CCNP Security FAQ: Certificate-Based User Authentications




Figure: Certificate authentication profile.

Q1. Which of the following is required for ISE to trust a client certificate?
a. The client’s private key must be imported into ISE’s Certificate Store.
b. The signing CA’s public key must be imported to ISE’s Certificate Store.
c. The signing CA’s private key must be imported into ISE’s Certificate Store.
d. The signing CA must be part of the Internet’s master PKI hierarchy.

Answer: B. A copy of the signing CA’s public key must be stored at Administration > System > Certificates > Certificate Store, and it needs to have the Trust for Client Authentication option selected.

Q2. What determines a digital certificate’s validity period?
a. Any time leading up to the date listed in the Certificate Expiration field of the X.509 certificate.
b. A certificate is always valid until it is added to the Certificate Revocation List (CRL).
c. Any time leading up to the date listed in the Revocation Date field of the X.509 certificate.
d. The time span between the dates listed in the Valid-From and Valid-To fields of the X.509 certificate.

Answer: D. It’s vital to understand that the Valid-From field is just as important as the Valid-To field. A certificate will be rejected if it is issued for a date and time after the current date and time. This is why NTP is so critical for PKI.

Q3. True or False? Certificate Revocation List (CRL) is the only revocation status mechanism supported by ISE.
a. True
b. False

Answer: B. ISE supports checking both CRL and Online Certificate Status Protocol (OCSP). OCSP is the preferred method for scalability and security reasons.

Q4. True or False? ISE will ignore the CRL distribution point listed in the X.509 client certificate.
a. True
b. False

Answer: A. ISE will only leverage the CRL distribution point configured within the trusted certificate store for that signing CA and ignore the field that is in the client’s certificate.

Q5. How does ISE validate proof of possession for a client’s certificate?
a. ISE encrypts data with a combination of ISE’s private key and the client’s public key.
b. ISE encrypts data with a combination of ISE’s public key and the client’s private key.
c. ISE sends a message to the end user, requesting a screen shot of the private key.
d. ISE encrypts data with a combination of ISE’s private key and the client’s private key.

Answer: A. ISE sends some “throw-away data” to the client that is encrypted with the combination of ISE’s private key and the client’s public key (the certificate sent for authentication). Then the endpoint must decrypt the data with the combination of its private key and the server’s public key, proving the client has the full key pair and not just a copy of a public key.

Q6. Which of the following accurately describes how an Active Directory user is authorized when using certificate-based authentication?
a. When Active Directory is the certificate authority (CA), ISE sends the full certificate to the CA and it cross-references it to the end user to which the certificate was issued, returning the AD Group Membership and other attributes to ISE.
b. It is not possible to perform Active Directory user authorization when performing certificate-based authentication.
c. Cisco ISE uses CAP to identify the principal identity from the X.509 attributes and then performs the lookup in Active Directory using that identity. Active Directory returns the AD Group Membership and other attributes to ISE.
d. This process requires a dual authentication. The first authentication is for the digital certificate, and then the user is prompted for his username and password for the Active Directory component.

Answer: C. A certificate issued by Active Directory Certificate Services is still just an X.509 certificate. It will go through all the authentication validation of any other certificate, regardless of the fact that the CA was integrated into AD. The CAP extracts the user’s identity from the fields in the certificate for the authorization with AD.
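To tie together the checks described in Q1, Q2, Q4 and Q6, here is an added example (not from the original page and not Cisco ISE code) that models them as a single decision function. Certificates, the trusted certificate store, the CRL contents and the CAP field order are plain Python dicts and lists with constructed values; the field names are assumptions made for the illustration.

```python
from datetime import datetime, timezone

# Constructed trusted-certificate store, keyed by issuer name. Each entry carries
# the "Trust for Client Authentication" flag and the CRL distribution point that
# is configured on the trusted CA entry (the one ISE actually uses).
TRUSTED_CAS = {
    "CN=Corp-Issuing-CA": {"trust_for_client_auth": True,
                           "crl_url": "http://pki.example.internal/corp.crl"},
    "CN=Lab-CA": {"trust_for_client_auth": False, "crl_url": None},
}

# Constructed CRL contents per distribution point: the revoked serial numbers.
CRLS = {"http://pki.example.internal/corp.crl": {"0x1f"}}

# Certificate Authentication Profile: X.509 fields tried, in order, as identity.
CAP_IDENTITY_FIELDS = ["san_upn", "subject_cn", "san_email"]


def validate_client_cert(cert, now, trusted=TRUSTED_CAS, crls=CRLS,
                         cap=CAP_IDENTITY_FIELDS):
    """Return (accepted, reason, identity) for an already-parsed client cert."""
    ca = trusted.get(cert["issuer"])
    if ca is None or not ca["trust_for_client_auth"]:
        return False, "signing CA not trusted for client authentication", None
    # Both ends of the validity window matter: a Valid-From in the future is
    # rejected just like an expired Valid-To, which is why NTP is critical.
    if now < cert["valid_from"]:
        return False, "certificate not yet valid (check NTP)", None
    if now > cert["valid_to"]:
        return False, "certificate expired", None
    # Revocation checking is optional; when a CRL URL is configured on the
    # trusted CA entry it is used and the CDP field inside the cert is ignored.
    if ca["crl_url"] and cert["serial"] in crls.get(ca["crl_url"], set()):
        return False, "certificate revoked", None
    # CAP: the first populated field in the configured order becomes the
    # identity that is looked up in the identity store (e.g. Active Directory).
    for field in cap:
        if cert.get(field):
            return True, "ok", cert[field]
    return False, "no usable identity in certificate", None


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
GOOD_CERT = {"issuer": "CN=Corp-Issuing-CA", "serial": "0x2a",
             "valid_from": datetime(2024, 1, 1, tzinfo=timezone.utc),
             "valid_to": datetime(2025, 1, 1, tzinfo=timezone.utc),
             "cdp_in_cert": "http://other.example/unused.crl",  # ignored
             "san_upn": "jdoe@corp.example", "subject_cn": "jdoe"}
print(validate_client_cert(GOOD_CERT, NOW))
```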

Q7. Which is the most common authentication protocol for network access when using certificates?
a. EAP-TTLS
b. EAP-TLS
c. EAP-FAST
d. EAP-GTC

Answer: B. Although both EAP-TLS and EAP-GTC are native EAP types capable of performing certificate-based authentication, EAP-TLS is more common. EAP-TTLS and EAP-FAST are tunneled EAP types, both of which are capable of having EAP-TLS as an inner method.

Q8. Which of the following lists accurately describes the components required for ISE to process certificate-based authentications?
a. ISE is capable of processing certificate-based authentications by default, and no additional configuration is required.
b. EAP-TLS enabled in the Allowed Protocols, a CAP, Signing CA’s Public Certificate added to the Certificate Store with the Trust for Client Authentication attribute enabled, and either CRL or OCSP configured.
c. EAP-TLS enabled in the Allowed Protocols, a CAP, Signing CA’s Public Certificate added to the Certificate Store with the Trust for Client Authentication attribute enabled, and an authorization rule for the extracted identity.
d. EAP-TLS enabled in the Allowed Protocols, a CAP, Signing CA’s Public Certificate added to the Certificate Store with the Trust for Client Authentication attribute enabled.

Answer: D. Allowed Protocols, CAP for an Identity Store, and trusting the signing CA for client authentication are all that is required. Certificate Revocation checking and the authorization rule are both optional.

Q9. What does the Download CA certificate chain link on the Microsoft CA provide an ISE administrator?
a. A form for the admin to fill out and request the CA administrator send its public key, including any intermediary CAs.
b. Configures the Windows client to provide the signer’s public key during the authentication process, along with its own (hence, its certificate chain).
c. Downloads a PKCS file, which is a certificate chain file that will contain the public certificates for the CA and any intermediate CA in the hierarchy.
d. Redirects the admin to a new page where she can purchase the public key from the certificate authority.

Answer: C. Many certificate authorities have a website where they permit the downloading of their public certificate and even the full certificate chain. In this chapter you see an example of downloading the key from a Microsoft CA. Navigating to this web page and downloading the certificate is how an ISE admin can obtain the public certificate of the signing CA to trust for client authentications. However, it is not recommended to use PKCS chain files unless there is no other option. As a best practice, always use Base-64 encoded files instead of DER-encoded files.

Q10. Live Log provides a glance at a lot of information, including a brief failure reason. What should an admin do to find a more detailed explanation of the failed certificate authentication and a possible resolution?
a. From Live Log, navigate to Operations > Reports > Failed Authentications.
b. From Live Log, click the Details icon, which will launch the authentication details report.
c. Immediately email Aaron Woland of Cisco and ask him why this isn’t working.
d. Call Cisco TAC because if the detail is not in Live Log, it doesn’t exist.

Answer: B. Although I’m flattered that you might want to call me to fix your problems, C is definitely not the correct answer. The first question you would be asked is: “What does it say for Failure Reason in the Authentication Details Report?” which is the correct answer: B. There is no report named Failed Authentications, and besides it would not exist in the root of “reports.”

About the author

James Palmer
