CCNP Security FAQ: Certificate-Based User Authentications
Figure: Certificate authentication profile.
Q1. Which of the following is required for ISE to trust a client certificate?
a. The client’s private key must be imported into ISE’s Certificate Store.
b. The signing CA’s public key must be imported to ISE’s Certificate Store.
c. The signing CA’s private key must be imported into ISE’s Certificate Store.
d. The signing CA must be part of the Internet’s master PKI hierarchy.
Q2. What determines a digital certificate’s validity period?
a. Any time leading up to the date listed in the Certificate Expiration field of the X.509 certificate.
b. A certificate is always valid until it is added to the Certificate Revocation List (CRL).
c. Any time leading up to the date listed in the Revocation Date field of the X.509 certificate.
d. The time span between the dates listed in the Valid-From and Valid-To fields of the X.509 certificate.
Q3. True or False? Certificate Revocation List (CRL) is the only revocation status mechanism supported by ISE.
Q4. True or False? ISE will ignore the CRL distribution point listed in the X.509 client certificate.
Q5. How does ISE validate proof of possession for a client’s certificate?
a. ISE encrypts data with a combination of ISE’s private key and the client’s public key.
b. ISE encrypts data with a combination of ISE’s public key and the client’s private key.
c. ISE sends a message to the end user, requesting a screen shot of the private key.
d. ISE encrypts data with a combination of ISE’s private key and the client’s private key.
Q6. Which of the following accurately describes how an Active Directory user is authorized when using certificate-based authentication?
a. When Active Directory is the certificate authority (CA), ISE sends the full certificate to the CA and it cross-references it to the end user to which the certificate was issued, returning the AD Group Membership and other attributes to ISE.
b. It is not possible to perform Active Directory user authorization when performing certificate-based authentication.
c. Cisco ISE uses CAP to identify the principle identity from the X.509 attributes and then performs the lookup in Active Directory using that identity. Active Directory returns the AD Group Membership and other attributes to ISE.
d. This process requires a dual authentication. The first authentication is for the digital certificate, and then the user is prompted for his username and password for the Active Directory component.
Q7. Which is the most common authentication protocol for network access when using certificates?
Q8. Which of the following lists accurately describes the components required for ISE to process certificate-based authentications?
a. ISE is capable of processing certificate-based authentications by default, and no additional configuration is required.
b. EAP-TLS enabled in the Allowed Protocols, a CAP, Signing CA’s Public Certificate added to the Certificate Store with the Trust for Client Authentication attribute enabled, and either CRL or OCSP configured.
c. EAP-TLS enabled in the Allowed Protocols, a CAP, Signing CA’s Public Certificate added to the Certificate Store with the Trust for Client Authentication attribute enabled, and an authorization rule for the extracted identity.
d. EAP-TLS enabled in the Allowed Protocols, a CAP, Signing CA’s Public Certificate added to the Certificate Store with the Trust for Client Authentication attribute enabled.
Q9. What does the Download CA certificate chain link on the Microsoft CA provide an ISE administrator?
a. A form for the admin to fill out and request the CA administrator send its public key, including any intermediary CAs.
b. Configures the Windows client to provide the signer’s public key during the authentication process, along with its own (hence, its certificate chain).
c. Downloads a PKCS file, which is a certificate chain file that will contain the public certificates for the CA and any intermediate CA in the hierarchy.
d. Redirects the admin to a new page where she can purchase the public key from the certificateauthority.
Q10. Live Log provides a glance at a lot of information, including a brief failure reason. What should an admin do to find a more detailed explanation of the failed certificate authentication and a possible resolution?
a. From Live Log, navigate to Operations > Reports > Failed Authentications.
b. From Live Log, click the Details icon, which will launch the authentication details report.
c. Immediately email Aaron Woland of Cisco and ask him why this isn’t working.
d. Call Cisco TAC because if the detail is not in Live Log, it doesn’t exist.