Cisco Cisco Identity Services Engine 1.3
Password-based machine authentication is very similar to user-based authentication, except if the machine name is in host/prefix
format. This format (which is a DNS namespace) cannot be authenticated as is by Cisco ISE and is converted to NetBIOS-prefixed
SAM format before it is authenticated.
format. This format (which is a DNS namespace) cannot be authenticated as is by Cisco ISE and is converted to NetBIOS-prefixed
SAM format before it is authenticated.
Active Directory Certificate Retrieval for Certificate-Based Authentication
Cisco ISE supports certificate retrieval for user and machine authentication that uses the EAP-TLS protocol. The user or machine
record on Active Directory includes a certificate attribute of the binary data type. This certificate attribute can contain one or more
certificates. Cisco ISE identifies this attribute as userCertificate and does not allow you to configure any other name for this attribute.
Cisco ISE retrieves this certificate and uses it to perform binary comparison.
record on Active Directory includes a certificate attribute of the binary data type. This certificate attribute can contain one or more
certificates. Cisco ISE identifies this attribute as userCertificate and does not allow you to configure any other name for this attribute.
Cisco ISE retrieves this certificate and uses it to perform binary comparison.
The certificate authentication profile determines the field where the username is taken from in order to lookup the user in Active
Directory to be used for retrieving certificates, for example, Subject Alternative Name (SAN) or Common Name. After Cisco ISE
retrieves the certificate, it performs a binary comparison of this certificate with the client certificate. When multiple certificates are
received, Cisco ISE compares the certificates to check for one that matches. When a match is found, the user or machine authentication
is passed.
Directory to be used for retrieving certificates, for example, Subject Alternative Name (SAN) or Common Name. After Cisco ISE
retrieves the certificate, it performs a binary comparison of this certificate with the client certificate. When multiple certificates are
received, Cisco ISE compares the certificates to check for one that matches. When a match is found, the user or machine authentication
is passed.
Add a Certificate Authentication Profile
You must create a certificate authentication profile if you want to use the Extensible Authentication Protocol-Transport Layer Security
(EAP-TLS) certificate-based authentication method. Instead of authenticating via the traditional username and password method,
Cisco ISE compares a certificate received from a client with one in the server to verify the authenticity of a user.
(EAP-TLS) certificate-based authentication method. Instead of authenticating via the traditional username and password method,
Cisco ISE compares a certificate received from a client with one in the server to verify the authenticity of a user.
Before You Begin
You must be a Super Admin or System Admin.
Procedure
Step 1
Choose Administration > Identity Management > External Identity Sources > Certificate Authentication Profile
> Add.
> Add.
Step 2
Enter the name and an optional description for the certificate authentication profile.
Step 3
Select an identity store from the drop-down list.
Basic certificate checking does not require an identity source. If you want binary comparison checking for the certificates,
you must select an identity source. If you select Active Directory as an identity source, subject and common name and
subject alternative name (all values) can be used to look up a user.
Basic certificate checking does not require an identity source. If you want binary comparison checking for the certificates,
you must select an identity source. If you select Active Directory as an identity source, subject and common name and
subject alternative name (all values) can be used to look up a user.
Step 4
Select the use of identity from Certificate Attribute orAny Subject or Alternative Name Attributes in the Certificate.
This will be used in logs and for lookups.
If you chooseAny Subject or Alternative Name Attributes in the Certificate, Active Directory UPN will be used as
the username for logs and all subject names and alternative names in a certificate will be tried to look up a user. This option
is available only if you choose Active Directory as the identity source.
This will be used in logs and for lookups.
If you chooseAny Subject or Alternative Name Attributes in the Certificate, Active Directory UPN will be used as
the username for logs and all subject names and alternative names in a certificate will be tried to look up a user. This option
is available only if you choose Active Directory as the identity source.
Step 5
Choose when you want to Match Client Certificate Against Certificate In Identity Store. For this you must select an
identity source (LDAP or Active Directory.) If you select Active Directory, you can choose to match certificates only to
resolve identity ambiguity.
identity source (LDAP or Active Directory.) If you select Active Directory, you can choose to match certificates only to
resolve identity ambiguity.
• Never—This option never performs a binary comparison.
• Only to resolve identity ambiguity—This option performs the binary comparison of client certificate to certificate
on account in Active Directory only if ambiguity is encountered. For example, several Active Directory accounts
matching to identity names from certificate are found.
matching to identity names from certificate are found.
15