authorization policies for different set of users?

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to raksec

‎05-24-2019 10:45 AM

You have a variety of options. You just need to decide what conditions in ISE you want to utilize to accomplish both authentication & authorization. Examples:

Authentication policy conditions:
RadiusFlowType EQUALS wired8021x
NetworkAccess:EAPAuthentication EQUALS EAP-TLS

Authorization policy conditions:
CERTIFICATE:Subject Alt Name CONTAINS <your identifier>
NetworkAccess:AuthenticationMethod EQUALS x509_PKI
DEVICE Type EQUALS <your device type group/s>

I suggest playing in ISE with the conditions and/or reviewing guides. HTH!
0 Helpful

Go to solution
raksec
Cisco Employee
Cisco Employee
In response to Mike.Cifelli

‎05-24-2019 11:25 AM

Thanks Jason and Mike, that was helpful. Will try with different set of conditions.

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to raksec

‎05-24-2019 11:31 AM

Those are all the general steps
Per those steps You will need to look at the certificate provisioning portal in the admin guide to generate certs
0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to raksec

‎05-24-2019 11:32 AM

You won’t be authenticating users unless again you connect to an external identity source through some sort of proxy or gateway

Our compatible integration points are listed in the ise comparability matrix
0 Helpful

Go to solution
raksec
Cisco Employee
Cisco Employee
In response to Jason Kunst

‎05-24-2019 11:43 AM

Yes Jason, you are right. We won't be able to authenticate users if we do not have a user directory (AD/Local). Using certificates also, ISE will be just able to validate the certs, not users. However, if customer agrees to this then we can have some sort of control on whether someone is having valid credentials. And having some certificate attributes in authorization conditions, ISE can apply different authorization policies to different set of users.

 

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to raksec

‎05-24-2019 12:01 PM

Right but you want have any user credentialed entered by the user. You would have to populate certificate attributes manually and key off the data in the certificate.
0 Helpful
Top