Received this as an email. Answering here:
QUESTION:
We are actually faced with customers' demand to authenticate ISE admin users by using client certificates.
I tried out this feature in a virtual environment and was neither able to use a local fallback user nor to switch back to password-based auth.
Can you give us a hint regarding certificate-based + local fallback admin access?
ANSWER:
There is no fail-back from Certificate Auth to Password auth. This is because of the way that SSL Client checking works – when the web page’s SSL is configured to verify the client side & not just have a 1-way trust (normal SSL is client trusts Server, but server ignores client) then the SSL tunnel securing the HTTP requires mutual authentication between the client/server.
If that mutual auth fails, the SSL tunnel cannot be formed and the page cannot be displayed in order to fail back to client auth.
-Aaron
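
The handshake behaviour described in the answer, as an added example that is not part of the original post and is not ISE code: a generic TLS server built with Python's `ssl` module is handshaken in memory by a client that presents no certificate. It assumes the `openssl` CLI is available to create a constructed throwaway certificate; the `CERT_OPTIONAL` case is shown only for contrast and says nothing about what ISE can be configured to do.

```python
import os, ssl, subprocess, tempfile

MODES = {"required": ssl.CERT_REQUIRED, "optional": ssl.CERT_OPTIONAL}

def make_cert(cert, key):
    # Constructed throwaway self-signed certificate for "localhost".
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", cert, "-days", "1",
                    "-subj", "/CN=localhost"], check=True, capture_output=True)

def server_ctx(cert, key, verify_mode):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    ctx.load_verify_locations(cert)  # CA from which client certs would be accepted
    ctx.verify_mode = verify_mode
    return ctx

def try_handshake(sctx, cctx):  # -> (tunnel_established, client_cert_seen)
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = cctx.wrap_bio(c_in, c_out, server_hostname="localhost")  # no client cert
    server = sctx.wrap_bio(s_in, s_out, server_side=True)
    wires = ((client, c_out, s_in), (server, s_out, c_in))
    done = set()
    for _ in range(10):  # shuttle handshake records between the two in-memory peers
        for side, out_bio, peer_in in wires:
            if side not in done:
                try:
                    side.do_handshake()
                    done.add(side)
                except ssl.SSLWantReadError:
                    pass  # waiting for the peer's next flight
                except ssl.SSLError:
                    return (False, False)  # handshake rejected: no tunnel, no HTTP
            data = out_bio.read()
            if data:
                peer_in.write(data)
        if len(done) == 2:
            return (True, server.getpeercert() is not None)
    return (False, False)

def demo():
    with tempfile.TemporaryDirectory() as d:
        cert, key = os.path.join(d, "cert.pem"), os.path.join(d, "key.pem")
        make_cert(cert, key)
        cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        cctx.load_verify_locations(cert)
        return {n: try_handshake(server_ctx(cert, key, m), cctx) for n, m in MODES.items()}

if __name__ == "__main__":
    print(demo())
```

With `required`, the server aborts during the handshake, so no HTTP request ever reaches the application and there is nothing that could render a password form. With `optional`, the tunnel comes up with no client certificate on record, which is the only situation in which an application could choose another login method.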