Certificate Authentication Profile (CAP) option in ISE

bassomarco1998 (Level 1)

Hello everyone,
I'm studying for the SISE exam, and in chapter 15 of the OCG, about authentication via certificate, there's something I don't quite understand. On the page where the CAP (Certificate Authentication Profile) is created, there's an option called "Identity Store".

[image attachment: bassomarco1998_0-1704456113912.png]

What's the purpose of this option?
Thank you.

 



When you use client certificates for authentication, the ISE authenticates the client based on the validity of the client certificate. But with that, you don't know anything yet about the authorization. Yes, you could look into the organizational unit, for example, if there is any helpful information. But your internal PCs likely all have the same OU. Now, you take a field from the certificate that is individual, like the UPN, and query an identity store for authorization. This is like: "Hey, AD, is there a UPN 'karsten@company.com' in your directory? Give me the assigned Windows groups." AD returns groups like Marketing, Sales, Admins, and so on, and you have something to use in your authorization policy.

 

Thank you for your reply.

However, I believe what you are referring to is the next step, namely using the 'principal username attribute' within the authorization policy (specifically utilizing the 'ExternalGroup' attribute). Please refer to the following image.

[image attachment: bassomarco1998_0-1704459346936.png]

I am unclear, though, about the purpose of the Identity Store option within the CAP settings page. If I am verifying the identity within the authorization rule, why do I need to configure an identity source within the CAP settings page?

 

 

Accepted Solution

UPN and ExternalGroup are two different things.

If you want to use an external group in your authorization policy, this information has to be made available. With authentication alone, the ISE doesn't know anything about the Windows groups. You specify the Identity Store in the CAP to tell the ISE which store to query for these groups (or attributes).

These are the steps the ISE takes:

  1. The client is authenticated based on the client certificate. No Windows groups or attributes are known.
  2. ISE takes the Identity Store from the CAP and uses the configured field from the certificate to query the store.
  3. The Identity Store returns the Windows groups and attributes for this identity.
  4. Now, the rules in the authorization policy are evaluated. Here, you can match the external group because these were made available in the previous step.
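
The flow described in the first reply and in the accepted answer above, as an added example that is not part of this thread and is not ISE code: a small Python model of a CAP ("Use Identity From", "Identity Store", and the binary-comparison option) feeding an authorization policy. The certificates, the Active Directory stand-in, the group names and the rules are constructed sample data, and attribute names such as `use_identity_from` and `ExternalGroups` are this example's own, not ISE's internal names. It also covers the failure modes a practitioner hits: a CAP with no identity store (authentication succeeds, but no ExternalGroup can ever match, so the default rule applies), an identity the store does not know, and a certificate whose bytes differ from the one enrolled in the store when binary comparison is required.

```python
"""Model of how the CAP 'Identity Store' setting feeds authorization.
Example code, not ISE's implementation; all data below is constructed."""
from dataclasses import dataclass
from hashlib import sha256
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class ClientCert:
    subject_cn: str
    san_upn: Optional[str]          # SAN otherName carrying a Microsoft UPN
    der: bytes                      # constructed stand-in for the certificate bytes


@dataclass
class CAP:
    use_identity_from: str          # "Subject - Common Name" or "Subject Alternative Name - Other Name"
    identity_store: Optional[str]   # None models "[not applicable]": no store is queried
    binary_compare: str = "Never"   # or "Always perform binary comparison"


# Constructed stand-in for Active Directory: UPN -> groups and the enrolled certificate hash.
KARSTEN_DER = b"constructed-der-bytes-for-karsten"
AD_STORE = {
    "karsten@company.com": {"groups": ["Domain Users", "Marketing"],
                            "cert_sha256": sha256(KARSTEN_DER).hexdigest()},
    "lab-pc01$@company.com": {"groups": ["Domain Computers"], "cert_sha256": None},
}
STORES = {"AD1": AD_STORE}

AuthzRule = Tuple[str, Callable[[Dict], bool], str]    # (rule name, condition, result)
POLICY: List[AuthzRule] = [
    ("Marketing-Users", lambda c: "Marketing" in c["ExternalGroups"], "PermitAccess-Marketing"),
    ("Domain-Machines", lambda c: "Domain Computers" in c["ExternalGroups"], "PermitAccess-Machine"),
]


def extract_identity(cert: ClientCert, cap: CAP) -> Optional[str]:
    """Pick the certificate field named by the CAP's 'Use Identity From'."""
    if cap.use_identity_from == "Subject - Common Name":
        return cert.subject_cn
    if cap.use_identity_from == "Subject Alternative Name - Other Name":
        return cert.san_upn
    raise ValueError("unsupported 'Use Identity From' value: " + cap.use_identity_from)


def authenticate(cert: ClientCert, cap: CAP) -> Dict:
    """Steps 1-3: the certificate is assumed already validated against the trusted
    CA chain; this resolves the identity and pulls groups from the CAP's store."""
    ctx: Dict = {"authenticated": True, "reason": "", "ExternalGroups": []}
    identity = extract_identity(cert, cap)
    ctx["CertificateIdentity"] = identity
    if identity is None:
        return {**ctx, "authenticated": False, "reason": "identity field missing from certificate"}
    if cap.identity_store is None:
        # No store configured: authentication still succeeds, but no groups are known.
        return ctx
    entry = STORES[cap.identity_store].get(identity)
    if entry is None:
        # Models the "subject not found in the applicable identity store" rejection.
        return {**ctx, "authenticated": False, "reason": "subject not found in " + cap.identity_store}
    if cap.binary_compare == "Always perform binary comparison":
        if entry["cert_sha256"] != sha256(cert.der).hexdigest():
            return {**ctx, "authenticated": False,
                    "reason": "certificate does not match the one in " + cap.identity_store}
    ctx["ExternalGroups"] = list(entry["groups"])
    return ctx


def authorize(ctx: Dict, policy: List[AuthzRule] = POLICY) -> str:
    """Step 4: first matching authorization rule wins, otherwise the default rule."""
    for _name, condition, result in policy:
        if condition(ctx):
            return result
    return "DenyAccess"


def evaluate(cert: ClientCert, cap: CAP) -> Tuple[str, str]:
    ctx = authenticate(cert, cap)
    if not ctx["authenticated"]:
        return ("AuthFail", ctx["reason"])
    return ("AuthOK", authorize(ctx))


# Constructed sample endpoints and CAPs.
KARSTEN = ClientCert("karsten", "karsten@company.com", KARSTEN_DER)
CLONED = ClientCert("karsten", "karsten@company.com", b"different-bytes-same-upn")
STRANGER = ClientCert("eve", "eve@company.com", b"eve-der")
CAP_AD = CAP("Subject Alternative Name - Other Name", "AD1")
CAP_NO_STORE = CAP("Subject Alternative Name - Other Name", None)
CAP_AD_BINARY = CAP("Subject Alternative Name - Other Name", "AD1", "Always perform binary comparison")

if __name__ == "__main__":
    cases = [("AD store", KARSTEN, CAP_AD), ("no store", KARSTEN, CAP_NO_STORE),
             ("unknown UPN", STRANGER, CAP_AD), ("cloned cert", CLONED, CAP_AD_BINARY)]
    for label, cert, cap in cases:
        print(f"{label:12s} -> {evaluate(cert, cap)}")
```

The "no store" case is the one the question is really about: the same certificate authenticates fine, yet the Marketing rule never matches because ExternalGroups stays empty, and the session falls through to the default rule. The binary-comparison case shows the other reason to point the CAP at a store: with it, a certificate that merely carries a valid UPN is not enough, it must also be the certificate enrolled for that account.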

Now it's much clearer. Thank you so much.
