Q: Is there a way to fall back from Cert-Based Admin Authentication to Username Password

Aaron Woland
Cisco Employee

Received this as an email. Answering here:

QUESTION:

We are actually faced with customers demand to authenticate ISE admin users by using client certificates.

I tried out this feature in virtual environment and was neither able to use local fallback user nor switch back to password-based auth.

Can you give us a hint regarding certificate base + local fallback admin access ?

ANSWER:

There is no fail-back from Certificate Auth to Password auth. This is because of the way that SSL Client checking works – when the web page’s SSL is configured to verify the client side & not just have a 1-way trust (normal SSL is client trusts Server, but server ignores client), then the SSL tunnel securing the HTTP requires mutual authentication between the client/server.

If that mutual auth fails, the SSL tunnel cannot be formed and the page cannot be displayed in order to fail back to client auth.


-Aaron
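
To make the point above concrete, here is an added Go example (not code from this thread or from Cisco ISE): a loopback HTTPS server that, like the ISE admin portal with cert-based admin auth enabled, requires and verifies a client certificate at the TLS layer. The admin certificate (CN "ise-admin", self-signed and used as its own trusted CA) is constructed for the demo. A request without a certificate fails inside the TLS handshake before any HTTP request reaches the server, so no login page can be served to fall back to; the same request with the certificate returns 200.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// mustClientCert builds a constructed self-signed admin client cert; it also acts as the CA the portal trusts.
func mustClientCert() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ise-admin"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// newAdminPortal is a loopback HTTPS server set up like ISE with cert-based admin auth: the TLS
// layer itself requires and verifies a client certificate before any HTTP is exchanged.
func newAdminPortal(pool *x509.CertPool) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "admin login page") }))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	return srv
}

// Fetch requests the portal with (cert != nil) or without a client certificate and returns the
// HTTP status, or 0 plus the TLS error when no tunnel could be formed.
func Fetch(srv *httptest.Server, cert *tls.Certificate) (int, error) {
	cfg := srv.Client().Transport.(*http.Transport).TLSClientConfig.Clone() // trusts the test server cert
	if cert != nil { cfg.Certificates = []tls.Certificate{*cert} }
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
	if err != nil { return 0, err } // failed before any HTTP exchange: there is no page to fall back to
	defer resp.Body.Close()
	return resp.StatusCode, nil
}
```

Calling Fetch(srv, nil) returns 0 and a TLS error, while Fetch(srv, &cert) returns 200: the handler only ever runs once mutual authentication has succeeded.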

1 Reply

hslai
Cisco Employee

Once cert-auth is configured for ISE admin web UI access, the only way to fall back is to stop ISE and restart it in "safe" mode from the ISE admin CLI. See application start:

application stop ise

application start ise safe