10-31-2013 10:54 AM - edited 03-10-2019 09:03 PM
Hi,
Is it possible to bind a certificate to a computer, so that it is the identity of one device only, like a MAC address?
If it is not possible, then can anyone tell me what the difference is between user or certificate based authentication, except the encryption capability? Because someone can export his computer certificate and install it onto any other computer, and can then plug that PC into the network even if that PC is not authorized. So where is the security?
My other point is when a staff member owns a single user ID, but he can use that single user ID to access the network from multiple devices simultaneously. My question is why does Cisco ISE allow this? I must have at least the capability to not allow multiple simultaneous connections using a single ID.
Any comments?
10-31-2013 12:19 PM
Imran,
Two things,
One, a MAC address can easily be spoofed; it's not really a proper means to uniquely identify a machine.
Second, exporting a certificate is indeed not a problem, but the certificate on itself only gives you information about the public key, not the private one. If you want to make full use of the certificate you need to also export the private key.
I do not believe there is a feature in place to limit logins per account (with the exception of guest users).
However, my information might not be up to date; feel free to verify with the TAC folks or your SE.
M.
10-31-2013 09:29 PM
Hi,
If you are using AD GPO for certificate auto-enrollment, there is an option to NOT allow exportable private keys. If you think your template is incorrect, then you will have to come up with a way to securely and safely issue the certificates that will not allow the private keys to be exported.
Thanks,
Tarik Admani
Edited: from "now" to "NOT". Sorry for the confusion.
Tarik Admani
*Please rate helpful posts*
Message was edited by: Tarik Admani
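The non-exportable template setting Tarik describes can be verified on an enrolled machine. The script below is an added example, not code from the thread or from Cisco; it assumes Windows PowerShell with the `Cert:` provider and inspects only RSA keys (CNG and legacy CSP), reporting each machine certificate whose private key is still marked exportable.

```powershell
# Added example (not from the thread): audit the local machine store for
# certificates whose private key is marked exportable, i.e. the property a
# non-exportable auto-enrollment template is meant to prevent.
# Assumes Windows PowerShell 5.1 / .NET Framework; only RSA keys are inspected.
function Get-ExportableKeyReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert       = $_
        $exportable = $null      # stays $null when the key cannot be inspected
        $keyType    = 'unknown'
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: the export policy lives on the key object itself
                $keyType  = 'CNG'
                $allowed  = [System.Security.Cryptography.CngExportPolicies]::AllowExport -bor
                            [System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport
                $exportable = ([int]$rsa.Key.ExportPolicy -band [int]$allowed) -ne 0
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CSP key: the container info carries the exportable flag
                $keyType    = 'CSP'
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            }
        } catch {
            # Key not accessible to this user (e.g. not elevated): reported as unknown
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            KeyType    = $keyType
            Exportable = $exportable
        }
    }
}

# Usage: list only the certificates that need re-issuing from a corrected template
Get-ExportableKeyReport | Where-Object { $_.Exportable -eq $true } | Format-Table -AutoSize
```

Run it elevated so the machine keys are readable; a row with `Exportable` equal to `True` is a certificate that was issued before the template was fixed and should be replaced.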
10-31-2013 11:56 PM
Thanks for your comments
11-01-2013 04:43 PM
We do not recommend exporting the private key associated with a certificate because its value may be exposed. If you must export a private key, specify an encryption password for the private key. You will need to specify this password while importing this certificate into another Cisco ISE server to decrypt the private key.
Cisco ISE allows for a wide range of variables within authorization policies to ensure that only authorized users can access the appropriate resources when they access the network. The initial release of Cisco ISE supports only RADIUS-governed access to the internal network and its resources.
So, I hope both the points are restrictable by ISE.