ISE, AD with TLS

Choose Administration > Identity Management > External Identity Sources
In the above option there is something called Binary Certificate Comparison. Below is the explanation of it from the User Guide:
Perform Binary Certificate Comparison with Certificate Retrieved from LDAP or Active Directory—Check this check box if you want to validate certificate information for authentication against a selected LDAP or Active Directory identity source. If you check this check box, you must choose the LDAP or Active Directory identity source from the available list.
Can someone tell me how this will impact the TLS configuration?
Regards
NikhiL

NikhiL:
I don't have ISE but I know a little about binary comparison, which should be the same concept with all products.
When EAP-TLS happens, the WLC (assuming a unified wireless infrastructure) will try to authenticate the user. With EAP-TLS in place, the client will send a certificate as an identity.
For the server to verify that the trusted certificate provided belongs to a Wi-Fi user who is authorized to connect to the wireless network, it needs to verify that the user who provided the certificate is authorized for Wi-Fi access.
It has to compare the username in the certificate with the username in its DB to make sure that the user is authorized for wireless (you can choose which attributes to compare the username against, like SAN, CN, subject, etc.).
If the username provided is found in the AAA server and it is authorized for Wi-Fi, it will be allowed to connect.
If you are using an external DB to authenticate users and not the internal DB, i.e. usernames are not saved in the AAA server and the AAA server is a proxy that authenticates against an external DB (LDAP or AD for example), then you have an extra option.
Sometimes the external DB itself has the same certificate for the client saved. In this case, when the AAA server tries to authenticate the username via the external DB and you have enabled binary comparison, then besides the above username check against the certificate username, the AAA server (ISE in your case) will compare the certificate from the external DB to the certificate provided by the client bit by bit and make sure both certificates are identical.
I hope this makes it clear. I think you can answer "how this affects EAP-TLS" now. It should not affect it if this is being used correctly, and things should be fine.
Hope this is clear and useful.
Amjad
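The two checks described in the answer above, as an added example that is not code from the thread or from Cisco ISE: the client certificate's subject CN is looked up as the username in a simulated directory, and when binary comparison is enabled the DER bytes the client presented must equal the userCertificate stored for that user. The directory, the username and the self-signed test certificates are constructed for the example; a second certificate with the same CN but a different key passes the name check and fails the binary check.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Directory stands in for the AD/LDAP identity source: username -> DER bytes
// of the userCertificate enrolled for that user. Constructed for this example.
type Directory map[string][]byte

type Result struct {
	Username      string
	NameMatched   bool // username taken from the cert exists in the directory
	BinaryMatched bool // presented DER == stored DER (only when enabled)
	Accepted      bool
}

// CheckClientCert does the two steps from the answer above: (1) take the
// identity from the client certificate (subject CN here) and look it up;
// (2) if binaryCompare is set, also require that the bytes the client sent
// equal the bytes stored on the user object, bit for bit. Chain validation
// is assumed to have happened in the TLS handshake and is out of scope.
func CheckClientCert(presentedDER []byte, dir Directory, binaryCompare bool) (Result, error) {
	cert, err := x509.ParseCertificate(presentedDER)
	if err != nil {
		return Result{}, fmt.Errorf("unparseable client certificate: %w", err)
	}
	res := Result{Username: cert.Subject.CommonName}
	stored, ok := dir[res.Username]
	if !ok {
		return res, fmt.Errorf("user %q not found in identity source", res.Username)
	}
	res.NameMatched = true
	if !binaryCompare {
		res.Accepted = true // without binary comparison the name check is enough
		return res, nil
	}
	res.BinaryMatched = bytes.Equal(stored, presentedDER)
	res.Accepted = res.BinaryMatched
	return res, nil
}

// newSelfSignedDER mints a throwaway client certificate with the given CN and
// serial; constructed test data standing in for a CA-issued certificate.
func newSelfSignedDER(cn string, serial int64) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	enrolled := newSelfSignedDER("nikhil", 1)
	lookalike := newSelfSignedDER("nikhil", 2) // same CN, different key and serial
	dir := Directory{"nikhil": enrolled}
	r1, _ := CheckClientCert(enrolled, dir, true)
	r2, _ := CheckClientCert(lookalike, dir, true)
	fmt.Printf("enrolled accepted=%v, lookalike accepted=%v (name matched=%v)\n", r1.Accepted, r2.Accepted, r2.NameMatched)
}
```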

Similar Messages

  • Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-domain Q?

    I'm trying to follow the TrustSec 2.1 guide on IP Phones in Low Impact mode.
    I can get a PC on its own to authenticate via dot1x/tls
    I can get a Cisco IP Phone on its own to authenticate via MAB.
    When the two are on the same switchport, the phone will authenticate but not the PC.  ISE logs EAP timeouts.
    The switchport has the LowImpact port ACL of
    ip access-group ACL-DEFAULT in
    The IP Phone gets a dACL that allows it ok.
    I assume MAB phone and dot1x PC is supported?  Any ideas?
    Thanks in advance.

    The ISE log detailed steps are as follows:
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12300  Prepared EAP-Request proposing PEAP with challenge
    12625  Valid EAP-Key-Name attribute received
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12501  Extracted EAP-Response/NAK requesting to use EAP-TLS instead
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    12625  Valid EAP-Key-Name attribute received
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12809  Prepared TLS CertificateRequest message
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    5411  No response received during 120 seconds on last EAP message sent to the client

  • Send mail with TLS to MS exchange server

    Hi,
    last month I enabled an Oracle wallet for TDE for creating encryption for TS.
    Today, development team needs to send mail to exchange server with TLS.
    So I found this procedure on oracle support Doc ID 1323140.1
    My question is, can I use the same wallet to send mails from db?
    The Oracle Database  11.2.0.3
    Or I need to implement a different type of wallet with certificate?
    Is there, in this case,  a procedure step by step?
    I have never implemented that and I'm very confused....
    Thanks in advance

    Hi,
      For questions about the wallet set up you should try either -
    Database Security - General
    or
    General Database Discussions
    or perhaps the PL/SQL form as you are trying to follow one of their notes -
    PL/SQL
    Regards,
    Mike

  • Synthetic Transactions Fail with TLS error

    Hi,
    Most of the test-cs cmdlets fail with the error: The operation failed due to issues with Tls. See the exception for more information.
    Inner Exception:CertificateInfoNative::AcquireCredentialsHandle() failed; HRESULT=-2146893043.
    Lync itself is working fine. 
    Any thoughts?

    Hi,
    Are you trying this command via remote PowerShell, which is not exactly the Lync server? If this is the case, then which user are you logged in as, and does this user have the required permissions? Also have a look into this:
    http://social.msdn.microsoft.com/Forums/en-US/ucmanagedsdk/thread/ca0d7758-d51b-4728-be0f-ae2c222546eb and
    http://blog.greenl.ee/2009/03/25/troubleshooting-tlsexception-in-ucma-2-0-applications/
    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

  • What version of SQL Server supports SSL connections with TLS 1.2 (SHA-256 hash)?

    Hi,
    I just want to know,
    What version of SQL Server supports SSL connections with TLS 1.2 (SHA-256 hash)?
    If it is supported already,
    how can I set it up?
    Please help me!!!

    The following blog states that SQL Server "leverages the SChannel layer (the SSL/TLS layer provided by Windows) for facilitating encryption.  Furthermore, SQL Server will completely rely upon SChannel to determine the best encryption cipher suite to use." meaning that the version of SQL Server you are running has no bearing on which encryption method is used to encrypt connections between SQL Server and clients.
    http://blogs.msdn.com/b/sql_protocols/archive/2007/06/30/ssl-cipher-suites-used-with-sql-server.aspx
    So the question then becomes which versions of Windows Server support TLS 1.2.  The following article indicates that Windows Server 2008 R2 and beyond support TLS 1.2.
    http://blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx
    So if you are running SQL Server on Windows Server 2008 R2 or later you should be able to enable TLS 1.2 and install a TLS 1.2 certificate.  By following the instructions in the following article you should then be able to enable TLS 1.2 encryption
    for connections between SQL Server and your clients:
    http://support.microsoft.com/kb/316898
    I hope that helps.

  • Why is PayPal still preferring a RC4 cipher with TLS 1.2? Is RC4 with TLS secure?

    My connection with Paypal is using RC4_128 as the preferred cipher with TLS 1.2. I was under the impression that RC4 was quite vulnerable and that AES-GCM is strongly preferred with TLS 1.2 as a more secure alternative? Am I incorrect? How much of a concern is this? thanks! 

    I'm no expert here so forgive me if I do not make sense. As I understand it and as you noted, TLS 1.2 with AES GCM is really the tour-de-force of a secure connection that best mitigates the chance of victimization (but enterprise clients are still progressively adopting it). Maybe 12-18 months back I recall reading Microsoft urging enterprise clients to work in the direction of phasing out RC4, and immediately make RC4 the bottom of the list of preferred ciphers due to fears of growing ease in exploitation (many of which were NOT necessarily instituted in practice but more 'theoretical targeting'). However, based on what you showed me, I am guessing this was said when CBC was assumed to be more secure than it is today (as was TLS 1.0/1.1). Some of PayPal's servers support GCM and those servers prioritize AES GCM over RC4. However, from what I can tell not all PayPal servers support GCM. Based on what you are saying, does that mean PayPal is likely prioritizing RC4 over CBC on these servers given the recent demonstrations of how CBC is also vulnerable? If that is the case, hopefully they are moving in the direction of GCM. Whether PayPal likes it or not, they are a huge target (and therefore we are too). While it's impossible to quantify, based on what you are saying it sounds like the risk here is still relatively low? Again, I'm not an expert on this but rather a guy who does research for a living and had a financial nightmare unfold because I never gave much thought to secure connections. One website, some obsolete cryptography, and the entering of the financial data you use to make purchases, **bleep** on earth broke. (I consider myself partly at fault due to my ignorance of assuming that a secure connection was a secure connection.) https://www.ssllabs.com/ssltest/analyze.html?d=paypal.com&s=23.203.228.56

  • ISE deployment with subdomains

    Hi Experts,
    We have an AD architecture with a parent domain and three sub-domains, one per region, and the ISE Administration/Monitoring node will be in one sub-domain while each region will have its own ISE node with the policy persona.
    I am looking for guidance on how the ISE design will be, more precisely which domain the PSN node will join: their regional sub-domain?
    If yes, is it supported to have each PSN in a different sub-domain?
    Thanks

    You can place the PSN in the regional sub-domain, but you need to make sure that all the regional sub-domains are able to communicate with each other without any DNS or NAT issues.

  • Cisco ISE integration with SMS passcode Device

    Hi Experts,
    I have a scenario where the requirement is to integrate the ISE device with an SMS passcode device which will trigger the OTP to the mobile devices.
    Currently I have my authentication configured to work with AD.
    When my VPN users connect, they authenticate against AD and get access.
    Now, as per the new requirement, once the user is authenticated against AD, the user should be prompted for the OTP password sent to the user by the SMS passcode device.
    If anyone has worked on a similar requirement, please help me resolve the issue.
    Thanks in advance 
    Angus

    Hi all
    I have been working for exactly a month on this topic with no success.
    I need to integrate the VASCO OTP solution. But VASCO does not support any external authentication backend for virtual/SMS tokens, only passcode or local authentication.
    I need to implement an external authentication against LDAP somewhere...
    Gunnar, does Cisco clearly say it is not able to participate in such a setup?
    So my need would be to be able to insert into the flow an authentication in ISE against the LDAP.
    The flow is:
    WebApplication sends login+password (LDAP) to ISE
    ISE checks the credentials and, if OK, forwards the request to VASCO
    VASCO does not check the password but generates the OTP and sends it via SMS
    VASCO replies with an Access-Challenge
    ISE forwards the challenge to the Web Application
    WebApplication sends login+OTP response to ISE
    ISE forwards it to VASCO
    VASCO checks the OTP and replies to ISE with an Accept
    ISE forwards it to the Web Application
    User is logged in...
    The whole flow works if the user enters a passcode.
    I would like to implement an identity source sequence where the user is checked against all the entries, not just the first match:
    first LDAP, then VASCO...

  • ISE integration with Oracle LDAP

    Does ISE integrate with Oracle OID LDAP (Version 11G)? If yes, which version?

    ISE supports any LDAPv3-compliant server.

  • ISE integration with Prime Infrastructure,

    Hi Team,
      I would like to know what the advantages and disadvantages of the ISE integration with Prime Infrastructure are. Also, how will the LAN, Wi-Fi, and identity management part (guest access etc.) work together?
    Cheers!!!
    Minakshi

    Prime Infrastructure manages the wired and the wireless clients in the network. When Cisco ISE is used as a RADIUS server to authenticate clients, Prime Infrastructure collects additional information about these clients from Cisco ISE and provides all client relevant information to Prime Infrastructure to be visible in a single console.
    When posture profiling is enforced in the network, Prime Infrastructure talks to Cisco ISE to get the posture data for the clients and displays it along with other client attributes. When Cisco ISE is used to profile the clients or an endpoint in the network, Prime Infrastructure collects the profiled data to determine what type of client it is, whether it is an iPhone, iPad, an Android device, or any other device.
    Cisco ISE assists Prime Infrastructure in monitoring and troubleshooting client information, and displays all the relevant information for a client in a single console.

  • Dreamweaver CS 5.5 not working with Godaddy FTP with TLS/SSL

    I've upgraded to CS 5.5 and when I try to connect to a client's Godaddy account using FTP with TLS/SSL it fails.  It works perfectly with my Mac app Transmit every time, as it always has.   It doesn't work with implicit or explicit settings, with authentication set to None or otherwise.
    Can someone please let me know if Dreamweaver will ever be compatible with FTP with TLS/SSL and Godaddy?  Or is there some setting I can try that will make it work now somehow?
    Been waiting years for this....

    SnakEyez02 wrote:
    First, that's a Godaddy problem if their security isn't up to par.
    That may be the case that Godaddy is also at fault, but every other FTP app I use with Godaddy works fine.  It's just Dreamweaver and has always been just Dreamweaver not working with a secure connection to Godaddy.  Considering Godaddy is the largest webhost in the USA, you'd think Adobe would have fixed this years ago.  I should also mention I'm not endorsing Godaddy and I understand there's plenty of people that don't like Godaddy for very good reasons.
    Sent you PM with FTP account with Godaddy yesterday.  Thank you for taking a look!
    UPDATE: Whoops, I see you responded via private message already.  I'll paste most of it here in hopes it helps others to understand the issue:
    via SnakEyez02 PM:
    Ok this took a lot of digging.  I won't say it's not a DW issue 100% and I will report a bug for your problem, but DW is not the problem alone Godaddy needs to share the blame here for a bad certificate.  Here is what is happening:
    I'll start with DW:
    - The settings are correct that were in the post.  Port 21, FTP explicit, and the authentication should be set to None (encryption only).  This is where the transmission is encrypted using SSL, but the certificate is shared and not specific to the domain owner.  That is the difference between DW's "none" and "trusted".  It's a poor choice of words, I'll give them that.  However, Godaddy seems to want all connections to be trusted, thus the other error you get when you turn on the None option.  Now could DW do what Transmit does, warn you and write an unsigned certificate into the Keychain app? Probably. Is it best practice for security reasons to "Trust" an unsigned certificate? Probably not.
    Now Transmit:
    - As explained above Transmit opens up a prompt to override and create a fake-trusted signed certificate.  Thus by forcing the OS to think a legitimate certificate is there it gets you through albeit through unconventional methods.
    The problem:
    - A good portion of this problem lies with Godaddy.  Now I use a shared hosting account and set one up on an independent host for a friend of mine and both of them accept the shared certificates (SSL explicit).  The difference is the hostname of the certificate.  I ran a traceroute (from Network Utility in the Utilities folder) on your website and came up with the following address: 173.201.23x.x.
    The problem is that the certificate on your server is actually not for that server, which is the reason DW seems to have such an issue with it.  The SSL certificate that Godaddy put on your shared server is for host 173.201.19x.5x.  As you can see, it's a certificate for another server.  Honestly the fact that Panic's Transmit allows this override scares me a little bit, and the fact that Godaddy never noticed this issue either scares me too.  So while DW could write in a bad certificate, I can see why this is happening.
    I know there is not much solace in my answer because it still doesn't alleviate the problem that you have with DW connecting.  Unfortunately I do not have a workaround despite my numerous attempts to try and gain access over a secure connection.  One alternative you could ask Godaddy for in the meantime is an SSH connection, which would allow you to use SFTP instead of FTPS.  But that's a short-term solution to a long-term problem.
    If you think of anything else feel free to bounce any ideas off me I don't mind.  Good luck in getting this solved and I will post a bug report to make Adobe aware of the issue.
    Thank you for looking into this issue in depth like you have!
    I think the issue might be that Godaddy is applying cost saving measures to keep their prices down in the way they implement their certificates (but it also wouldn't surprise me to know it's simply ineptitude on Godaddy's part either).  I'm not sure I fault Panic with Transmit much at all because it clearly warns you about the certificate and it's your choice to continue.  And, as it stands now, it's much safer to continue to connect that way with Transmit than to stop and connect with no encryption at all at a public hotspot.
    As it stands now, you really shouldn't connect to Godaddy with Dreamweaver at a public hotspot unless you set up an SSH tunnel with your connection first.  But enabling SSH is an added expense in many ways including paying for the service, using more computer resources for tunneling and time setting it up and implementation... all because Dreamweaver won't just allow developers the option like Transmit does.
    Once again, thank you for looking at this and I hope someone at Adobe finally addresses this issue for the security of its customers who use Godaddy (which is often not their choice and was, instead, the choice of their clients to use Godaddy as a webhost).
    Just a side note, I contacted Godaddy support about this several years ago and they were unresponsive and even hostile about it  - So that's definitely another vote against Godaddy from me as well.
    Message was edited by: greenbluewave

  • Cisco ISE Integrate with Airwatch

    Dears,
    I need a configuration guide or video on how to integrate Cisco ISE with AirWatch. Please provide me this information.
    Thanks

    If you have a CCO ID, you may be able to see it here:
    ISE integration with AirWatch MDM
    If you cannot, you should be able to ask your Cisco AM for this.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Securing FTP with TLS

    Hi,
    I am developing a secure FTP client.
    Is there any free API available in the market which I can reuse in my application?
    If not, please provide me some links so that I can develop such an API using the JSSE API.
    FYI, I am following the Internet Draft "Securing FTP with TLS" by Ford-Hutchinson, a specification for realizing RFC 2228, "FTP Security Extension", using TLS.
    Thanks.

    Hi friend,
    I'm also looking for free secure FTP APIs for Java...
    If you know any, do let me know....

  • Outlook 2010 IMAP connection problem and not work with TLS enabled

    Dear all,
    Need your help.  Five of my customer's Outlook 2010 users suddenly got the error message "Your IMAP server closed the connection".  We checked that there is no problem with the IMAP connection on the Exchange 2007 (SP3) server (we tested by setting up a new account in another Outlook and were able to connect, send and receive email).
    We were able to work around the problem for those 5 users by disabling TLS in the account settings for SMTP to Exchange.  The users can then connect and send and receive. (However, in our testing above, there was no problem with TLS.)
    Could you help to enlighten me on what may be the cause of this situation?
    Best Regards,
    Rayson Wong 

    Hi,
    Please click File > Account Settings > Account Settings > select the IMAP account and click Change > More Settings button > Advanced tab, and then adjust the Server Timeouts slider bar to a longer time to check the result.
    Also make sure the SMTP server port number is set correctly.
    Please let me know the result.
    Regards,
    Steve Fan
    TechNet Community Support

  • Send mail to exchange server with TLS

    Hi,
    last month I enabled an Oracle wallet for TDE for creating encryption for TS.
    Today, development team needs to send mail to exchange server with TLS.
    So I found this procedure on oracle support Doc ID 1323140.1
    My question is, can I use the same wallet to send mails from db?
    The Oracle Database  11.2.0.3
    Or I need to implement a different type of wallet with certificate?
    Is there, in this case,  a procedure step by step?
    I have never implemented that and I'm very confused....
    Thanks in advance

    Hi, I have implemented a new wallet with certificates (for testing with smtp.gmail.com) and I tried to use this procedure:
    DECLARE
      mailhost   VARCHAR2(64) := 'smtp.mydomain.it';
      sender     VARCHAR2(64) := '[email protected]';
      recipient  VARCHAR2(64) := '[email protected]';
      wallet_pwd VARCHAR2(64) := 'welcome1';
      wallet_loc VARCHAR2(64) := 'file:/etc/ORACLE/FRMSSYST/SMTP/';
      user_name  VARCHAR2(64) := 'HDC021319';  -- alias for '[email protected]'
      user_pwd   VARCHAR2(64) := 'password';   -- password of [email protected]
      mail_connection utl_smtp.connection;
    BEGIN
      -- Open the connection. With secure_connection_before_smtp => FALSE and
      -- port 25 the session starts in clear text and is upgraded to TLS by the
      -- STARTTLS call below; implicit SSL would use port 465 with TRUE instead.
      -- Either way the wallet must contain the trusted certificate of the SMTP server.
      mail_connection := utl_smtp.open_connection(
        host => mailhost,
        port => 25,
        wallet_path => wallet_loc,
        wallet_password => wallet_pwd,
        secure_connection_before_smtp => FALSE);
      -- Greet the server, switch to TLS, then authenticate a user for access
      -- to the mail server. Schemes should be set appropriately for your mail
      -- server; see the UTL_SMTP documentation for the list of constants and meanings.
      UTL_SMTP.helo(mail_connection, mailhost);
      UTL_SMTP.STARTTLS(mail_connection);
      UTL_SMTP.AUTH(
        c => mail_connection,
        username => user_name,
        password => user_pwd,
        schemes => 'LOGIN');
      -- Set up and make the basic SMTP calls to send a test email
      utl_smtp.helo(mail_connection, mailhost);
      utl_smtp.mail(mail_connection, sender);
      utl_smtp.rcpt(mail_connection, recipient);
      utl_smtp.open_data(mail_connection);
      utl_smtp.write_data(mail_connection, 'This is a test message using SSL with SMTP.' || chr(13));
      utl_smtp.write_data(mail_connection, 'This test requires an Oracle Wallet be properly configured.' || chr(13));
      utl_smtp.close_data(mail_connection);
      utl_smtp.quit(mail_connection);
    END;
    This procedure works fine if I try to send an email via smtp.gmail.com (I tried first with Gmail with the appropriate certificates), but now, when I try to send an email via the local enterprise Exchange server, I get this error:
    ERROR at line 1:
    ORA-29279: SMTP permanent error: 503 5.5.2 Send hello first
    ORA-06512: at "SYS.UTL_SMTP", line 54
    ORA-06512: at "SYS.UTL_SMTP", line 140
    ORA-06512: at "SYS.UTL_SMTP", line 439
    ORA-06512: at line 35
    Thanks in advance
