INC-2026-02-03: ISE Certificate Binding Bug
Incident Summary
| Field | Value |
|---|---|
| Incident ID | INC-2026-02-03-001 |
| Severity | Medium |
| Detection | 2026-02-03 |
| Resolution | 2026-02-03 |
| Duration | ~2 hours |
| Status | Resolved |
Problem
A certificate binding issue in ISE 3.3 affected EAP-TLS authentication. Endpoints failed authentication despite having valid certificates.
Root Cause
The ISE certificate authentication profile was misconfigured: the certificate attribute mapping was incorrect after the ISE upgrade.
Resolution
Updated the certificate authentication profile to use the correct attribute mapping:
Certificate Attribute: Subject - Common Name (CN)
Identity Store: Active Directory
AD Attribute: sAMAccountName
CLI Mastery: Certificate Profile Verification
```bash
# Check certificate authentication profile via ERS
netapi ise ers get /config/certificateauthprofile | \
  jq '.SearchResult.resources[] | {name, id}'

# Get specific profile details
netapi ise ers get "/config/certificateauthprofile/{profile-id}" | \
  jq '.CertificateAuthProfile'
```
Key Lessons
| Lesson | Action |
|---|---|
| Post-upgrade verification | Always verify certificate binding rules after ISE upgrades |
| Certificate attribute mapping | Document expected CN → AD attribute mappings |
| Authentication testing | Test EAP-TLS after any policy changes |
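
The post-upgrade verification and documented-mapping lessons can be combined into one automated check that compares exported profile JSON against the documented baseline. This is an added example, not part of the original incident record: the profile names and JSON field names are assumptions, and the sample input is constructed.

```python
import json

# Documented baseline: profile name -> {field: expected value}.
# ASSUMPTION: profile name and field names are illustrative; use the keys that
# your `.CertificateAuthProfile` output actually contains.
BASELINE = {
    "EAP-TLS-Cert-Profile": {
        "certificateAttributeName": "SUBJECT_COMMON_NAME",
        "externalIdentityStoreName": "Active Directory",
    },
}

# Constructed sample (not data from the incident): two profile objects as a
# jq output stream, the first one drifted away from the baseline.
SAMPLE = """
{"name": "EAP-TLS-Cert-Profile",
 "certificateAttributeName": "SUBJECT_ALTERNATIVE_NAME",
 "externalIdentityStoreName": "active directory"}
{"name": "Guest-Cert-Profile", "certificateAttributeName": "SUBJECT_COMMON_NAME"}
"""

def load_profiles(text):
    """Parse one or more concatenated JSON objects, as jq emits them."""
    decoder, profiles, pos = json.JSONDecoder(), [], 0
    text = text.strip()
    while pos < len(text):
        obj, pos = decoder.raw_decode(text, pos)
        profiles.append(obj.get("CertificateAuthProfile", obj))
        while pos < len(text) and text[pos].isspace():
            pos += 1
    return profiles

def find_drift(profiles, baseline=BASELINE):
    """Return (profile, field, expected, actual) for every baseline mismatch."""
    by_name = {p.get("name"): p for p in profiles}
    findings = []
    for name, expected_fields in baseline.items():
        profile = by_name.get(name)
        if profile is None:
            findings.append((name, "<profile>", "present", "missing"))
            continue
        for field, expected in expected_fields.items():
            actual = profile.get(field)
            # Compare case-insensitively; a missing field counts as drift.
            if actual is None or str(actual).casefold() != expected.casefold():
                findings.append((name, field, expected, actual))
    return findings

if __name__ == "__main__":
    for finding in find_drift(load_profiles(SAMPLE)):
        print("DRIFT profile=%s field=%s expected=%r actual=%r" % finding)
```

Profiles that are not listed in the baseline are ignored, so the baseline should name every profile referenced by an EAP-TLS policy.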