Certificate Check Workflow in ISE

grleeson, Cisco Employee

Hello,

I have a question regarding what exactly ISE checks against when doing certificate authentication.  In particular, does ISE check key usage on trusted certificates.  Does anyone have a process flow, e.g., first check is to verify the cert was signed by a trusted authority, second check is that it is valid after this date and before that date, third check, etc... then check number X is that the client certificate has Client Authentication key usage, and the trusted authority has Cert Signing key usage.

Thanks for any help on this!

Greg

Accepted Solution

Requirements for CA to Interoperate with Cisco ISE

says,

...

  • Key usage should allow signing and encryption in extension.

...

8 Replies

hslai, Cisco Employee

The steps in the ISE authentication detailed reports should tell how endpoints are authenticated and authorized.

For example, the following goes through the TLS exchanges, and the TLS handshake won't succeed unless the ISE EAP server trusts the client certificate's root CA certificate.

12501 Extracted EAP-Response/NAK requesting to use EAP-TLS instead
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12809 Prepared TLS CertificateRequest message
12505 Prepared EAP-Request with another EAP-TLS challenge

The following shows checks on expiration.

15048 Queried PIP - CERTIFICATE.Is Expired
15048 Queried PIP - CERTIFICATE.Days to Expiry

paul, Level 10

I don't think ISE checks for extended key usage on the cert to ensure client authentication is enabled, but I have never tested that.  The 802.1x supplicant should only be using certs with the client auth EKU enabled.

I usually tell customers ISE at a minimum will do the following

  1. Has the cert been issued by one of the trusted CA certs loaded into ISE that have the "Trust for client authentication and syslog" option set?  ISE will not authenticate certs from just any CA loaded into ISE, only the ones with that option checked.
  2. Is the cert valid, i.e. not expired?

Optionally, if configured ISE will also do CRL or OCSP revocation checking.

If the certificate profile used in authentication is tied to AD, ISE will ensure the identity in the certificate is present in AD.

hslai, Cisco Employee

When I first tested SCEP for ISE BYOD, I used a wrong template, so the client certificate did not have client auth and failed EAP-TLS.

Supported Cipher Suites shows

Validate KeyUsage

Client certificate should have KeyUsage=Key Agreement and ExtendedKeyUsage=Client Authentication for the following ciphers:

  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-ECDSA-AES256-SHA384
Validate ExtendedKeyUsage

Client certificate should have KeyUsage=Key Encipherment and ExtendedKeyUsage=Client Authentication for the following ciphers:

  • AES256-SHA256
  • AES128-SHA256
  • AES256-SHA
  • AES128-SHA
  • DHE-RSA-AES128-SHA
  • DHE-RSA-AES256-SHA
  • DHE-RSA-AES128-SHA256
  • DHE-RSA-AES256-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA
  • ECDHE-RSA-AES128-SHA
  • EDH-RSA-DES-CBC3-SHA
  • DES-CBC3-SHA
  • RC4-SHA
  • RC4-MD5

Server certificate should have ExtendedKeyUsage=Server Authentication

Nice. That is good to know.


grleeson, Cisco Employee

Thanks for the input.  Specifically what I'm looking for is whether ISE checks if a trusted certificate has the Cert Signing EKU.

What prompted the question was configuring 802.1x on phones with CUCM.  The CAPF certificate on Call Manager was signed using the Web Server template, instead of the Sub-CA template, so it didn't have the Cert Signing EKU.  Needless to say, things didn't work.

What I suspect was going on, (but I can't verify without a packet capture from the failed requests), is that the LSC certs that were being applied to the phones by Call Manager were using the self-signed CAPF Sub-CA certificate (CAPF-abc12345).  So ISE couldn't authenticate that, since it had the mis-configured WebServer CAPF (CAPF-xyz12345) cert in the trusted store.  But the question that I'm being asked is, "Does ISE check whether a trusted cert has the cert-signing EKU?"

The authentication failure details don't tell you what cert was presented from the client, it just says the handshake failed.

Thanks again for the help on this.
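An added example, written for this page and not code from the thread, from Cisco ISE or from CUCM, that reproduces with the openssl CLI the checks the replies attribute to ISE: trusted issuer, validity window, and the client-authentication KeyUsage/ExtendedKeyUsage rules from the cipher-suite table, including the mis-templated CAPF scenario described in the post above. It builds a throw-away PKI with a root, a CAPF signed with a Sub-CA style extension set and one signed with a Web Server style set (CA:FALSE, no keyCertSign, EKU serverAuth), issues a client certificate from each, and runs the checks. The certificate names, extension sets and 365-day lifetime are assumptions chosen for illustration. The KU/EKU rules it applies are OpenSSL's, not ISE's: `-purpose sslclient` requires EKU clientAuth plus a KeyUsage that includes digitalSignature or keyAgreement, and requires keyCertSign on every issuer in the chain, which is close to but not identical with the table above (that lists keyEncipherment for the RSA suites).

```sh
#!/bin/sh
# Added example (not from the thread, Cisco ISE or CUCM): reproduce with the
# openssl CLI the checks the replies attribute to ISE, namely trusted issuer,
# validity window and client-authentication KU/EKU, on a throw-away PKI.
# Names, extension sets and the 365-day lifetime are assumptions for illustration.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles (assumed). "subca" stands in for a Sub-CA template,
# "webserver" for a Web Server template (CA:FALSE, no keyCertSign, EKU
# serverAuth), "client" for an EAP-TLS client certificate (EKU clientAuth).
cat > subca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
cat > webserver.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
EOF
cat > client.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
EOF

# issue NAME ISSUER EXTFILE: new RSA key and CSR for NAME, signed by ISSUER
# with the extensions in EXTFILE (ISSUER=self produces a self-signed root).
issue() {
  name=$1 issuer=$2 ext=$3
  openssl genrsa -out "$name.key" 2048 2>/dev/null
  openssl req -new -key "$name.key" -subj "/CN=$name" -out "$name.csr" 2>/dev/null
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -extfile "$ext" \
      -days 365 -out "$name.crt" 2>/dev/null
  else
    # openssl x509 -req does not check whether ISSUER is allowed to sign,
    # which is how a mis-templated CAPF can still hand out LSCs.
    openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
      -CAcreateserial -extfile "$ext" -days 365 -out "$name.crt" 2>/dev/null
  fi
}

# verdict CERT [UNTRUSTED] [PURPOSE] [ATTIME]: print PASS or FAIL on stdout,
# the openssl reason on stderr. root.crt plays ISE's trusted store; UNTRUSTED
# is the intermediate the supplicant sends along; PURPOSE=sslclient adds the
# client-auth KU/EKU check (leave it empty for the chain-and-dates-only check
# from paul's list); ATTIME evaluates the validity window at that epoch second.
verdict() {
  cert=$1 untrusted=$2 purpose=$3 attime=$4
  set -- -CAfile root.crt
  if [ -n "$untrusted" ]; then set -- "$@" -untrusted "$untrusted"; fi
  if [ -n "$purpose" ]; then set -- "$@" -purpose "$purpose"; fi
  if [ -n "$attime" ]; then set -- "$@" -attime "$attime"; fi
  out=$(openssl verify "$@" "$cert" 2>&1 || true)
  case $out in
    *": OK") echo PASS ;;
    *) echo FAIL; printf '  %s: %s\n' "$cert" "$out" >&2 ;;
  esac
}

issue root self subca.ext              # trusted CA loaded into ISE
issue capf-subca root subca.ext        # CAPF signed with the Sub-CA template
issue capf-web root webserver.ext      # CAPF mis-signed with the Web Server template
issue lsc-good capf-subca client.ext   # phone LSC from the proper CAPF
issue lsc-bad capf-web client.ext      # phone LSC from the mis-templated CAPF
issue web-only root webserver.ext      # a client presenting a serverAuth-only cert

echo "lsc-good via Sub-CA CAPF, sslclient:      $(verdict lsc-good.crt capf-subca.crt sslclient)"
echo "lsc-bad via Web Server CAPF, sslclient:   $(verdict lsc-bad.crt capf-web.crt sslclient)"
echo "web-only, chain and dates only:           $(verdict web-only.crt '' '')"
echo "web-only, sslclient:                      $(verdict web-only.crt '' sslclient)"
echo "lsc-good evaluated on 2100-01-01:         $(verdict lsc-good.crt capf-subca.crt sslclient 4102444800)"
```

Run it as `sh` with openssl on the PATH. The first and third lines print PASS, the rest FAIL: the LSC under the Web Server style CAPF fails because OpenSSL refuses to treat an issuer without keyCertSign and CA:TRUE as a CA, the serverAuth-only certificate is accepted by a bare chain-and-dates check but rejected once client-authentication purpose is demanded, and the 2100 evaluation shows the expiry check. Compare the stderr reasons with the failure step in the ISE detailed report rather than assuming ISE applies exactly these OpenSSL rules.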


Thank you, everybody. I appreciate the help.
