
Missing Feature in ISE? Checking Certificate Attributes against internal user database

Nico Bellack
Level 1

Hi,

we have some ACS deployments and they work well for us. But after the EoL announcement of the ACS we began to test the ISE. Much to our surprise we found out that the ISE obviously doesn't support certificate-based user authentication against the internal user database. In ACS you can configure an identity store with a Certificate Authentication Profile which is independent from any directory. In ISE you have to configure a Certificate Authentication Profile with an AD Join Point. Otherwise there is no certificate checking.

Does anybody know whether this feature is on the roadmap or whether there is a workaround to use certificate-based authentication without external directories?

We only want to check the common name against the user names. There is no need for us to bit-compare the certificates.

Greetz

Nico

1 Reply

Peter Cresswell
Level 5

I have just come across the same problem today. We had been using MIC cert auth for Cisco phones, and authorising them against an internal user group. We don't want to allow unknown Cisco phones on-net...

I'd be interested to hear of an alternative method to achieve this if anyone has an idea? We don't want to add accounts to AD because it has a licensing impact for some other systems...

Peter