Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
22524
Views
14
Helpful
6
Replies

Certificate based authentication in ISE

Go to solution
sqambera
Level 1
Level 1

ā€Ž03-30-2016 02:53 PM - edited ā€Ž03-10-2019 11:37 PM

Hello,

I am trying to develop understanding of certificate based authentication using EAP-TLS in ISE. My question is do we really need Certificate Authentication Profile (CAP) even if we just only need to perform certificate based authentication and we are not interested in configuring authorization rules based on what field of the certificate has been specified as username in the CAP. I am asking this because I think that probably to do certificate based authentication, ISE just needs to check the validity of certificate and whether it has been signed by a CA which it can check by looking into certificate store. Please let me know if I have wrong concept.

I am keen to know what's the whole purpose of CAP? I read in a book that:

To validate the identity ISE must make sure the credentials are valid. In the case of certificate-based authentications, it must determine whether:

Image The digital certificate has been issued and signed by a trusted certificate authority (CA).

Image The certificate has expired (checks both the start and end dates).

Image The certificate has been revoked.

Image The client has provided proof of possession.

Image The certificate presented has the correct key usage, critical extensions, and extended key usage values present.

So in above listed points where is specifically CAP used?

Thanks for taking time to answer.

Regards,

Qamber

2 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to sqambera

ā€Ž04-02-2016 09:33 AM

Hi Qamber, I will try to answer your points as best as I can :)

#1) I am not really sure on what the ISE mechanics are when it comes to the CAP. However, this is a snip-it from Cisco's Design Guide:

Certificate authentication profiles (CAP)s are used in authentication policies for certificate-based authentications. The CAP defines certain attributes in the certificate to view & use as an additional identity source. For example, if the username is in the CN= field of the certificate, you will create a CAP that examines the CN= field. That data may then be used and checked against other identity sources, such as Active Directory

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_60_byod_certificates.pdf

#2) You should be able to define a CAP and use it as an Identity Store without the need to place it in a Sequence. I have done this many times and just re-confirmed that it is possible in my lab. Please check again :)

#3) An Identity Store Sequence allows you to examine more than one Identity Store. In addition, it defines defines in which order Identity Sources are queried. Once a match is found, the process stops and information is returned to ISE.

Thank you for rating helpful posts!

View solution in original post

6 Replies 6

Go to solution
nspasov
Cisco Employee
Cisco Employee

ā€Ž04-01-2016 07:24 PM

Hello Qamber,

CAP is needed as it needs to be referenced as an Identity Store for your Authentication policy. Without having CAP configured you will only be able to reference ISE's internal stores and any other identity stores (if configured) such as Active Directory, LDAP, etc.

I hope this helps!

Thank you for rating helpful posts!

Go to solution
sqambera
Level 1
Level 1
In response to nspasov

ā€Ž04-01-2016 11:23 PM

Thanks Neno. If CAP is used as identity store for authentication policy then:

1. we know that identity store is used for verifying authentication credentials. How CAP is used for verifying authentication credentials? because when we configure CAP we just have to specify which field of the certificate would be used as principal username. What happens afterwards? for example when we perform authentication based on username and password the ISE checks in AD whether those credentials exist or not. Where and what does ISE check in case of CAP. I want to know how certificate is checked by ISE.

2. If CAP is an identity store why we can only use it in identity source sequence? Why we cannot use it in an authentication rule alone like we can do AD or internal identity source.

3. What happens when in an identity source sequence that is being used in an authentication rule a CAP is specified along with other identity sources. How authentication process works in such scenario?

Thanks a lot for taking time to help me understand it. 

Best regards,

Qamber

0 Helpful

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to sqambera

ā€Ž04-02-2016 09:33 AM

Hi Qamber, I will try to answer your points as best as I can :)

#1) I am not really sure on what the ISE mechanics are when it comes to the CAP. However, this is a snip-it from Cisco's Design Guide:

Certificate authentication profiles (CAP)s are used in authentication policies for certificate-based authentications. The CAP defines certain attributes in the certificate to view & use as an additional identity source. For example, if the username is in the CN= field of the certificate, you will create a CAP that examines the CN= field. That data may then be used and checked against other identity sources, such as Active Directory

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_60_byod_certificates.pdf

#2) You should be able to define a CAP and use it as an Identity Store without the need to place it in a Sequence. I have done this many times and just re-confirmed that it is possible in my lab. Please check again :)

#3) An Identity Store Sequence allows you to examine more than one Identity Store. In addition, it defines defines in which order Identity Sources are queried. Once a match is found, the process stops and information is returned to ISE.

Thank you for rating helpful posts!

Go to solution
sqambera
Level 1
Level 1
In response to nspasov

ā€Ž04-02-2016 10:59 PM

Many thanks Neno for your time and effort to answer my questions. Specially for verifying with lab. I'd probably be bothering you later with more questions :)

0 Helpful

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to sqambera

ā€Ž04-02-2016 11:11 PM

No problem! Glad I was able to help! :)

0 Helpful

Go to solution
Peter Koltl
Level 7
Level 7

ā€Ž03-25-2019 10:20 AM

Without a Certificate Authentifacion Profile ISE tries only password-based authentication methods and does not attempt to authenticate the session with a certificate.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents