ISE Deployment

henokk601
Level 2

For my ISE deployment, I want to use certificate-based authentication for all my Windows machines. By default, certificate-based authentication does not check the certificate against Active Directory, or require credentials from the user. This essentially means that no groups are returned as part of the authentication request. What can I do so that the user is authorized based on Active Directory group membership?

2 Accepted Solutions

Arne Bier
VIP

Hi @henokk601 

In EAP-TLS authentication you create a CAP (Certificate Authentication Profile) and this determines what ISE will do with the client cert that is presented by the supplicant (Windows PS in your case).  

You can do things like extract the Subject CN (Common Name) from the client cert and then have it looked up in AD to see whether that AD Account is active/exists etc.  Furthermore, when you do that, you can then use the AD Groups and Attributes returned from the AD lookup in your ISE Authorization Profiles to check whether that AD Account is a member of xyz Security Group or whatever else you want to check.

Hope that helps
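As an added example (not from either reply), here is a PowerShell check you can run on a domain-joined Windows machine before rolling out the policy: it takes the Subject CN from the machine's client-authentication certificate, looks it up in AD the way a CAP mapped to "Subject - Common Name" would, and reports whether the computer object exists, is enabled, and is in the expected group. The group name is a placeholder, the `host/` prefix handling is an assumption about your CA's template, and the RSAT ActiveDirectory module must be installed.

```powershell
# Added example: confirm that this machine's EAP-TLS client certificate has a
# Subject CN that resolves to an AD computer object and that the object is in
# the group the ISE authorization policy checks.
# Assumptions: the ISE CAP maps "Subject - Common Name" to AD, and the group
# name below is a placeholder for your own security group.
Import-Module ActiveDirectory -ErrorAction Stop

$ExpectedGroup = 'ISE-Allowed-Computers'   # placeholder group name

# Client Authentication EKU; ISE needs this on an EAP-TLS client certificate.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid) }

if (-not $certs) {
    Write-Warning 'No valid machine certificate with the Client Authentication EKU was found.'
    return
}

foreach ($cert in $certs) {
    # Subject CN as ISE would extract it for the CAP lookup.
    $cn = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    # Some CA templates prefix the FQDN with "host/"; strip it if present (assumption).
    $fqdn = $cn -replace '^host/', ''

    # Look the FQDN up as the CAP would: the computer object by DNS host name.
    $comp = Get-ADComputer -Filter "DNSHostName -eq '$fqdn'" -Properties MemberOf, Enabled
    if (-not $comp) {
        Write-Warning "$($cert.Thumbprint): CN '$cn' matches no AD computer object, so ISE would return no groups."
        continue
    }
    if (-not $comp.Enabled) {
        Write-Warning "$($cert.Thumbprint): AD computer '$($comp.Name)' is disabled."
        continue
    }
    # MemberOf holds distinguished names of DIRECT memberships only; compare on the group CN.
    $groups = $comp.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }
    if ($groups -contains $ExpectedGroup) {
        Write-Output "$($cert.Thumbprint): '$cn' -> $($comp.Name) is in $ExpectedGroup; the authorization rule would match."
    } else {
        Write-Warning "$($cert.Thumbprint): '$cn' -> $($comp.Name) is NOT in $ExpectedGroup. Direct groups: $($groups -join ', ')"
    }
}
```

Nested group membership is not visible through MemberOf, so a computer that reaches the group only through another group will be reported as missing here even though ISE's AD lookup may still match it.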

Mike.Cifelli
VIP Alumni

It sounds like you are trying to authenticate just your computers via EAP-TLS and utilize AD sec groups to push Authz policy.  However, if you intend on incorporating auth for both users and computers you will need to focus efforts on using NAM for EAP chaining.  IMO using the native supplicant is typically easier to use and manage.  If you are simply doing computer auth only, focus on what @Arne Bier mentioned as he shared valuable comments.  Also, keep in mind that you can deploy native supplicant configuration via GPOs.  Good luck!