cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

191
Views
0
Helpful
1
Replies
rshehov
Cisco Employee

ISE - Identify Realm from EAP-TLS header

Hi all,

 

I hope everyone is doing great. 

 

I was wondering if I can get help in regards of ISE and Proxy authentication. Is it possible ISE to identify the realm in EAP-TLS header in order to decide where to sent the request for authentication ? If this is possible could I get explanation on how to do it ? 

 

Additional info: 

 

The authentication will be via machine auth, with certificates on the PCs. We are ideally looking for ISE to identify the realm from the EAP-TLS outer header information, and via some sort of lookup logic then proxy the EAP request to a particular back-end RADIUS server (likely to be Microsoft NPS in front of AD) in the appropriate tenant’s network. The aim here is for the EAP session not to terminate on ISE but to be carried through to the back-end RADIUS server. "

 

Many thanks for your input in advance.

 

Regards

 

Ross

 

 

1 REPLY 1
paul
Advocate

There is no actual authentication against an external identity when doing EAP-TLS.  ISE will validate the certificate is from a trusted CA that has trust for client authentication enabled and validate the certificate is not revoked assuming you have CRL/OCSP properly configured. 

 

What you can do in the authentication phase is have ISE extract the identity from the cert and check to see if the identity is a valid AD account, but this is not authentication.  There is no computer password being passed like with PEAP.  The check there is done via AD joins so your ISE deployment would have to be joined to each tenants' AD environment.  You would have a different certificate authentication profile (CAP) for each tenant that references their AD connection.  Then you can use certificate attributes to determine which CAP to use.

 

If you don't do AD checks during the authentication phase you could do checks in the authorization phase possible using LDAP connections if you don't want to join the ISE deployment to the tenants' AD environment. 

 

There may be other options, but someone will correct me if I missed any.

Create
Recognize Your Peers
Polls
Which of these topics should we host an event in the Community?

Top Choice: ISE Demo (50%)

Content for Community-Ad

ISE Webinars



Did you miss a previous ISE webinar?

CiscoISE YouTube Channel