ISE Certificate Local and Certificate Store Certificates

sqambera
Level 1

Hello,

I am fairly new to ISE and was reading the document in the link below to create understanding of "Local Certificates" and "Certificate Store Certificates". It seems that certificate in former is used to identify ISE on clients and later is used to identify clients on ISE.

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_e_man_cert.html#49868

Now, which part of the configuration in ISE tells it to check certificate presented by client into its Certificate Store? I am somehow mixing it up with "Certificate Authentication Profile" that is being used in Identity Source Sequence. But I guess Certificate Authentication Profile is used to verify certificates from an external identity source like AD or LDAP. So where do we bring into consideration "certificate store certificates" in our ISE configuration.

Thanks in advance for helping me out.

Regards,

Qamber 

8 Replies

nspasov
Cisco Employee

Hi Qamber-

The Server Certificate (ISE) can be used for:

1. HTTP/HTTPS - This is for the ISE web server that is used to host various portals (Guest, Sponsor, BYOD, My Devices, etc). This certificate is usually issued by a public certificate authority such as GoDaddy or VeriSign. A public CA is not required, but clients outside your environment that do not trust the CA that issued the certificate will get an HTTPS error warning the users that the certificate could not be verified.

2. EAP - This is for EAP based authentications (EAP-TLS, EAP-PEAP, EAP-PEAP-TLS, etc). This certificate is usually issued by an internal Certificate Authority. The same certificate authority usually issues user and/or machine based certificates that can be used for EAP-TLS type authentications. 

The Certificate Store is used to store the root and intermediate certificates of Certificate Authorities that you want ISE to trust. For instance, if a computer is performing a machine authentication then ISE will need to trust the Certificate Authority that signed/issued the machine certificate. Consequently, the machine will also have to trust the Certificate Authority that issued/signed the ISE server certificate that you coupled to the EAP process.

The Certificate Authentication Profile is required if you want to use certificate based authentications. The CAP instructs ISE which attribute from the certificate should be used for the username. Then based on that information you can create more specific authorization profiles/rules. You can also configure CAP to perform a binary certificate comparison with AD and confirm whether or not the certificate is/was published to AD.

I hope this helps! 

Thank you for rating helpful posts! 
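The two steps described in the reply above, as an added example that is not from this thread or from Cisco: it assumes the Python `cryptography` package and builds its own throwaway CA and machine certificates (constructed, with made-up names), where `trusted_by_store` plays the role of ISE's Certificate Store check on a client certificate and `cap_identity` the CAP's attribute lookup for the username.

```python
# Added example (not from the thread or Cisco): what ISE's Certificate Store check and a CAP do.
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject_cn, subject_key, issuer_cn, issuer_key, ca=False, dns=None):
    """Build a cert signed by issuer_key; subject == issuer with ca=True gives a root CA."""
    now = dt.datetime.utcnow()  # naive UTC, matching the cert validity fields
    b = (x509.CertificateBuilder()
         .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
         .public_key(subject_key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - dt.timedelta(minutes=5))
         .not_valid_after(now + dt.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if dns:  # machine certs carry the host FQDN in the SAN
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(dns)]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def trusted_by_store(cert, store):
    """Certificate Store check: a trusted CA whose subject matches the cert's issuer
    must verify the signature over the TBS bytes, and the cert must be in date."""
    for ca in store:
        if ca.subject != cert.issuer:
            continue
        try:
            ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            continue
        return cert.not_valid_before <= dt.datetime.utcnow() <= cert.not_valid_after
    return False  # no trusted issuer: EAP-TLS fails whatever name the cert carries

def cap_identity(cert, attribute):
    """CAP step: take the username from a certificate field ('CN' or 'SAN-DNS')."""
    if attribute == "CN":
        return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
    return san.value.get_values_for_type(x509.DNSName)[0]

# Constructed PKI: only the corporate CA is imported into ISE's Certificate Store.
corp_key, other_key, pc_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
CORP_CA = issue("Corp Root CA", corp_key, "Corp Root CA", corp_key, ca=True)
PC_CERT = issue("PC01", pc_key, "Corp Root CA", corp_key, dns="pc01.corp.example")
UNTRUSTED_PC = issue("PC01", pc_key, "Other CA", other_key, dns="pc01.corp.example")
ISE_STORE = [CORP_CA]
```

The same check runs in the other direction on the client for PEAP: the supplicant's own store must contain the CA that issued the ISE EAP certificate, or the tunnel is never built.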

Hi Neno,

Many Thanks. Very helpful answer indeed.

So would it be correct if for example I say that a user is trying to get authentication through ISE based on username and password. Now when the user machine contacts the ISE for authentication, ISE will first check its certificate store whether it has the root certificate of the CA that issued the certificate to the machine. This is just to make sure that communication between machine and ISE is secure. Is that right?

Whereas in case of CAP, ISE will look into the external identity source defined in the CAP to verify the certificate that has been presented by the client in order to compare it with the certificate in the external identity source. Probably this is called certificate based authentication, isn't it?

Thanks again,

Qamber

Hi Qamber and sorry for the delayed reply but I have been busy. In your first example, you were referring to EAP-PEAP. When performing PEAP, only a server certificate is needed. The certificate on the server is needed to build the encrypted tunnel where an inner method (for instance MS-CHAPv2) can be used to pass the actual credentials. In this situation, the client is the one that needs to trust the CA that issued the ISE server certificate. If the client does not trust that CA the creation of the EAP tunnel will fail.

On the other hand, CAP is utilized for EAP-TLS where both server and client side certificates are used. 

Have a look at the following documents and YouTube video and let me know if you still need something clarified:

https://www.youtube.com/watch?v=pPfwemHBblk

https://support.microsoft.com/en-us/kb/814394

Thank you for rating helpful posts! 

Many Thanks Neno. Wonderful answers.

You are welcome! Glad I could help :) 

Best regards!

Since you are answering my questions absolutely fantastically, I'll be bothering you with a few additional questions :). Sorry about that:

1. I am actually not good at Microsoft. So I am wondering about the client certificates that are used in TLS. I have read that certificates are generated by a machine and then signed by a CA and then installed on the machine that generated it. So in case of several Windows clients that are part of a domain and use TLS, how do they get certificates for themselves? Does AD play any role?

2. In one of your responses while talking about the Certificate Authentication Profile (CAP) in ISE, you mentioned that "The CAP instructs ISE which attribute from the certificate should be used for the username". Now for example CAP is configured with the Identity Store AD. As far as I know, the AD has information of username coupled with password. So what does AD actually do when CAP sends that attribute to it? Does AD have any information other than the username and password of the client?

3. My last question is about EAP Chaining, which says it is used to authenticate both the machine and the user. So what's meant by machine authentication? Like if we are using AD for authentication, which again I assume has only username and password information in it, what does it do in case of EAP chaining? Does machine authentication have anything to do with certificates?

Thanks a lot for taking time to help me out.

Regards,

Qamber

No problem. I will try to answer as much as I can :)

#1:

So, a CSR (Certificate Signing Request) is needed before a machine and/or a user can get a certificate. The CSR is then submitted to the issuing Certificate Authority. Once the issuing CA issues the certificate it can then be taken/given to the user/machine. This whole process can be manual or automated if the machine/user are part of AD. AD, via GPO and Auto Enrollment, can automate this process. If the machine/user is not part of AD and/or is a device that cannot be part of AD (OSX, Android, etc) then this process becomes manual unless you use another tool to provision those devices with a certificate. Such a tool can be ISE and its Native Supplicant Provisioning capabilities or an MDM (Mobile Device Management) solution such as MobileIron, AirWatch, etc.

#2:

With EAP-TLS the Certificate Authentication Profile is the identity store and not AD :) It is the client certificate that ISE will use to authenticate the machine/user. Have a look at the following link that explains EAP-TLS deployment:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml

#3:

Your domain machine also has domain credentials (username and password) similar to how a domain user would. You can go to your AD, find a computer account and right click on it and you will see that you can disable it (the same way you would disable a user account). By default, the Windows Native Supplicant can perform either Machine or User authentication but not both. If you want to perform both (confirm that the user is a domain user and that the machine is a domain machine) then you will have to use EAP-Chaining, which is dependent on using the AnyConnect supplicant instead of the Windows Native Supplicant.

I hope this helps! 

Thanks a lot Neno. Superb explanation.
