Introduction

In this post, we will create Certificate Authentication Profiles. A Certificate Authentication Profile in Identity Services Engine (ISE) is a configuration that defines how certificates are used to authenticate users or devices during the network access process. This profile specifies the certificate fields that ISE will examine to extract identity information, such as the Common Name (CN) or Subject Alternative Name (SAN), from the certificate the user or device presents.

The Certificate Authentication Profile determines which part of the certificate will be mapped to the identity used for policy enforcement, such as matching against an Active Directory user account or determining the appropriate access privileges. It also allows ISE to enforce policies based on attributes found in the certificate, enabling more granular and secure access control. This profile is essential for implementing certificate-based authentication methods, such as EAP-TLS, ensuring that only devices with valid certificates can access the network.

Configuring the Certificate Authentication Profile

Since we will use a certificate-based EAP authentication method in later posts, ISE will compare the certificate received from a client with the one held on the server to verify the user’s or computer’s authenticity. This method is much more secure than EAP methods based on usernames and passwords.

In ISE, navigate to Administration>Identity Management>External Identity Management>Certificate Authentication Profile.

Click Add.

You can give the profile any name that makes sense to you. In the screenshot below, I named mine CA_AD_Cert.

Choose your AD server from the Identity Store drop-down to tie this profile to your Active Directory CA.

Make sure the Certificate Attribute radio button is selected, and from the drop-down box choose the Subject Alternative Name option. This specifies which certificate attribute ISE extracts as the identity and looks up in LDAP to compare against.

For the Match Client Certificate Against Certificate in Identity Store option, I usually keep the default, Only to resolve identity ambiguity.

Before moving on, I want to quickly highlight the default Certificate Authentication Profile. It should be called Preloaded_Certificate_Profile. If you click on its settings, you’ll see that it is different from our previous profile, since it uses the identity from Subject – Common Name and it never matches the client certificate against a certificate in the identity store. This Certificate Authentication Profile is for BYOD.

After creating the certificate profiles, we can create an Identity Source Sequence (ISS) that we can later use for our policies.

Navigate to Administration>Identity Management>Identity Source Sequences.

Click Add.

We will give this Identity Source Sequence a name. In the screenshot below, I named mine Cert_AD_ISS.

Check the box next to Select Certificate Authentication Profile and select the CA_AD_Cert Certificate.

In the Authentication Search List, choose either your domain specifically or All_AD_Join_Points.
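To make the two profile settings above concrete (which certificate field becomes the identity, and when the Match Client Certificate Against Certificate in Identity Store setting triggers a binary comparison), and to show how the Identity Source Sequence walks its Authentication Search List, here is an added Python model. It is an illustration written for this post, not ISE code or Cisco's implementation; the accounts, certificates and fingerprints are constructed, and the store names, account attributes and the `sha256:` fingerprint labels are assumptions used only to make the behaviour visible.

```python
"""Simplified model of how an ISE Certificate Authentication Profile and an
Identity Source Sequence turn a client certificate into an identity.

Added illustration, not ISE code. Accounts, certificates and fingerprints are
constructed; the rules follow the profile settings described in the post.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class IdentityAttribute(Enum):
    SUBJECT_CN = "Subject - Common Name"
    SAN = "Subject Alternative Name"


class MatchMode(Enum):
    NEVER = "Never"
    AMBIGUITY_ONLY = "Only to resolve identity ambiguity"
    ALWAYS = "Always perform binary comparison"


@dataclass(frozen=True)
class ClientCertificate:
    subject_cn: str
    san: Tuple[str, ...]   # SAN values (UPN, e-mail, DNS name)
    fingerprint: str       # stands in for the certificate hash used in binary comparison


@dataclass
class Account:
    name: str
    identities: set = field(default_factory=set)    # values a lookup can match on
    certificates: set = field(default_factory=set)  # fingerprints published on the account


@dataclass
class CertificateAuthenticationProfile:
    name: str
    identity_attribute: IdentityAttribute
    match_mode: MatchMode

    def identity_values(self, cert: ClientCertificate) -> List[str]:
        """The certificate field(s) this profile uses as the identity."""
        if self.identity_attribute is IdentityAttribute.SUBJECT_CN:
            return [cert.subject_cn]
        return list(cert.san)

    def resolve(self, cert: ClientCertificate, store: List[Account]) -> Optional[str]:
        """Return the account name the profile resolves to, or None on failure."""
        wanted = set(self.identity_values(cert))
        candidates = [a for a in store if a.identities & wanted]
        if not candidates:
            return None  # identity not found in this store
        if self.match_mode is MatchMode.ALWAYS or (
            len(candidates) > 1 and self.match_mode is MatchMode.AMBIGUITY_ONLY
        ):
            # Binary comparison: keep only accounts that publish this exact certificate.
            candidates = [a for a in candidates if cert.fingerprint in a.certificates]
        if len(candidates) != 1:
            return None  # still ambiguous, or the certificate is not bound to the account
        return candidates[0].name


@dataclass
class IdentitySourceSequence:
    name: str
    cert_profile: CertificateAuthenticationProfile
    search_list: List[str]  # join points / stores, tried in order

    def authenticate(self, cert: ClientCertificate, stores: Dict[str, List[Account]]):
        """Try each store in the search list; return (store, account) or None."""
        for store_name in self.search_list:
            found = self.cert_profile.resolve(cert, stores.get(store_name, []))
            if found:
                return store_name, found
        return None


# Constructed directory: two accounts share a display name and a mail address
# (what makes a CN or e-mail lookup ambiguous); only one has the cert published.
STORES = {
    "corp.example": [
        Account("jdoe", {"jdoe", "jdoe@corp.example", "John Doe"}, {"sha256:jdoe-2024"}),
        Account("jdoe-contractor", {"jdoe-contractor", "jdoe@corp.example", "John Doe"}, set()),
    ],
    "lab.example": [
        Account("labuser", {"labuser", "labuser@lab.example"}, {"sha256:labuser-2024"}),
    ],
}

CA_AD_CERT = CertificateAuthenticationProfile("CA_AD_Cert", IdentityAttribute.SAN, MatchMode.AMBIGUITY_ONLY)
PRELOADED = CertificateAuthenticationProfile("Preloaded_Certificate_Profile", IdentityAttribute.SUBJECT_CN, MatchMode.NEVER)
STRICT = CertificateAuthenticationProfile("Strict_Binary", IdentityAttribute.SAN, MatchMode.ALWAYS)
CERT_AD_ISS = IdentitySourceSequence("Cert_AD_ISS", CA_AD_CERT, ["corp.example", "lab.example"])

JDOE_CERT = ClientCertificate("John Doe", ("jdoe@corp.example",), "sha256:jdoe-2024")
UNBOUND_CERT = ClientCertificate("John Doe", ("jdoe@corp.example",), "sha256:unknown")  # never published
UNIQUE_CN_CERT = ClientCertificate("jdoe", (), "sha256:jdoe-2024")
LAB_UNBOUND_CERT = ClientCertificate("labuser", ("labuser@lab.example",), "sha256:unknown")


def demo() -> dict:
    """Run the scenarios and return what each profile/sequence resolves to."""
    return {
        "san_ambiguity_resolved": CA_AD_CERT.resolve(JDOE_CERT, STORES["corp.example"]),
        "san_ambiguity_unbound": CA_AD_CERT.resolve(UNBOUND_CERT, STORES["corp.example"]),
        "cn_never_ambiguous": PRELOADED.resolve(JDOE_CERT, STORES["corp.example"]),
        "cn_never_unique": PRELOADED.resolve(UNIQUE_CN_CERT, STORES["corp.example"]),
        "always_binary_unbound": STRICT.resolve(LAB_UNBOUND_CERT, STORES["lab.example"]),
        "ambiguity_only_unbound_unique": CA_AD_CERT.resolve(LAB_UNBOUND_CERT, STORES["lab.example"]),
        "iss": CERT_AD_ISS.authenticate(JDOE_CERT, STORES),
        "iss_wrong_store": CERT_AD_ISS.authenticate(JDOE_CERT, {"lab.example": STORES["lab.example"]}),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The scenarios worth noticing: with the CN-based Preloaded_Certificate_Profile and Never, a duplicated Common Name fails outright, while CA_AD_Cert (SAN plus Only to resolve identity ambiguity) falls back to the binary comparison and picks the account that actually has the certificate published. The Only to resolve identity ambiguity setting performs no binary check when the lookup is unique, so a certificate that is not published on the account still authenticates under it; Always perform binary comparison is the stricter option if you want that bound.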

Configuring a SCEP RA Profile

You will need to configure a SCEP profile if you want your Active Directory Certificate Services PKI to issue certificates for BYOD.

Navigate to Administration>System>Certificates>Certificate Authority>External CA Settings.

Click Add.

You can give the SCEP RA profile any name you want.

If you are using Active Directory Certificate Services for SCEP, the default URL should be http://CA-ip-address/certsrv/mscep/mscep.dll.

Test the connection with the Test Connection button.

Click Submit.

After creating this profile, we will create the certificate template for this SCEP profile.

Navigate to Administration>System>Certificates>Certificate Authority>Certificate Templates.

Click Add.

The template’s name must be the same as the name of your BYOD certificate template in your Active Directory Certificate Authority.

I named it EAP-BYOD in a previous post.

In the drop-down for the SCEP RA profile, use the SCEP profile you just created (SecurityDemoSCEP).

Click Save.