08-01-2018 04:50 PM
Hi Folks,
We are working for a customer on an ISE POC, standalone node running 2.3. Basically the use case is: if the customer copies the certificate from their machine and installs it on a different machine, ISE should reject/prevent authentication for the new machine or generate some kind of alert saying the certificate is duplicated or copied. Can we demo this test case?
Any help here?
08-01-2018 07:18 PM
If you are able to successfully export the private key of a user's certificate, then you have a security issue. Client based certificates should always be made to be non-exportable.
If you have a situation where this is not done then you have shot yourself in the foot, because ISE will not, and cannot, tell the difference between client A sending cert X and client B sending cert X. Unless of course you're clever enough to include something like a MAC address in the SAN. But then client B could clone client A's MAC address ... so that's not foolproof either.
The point is: the private key is supposed to reside on one client machine, and one client machine only. If you prevent this from leaking out then you have a proper solution.
Thanks everyone. Yeah, we have told the customer the same thing; anyhow they won't do this in production, but the test case has been written by their red team to see how the NAC server prevents such a scenario in case something similar happened.
08-01-2018 09:13 PM - edited 08-01-2018 09:14 PM
At a technical level, there is nothing that can be done to detect or prevent this. It doesn't matter which vendor's RADIUS server is used. The "cloned" cert is an identical copy and is indistinguishable from the "original". So you would need to invent some clever policy to try and tell them apart (this is why I mentioned baking the MAC address into the Subject CN (not the SAN ... my bad)) - if you had the MAC address in the Subject CN then the rogue client's MAC address would differ and ISE could catch this by comparing Calling-Station-Id with the cert Subject CN. But any clever hacker would clone the MAC address anyway. So it's a futile effort.
There is no 100% reliable way to detect this situation. In my opinion it's not a valid test case - but I stand to be corrected.
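The Subject-CN-versus-Calling-Station-Id comparison described in the reply above, written out as a small policy check. This is an added example and not Cisco ISE code or anything posted in the thread; the Subject string layout, the MAC spellings accepted, and the sample sessions are all constructed assumptions. It also shows the limitation the reply points out: a second machine that clones the MAC address passes the check.

```python
"""Added example (not from the thread): a policy check that compares the MAC
address carried in a client certificate's Subject CN against the RADIUS
Calling-Station-Id of the session. Sample values are constructed."""
import re
from dataclasses import dataclass
from typing import Optional


def normalize_mac(value: str) -> Optional[str]:
    """Return a MAC as 12 lowercase hex digits, accepting the usual spellings
    seen in RADIUS attributes (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF,
    aabb.ccdd.eeff, aabbccddeeff). Returns None if the value is not a MAC."""
    hexdigits = re.sub(r"[:\-.]", "", value.strip()).lower()
    if re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        return hexdigits
    return None


def mac_from_subject(subject: str) -> Optional[str]:
    """Extract the MAC from a certificate Subject such as
    'CN=00-11-22-33-44-55,OU=Laptops,O=Example' (assumed layout: the CN
    holds the device MAC, as the reply suggests). Only the CN is consulted."""
    match = re.search(r"(?:^|,)\s*CN=([^,]+)", subject, re.IGNORECASE)
    if not match:
        return None
    return normalize_mac(match.group(1))


@dataclass
class Verdict:
    accept: bool
    reason: str


def evaluate(subject: str, calling_station_id: str) -> Verdict:
    """Decide whether the session may proceed. The cert is treated as bound
    to the MAC in its CN; a session from another MAC is flagged as a
    possible copied certificate."""
    cert_mac = mac_from_subject(subject)
    if cert_mac is None:
        return Verdict(False, "subject CN does not contain a MAC address")
    session_mac = normalize_mac(calling_station_id)
    if session_mac is None:
        return Verdict(False, "Calling-Station-Id is not a MAC address")
    if cert_mac != session_mac:
        return Verdict(
            False,
            f"cert bound to {cert_mac} but session from {session_mac}: "
            "possible copied certificate",
        )
    return Verdict(True, "subject CN matches Calling-Station-Id")


# Constructed sample sessions: the same cert presented from the original
# laptop, from a second machine with its own MAC, and from a second machine
# that also cloned the original MAC (the case the check cannot catch).
SUBJECT = "CN=00-11-22-33-44-55,OU=Laptops,O=Example"
SAMPLE_SESSIONS = [
    ("original laptop", "00:11:22:33:44:55"),
    ("copied cert, own MAC", "66-77-88-99-AA-BB"),
    ("copied cert, cloned MAC", "0011.2233.4455"),
]

if __name__ == "__main__":
    for label, csid in SAMPLE_SESSIONS:
        verdict = evaluate(SUBJECT, csid)
        print(f"{label:26} accept={verdict.accept}  {verdict.reason}")
```

The third sample session is the point the reply makes: once the MAC is cloned along with the certificate and key, the RADIUS server sees two identical clients, so this check only raises the bar, it does not detect a copied private key.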
08-02-2018 06:27 AM
In Windows the private key can't be exported and the certificate is more secure, but in the case of macOS we can simply export the key through Keychain Access, right? Basically they are testing this use case for macOS. They have a considerable number of Mac laptops on their network.
08-02-2018 02:51 PM
I don't know whether it's any easier to export the private key in macOS. But let's say it is ... then the test is still pointless because you cannot discern between two clients who have the same cert. No RADIUS server will stand a chance.
Sharing the same cert on multiple machines is not a bad idea in all cases though. In the client case it's bad news because the Authenticating Server (ISE) is being duped.
But in the Authenticating Server use case it's actually very helpful and used in practice. If you had 10 ISE nodes then you can re-use the same cert on each server.