cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11377
Views
9
Helpful
6
Replies
Beginner

Certificate based authentication in ISE

Hello,

I am trying to develop understanding of certificate based authentication using EAP-TLS in ISE. My question is do we really need Certificate Authentication Profile (CAP) even if we just only need to perform certificate based authentication and we are not interested in configuring authorization rules based on what field of the certificate has been specified as username in the CAP. I am asking this because I think that probably to do certificate based authentication, ISE just needs to check the validity of certificate and whether it has been signed by a CA which it can check by looking into certificate store. Please let me know if I have wrong concept.

I am keen to know what's the whole purpose of CAP? I read in a book that:

To validate the identity ISE must make sure the credentials are valid. In the case of certificate-based authentications, it must determine whether:

Image The digital certificate has been issued and signed by a trusted certificate authority (CA).

Image The certificate has expired (checks both the start and end dates).

Image The certificate has been revoked.

Image The client has provided proof of possession.

Image The certificate presented has the correct key usage, critical extensions, and extended key usage values present.

So in above listed points where is specifically CAP used?

Thanks for taking time to answer.

Regards,

Qamber

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Hi Qamber, I will try to

Hi Qamber, I will try to answer your points as best as I can :)

#1) I am not really sure on what the ISE mechanics are when it comes to the CAP. However, this is a snip-it from Cisco's Design Guide:

Certificate authentication profiles (CAP)s are used in authentication policies for certificate-based authentications. The CAP defines certain attributes in the certificate to view & use as an additional identity source. For example, if the username is in the CN= field of the certificate, you will create a CAP that examines the CN= field. That data may then be used and checked against other identity sources, such as Active Directory

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_60_byod_certificates.pdf

#2) You should be able to define a CAP and use it as an Identity Store without the need to place it in a Sequence. I have done this many times and just re-confirmed that it is possible in my lab. Please check again :)

#3) An Identity Store Sequence allows you to examine more than one Identity Store. In addition, it defines defines in which order Identity Sources are queried. Once a match is found, the process stops and information is returned to ISE.

Thank you for rating helpful posts!

6 REPLIES 6
Cisco Employee

Hello Qamber,

Hello Qamber,

CAP is needed as it needs to be referenced as an Identity Store for your Authentication policy. Without having CAP configured you will only be able to reference ISE's internal stores and any other identity stores (if configured) such as Active Directory, LDAP, etc.

I hope this helps!

Thank you for rating helpful posts!

Beginner

Thanks Neno. If CAP is used

Thanks Neno. If CAP is used as identity store for authentication policy then:

1. we know that identity store is used for verifying authentication credentials. How CAP is used for verifying authentication credentials? because when we configure CAP we just have to specify which field of the certificate would be used as principal username. What happens afterwards? for example when we perform authentication based on username and password the ISE checks in AD whether those credentials exist or not. Where and what does ISE check in case of CAP. I want to know how certificate is checked by ISE.

2. If CAP is an identity store why we can only use it in identity source sequence? Why we cannot use it in an authentication rule alone like we can do AD or internal identity source.

3. What happens when in an identity source sequence that is being used in an authentication rule a CAP is specified along with other identity sources. How authentication process works in such scenario?

Thanks a lot for taking time to help me understand it. 

Best regards,

Qamber

Cisco Employee

Hi Qamber, I will try to

Hi Qamber, I will try to answer your points as best as I can :)

#1) I am not really sure on what the ISE mechanics are when it comes to the CAP. However, this is a snip-it from Cisco's Design Guide:

Certificate authentication profiles (CAP)s are used in authentication policies for certificate-based authentications. The CAP defines certain attributes in the certificate to view & use as an additional identity source. For example, if the username is in the CN= field of the certificate, you will create a CAP that examines the CN= field. That data may then be used and checked against other identity sources, such as Active Directory

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_60_byod_certificates.pdf

#2) You should be able to define a CAP and use it as an Identity Store without the need to place it in a Sequence. I have done this many times and just re-confirmed that it is possible in my lab. Please check again :)

#3) An Identity Store Sequence allows you to examine more than one Identity Store. In addition, it defines defines in which order Identity Sources are queried. Once a match is found, the process stops and information is returned to ISE.

Thank you for rating helpful posts!

Beginner

Many thanks Neno for your

Many thanks Neno for your time and effort to answer my questions. Specially for verifying with lab. I'd probably be bothering you later with more questions :)

Cisco Employee

No problem! Glad I was able

No problem! Glad I was able to help! :)

Highlighted
Contributor

Re: Certificate based authentication in ISE

Without a Certificate Authentifacion Profile ISE tries only password-based authentication methods and does not attempt to authenticate the session with a certificate.