Certificate based authentication in ISE

sqambera
Level 1

Hello,

I am trying to develop an understanding of certificate-based authentication using EAP-TLS in ISE. My question is: do we really need a Certificate Authentication Profile (CAP) even if we only need to perform certificate-based authentication and we are not interested in configuring authorization rules based on which field of the certificate has been specified as the username in the CAP? I am asking this because I think that, to do certificate-based authentication, ISE probably just needs to check the validity of the certificate and whether it has been signed by a CA, which it can check by looking into the certificate store. Please let me know if I have the wrong concept.

I am keen to know what the whole purpose of CAP is. I read in a book that:

To validate the identity ISE must make sure the credentials are valid. In the case of certificate-based authentications, it must determine whether:

- The digital certificate has been issued and signed by a trusted certificate authority (CA).
- The certificate has expired (checks both the start and end dates).
- The certificate has been revoked.
- The client has provided proof of possession.
- The certificate presented has the correct key usage, critical extensions, and extended key usage values present.

So in the points listed above, where specifically is CAP used?

Thanks for taking time to answer.

Regards,

Qamber
