ISE - Identify Realm from EAP-TLS header

rshehov
Cisco Employee

Hi all,

I hope everyone is doing great.

I was wondering if I can get help regarding ISE and proxy authentication. Is it possible for ISE to identify the realm in the EAP-TLS header in order to decide where to send the request for authentication? If this is possible, could I get an explanation of how to do it?

Additional info:

The authentication will be via machine auth, with certificates on the PCs. We are ideally looking for ISE to identify the realm from the EAP-TLS outer header information, and via some sort of lookup logic then proxy the EAP request to a particular back-end RADIUS server (likely to be Microsoft NPS in front of AD) in the appropriate tenant's network. The aim here is for the EAP session not to terminate on ISE but to be carried through to the back-end RADIUS server.

Many thanks for your input in advance.

Regards

Ross

paul
Level 10

There is no actual authentication against an external identity when doing EAP-TLS. ISE will validate that the certificate is from a trusted CA that has trust for client authentication enabled, and validate that the certificate is not revoked, assuming you have CRL/OCSP properly configured.

What you can do in the authentication phase is have ISE extract the identity from the cert and check to see if the identity is a valid AD account, but this is not authentication. There is no computer password being passed like with PEAP. The check there is done via AD joins, so your ISE deployment would have to be joined to each tenant's AD environment. You would have a different certificate authentication profile (CAP) for each tenant that references their AD connection. Then you can use certificate attributes to determine which CAP to use.

If you don't do AD checks during the authentication phase, you could do checks in the authorization phase, possibly using LDAP connections if you don't want to join the ISE deployment to the tenants' AD environment.

There may be other options, but someone will correct me if I missed any.
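As an added example (not from either post, and not ISE's or NPS's own logic): the only identity a RADIUS proxy can see before the EAP-TLS handshake starts is the EAP-Response/Identity (and the User-Name attribute) in the Access-Request, which is the "outer" identity the original question refers to. The code below parses a constructed Access-Request, reassembles the EAP packet from one or more EAP-Message attributes (RFC 3579 fragments it at 253 bytes), derives an NAI-style realm and looks up a tenant back end. The tenant table, the `nps1.*` hostnames, and the `host/fqdn` and `name@realm` identity conventions are assumptions; the realm you would key on depends on what your supplicants actually send.

```python
"""Derive a routing realm from the outer identity in a RADIUS Access-Request,
as a proxy would before forwarding to a tenant's back-end RADIUS server.
Added example for illustration; not ISE code."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# Constructed tenant table: realm -> back-end RADIUS server (hypothetical names).
TENANT_BACKENDS: Dict[str, Tuple[str, int]] = {
    "tenant-a.example": ("nps1.tenant-a.example", 1812),
    "tenant-b.example": ("nps1.tenant-b.example", 1812),
}


@dataclass
class AccessRequest:
    ident: int
    user_name: Optional[str]
    eap: bytes  # reassembled EAP packet (may be empty)


def parse_attributes(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk the RADIUS attribute TLVs (RFC 2865 s.5): type(1) length(1) value."""
    attrs = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def parse_access_request(packet: bytes) -> AccessRequest:
    """Check the 20-byte header, then collect User-Name and EAP-Message parts."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_ACCESS_REQUEST:
        raise ValueError(f"not an Access-Request (code {code})")
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    user_name = None
    eap_parts: List[bytes] = []
    for atype, value in parse_attributes(packet[20:length]):
        if atype == ATTR_USER_NAME:
            user_name = value.decode("utf-8", "replace")
        elif atype == ATTR_EAP_MESSAGE:
            eap_parts.append(value)  # one EAP packet may span several attributes
    return AccessRequest(ident, user_name, b"".join(eap_parts))


def eap_identity(eap: bytes) -> Optional[str]:
    """Return the identity from an EAP-Response/Identity packet, else None."""
    if len(eap) < 5:
        return None
    code, _ident, length, etype = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE or etype != EAP_TYPE_IDENTITY or length != len(eap):
        return None
    return eap[5:length].decode("utf-8", "replace")


def realm_of(identity: str) -> Optional[str]:
    """NAI realm (RFC 7542): text after the last '@'. For machine identities
    written as host/fqdn, take the DNS suffix after the host label.
    (Assumed conventions; adjust to what your supplicants send.)"""
    if "@" in identity:
        return identity.rsplit("@", 1)[1].lower() or None
    if identity.startswith("host/"):
        fqdn = identity[len("host/"):]
        return fqdn.split(".", 1)[1].lower() if "." in fqdn else None
    return None


def route(packet: bytes) -> Tuple[Optional[str], Optional[Tuple[str, int]]]:
    """Prefer the EAP-Response/Identity; fall back to User-Name."""
    req = parse_access_request(packet)
    identity = eap_identity(req.eap) or req.user_name
    if not identity:
        return None, None
    realm = realm_of(identity)
    return realm, (TENANT_BACKENDS.get(realm) if realm else None)


def build_access_request(identity: str, ident: int = 1, chunk: int = 253) -> bytes:
    """Constructed Access-Request with User-Name and an EAP-Response/Identity
    split across EAP-Message attributes every `chunk` bytes (test data only)."""
    name = identity.encode()
    eap = struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(name), EAP_TYPE_IDENTITY) + name
    attrs = bytearray(bytes([ATTR_USER_NAME, 2 + len(name)]) + name)
    for i in range(0, len(eap), chunk):
        part = eap[i:i + chunk]
        attrs += bytes([ATTR_EAP_MESSAGE, 2 + len(part)]) + part
    authenticator = bytes(16)  # zeroed Request Authenticator; parsing demo only
    return struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + bytes(attrs)


if __name__ == "__main__":
    for who in ("host/pc01.tenant-a.example", "pc02$@tenant-b.example", "anonymous"):
        print(who, "->", route(build_access_request(who)))
```

Note what this does not give you: once the identity exchange is over, the EAP-TLS payload is a TLS handshake, and the client certificate inside it is only available to whichever server terminates the TLS session. A proxy that forwards on the outer identity never sees the certificate, which is why the reply above says the certificate-based checks (and the per-tenant CAP selection) happen on the ISE node that terminates EAP-TLS.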