ISE Authentication Policy

1. Overview

ISE authentication policies determine how users and devices authenticate. For Linux EAP-TLS deployments, we configure:

  1. Certificate Authentication Profile - Extracts identity from the client certificate

  2. Authentication Rules - Match EAP-TLS requests and route to the certificate profile

This configuration uses the ISE REST API via netapi for automation and repeatability. GUI steps are provided for reference.

2. Policy Sets

Current policy set configuration:

netapi ise get-policy-sets
                     Policy Sets (Page 1, Size 100)
┏━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━┓
┃ Name                ┃ ID                                   ┃ State   ┃
┡━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━┩
│ Domus-Wired 802.1X  │ 2c2e6b05-a29c-46a4-a0ee-7fcea4853e47 │ enabled │
│ Domus-Wired MAB     │ 6d941893-bfeb-4acf-8005-c54c3a098cd0 │ enabled │
│ Domus-Secure 802.1X │ 9557d91c-591b-4d8d-9898-657a62f28d76 │ enabled │
│ Domus-IoT iPSK      │ 64e93c0e-2ce5-490b-a9da-f10daf2784bb │ enabled │
│ Domus-Guest         │ bba815f7-726a-4a70-9b54-f2e532a57de4 │ enabled │
│ Default             │ 3a7f1206-d371-42fe-a845-cd3460535b6e │ enabled │
└─────────────────────┴──────────────────────────────────────┴─────────┘

Table 1. Policy Set Mapping

  Policy Set           Condition                 Use Case
  -------------------  ------------------------  -------------------------------------------
  Domus-Wired 802.1X   NAS-Port-Type = Ethernet  Wired 802.1X endpoints (Linux workstations)
  Domus-Secure 802.1X  SSID = Domus-Secure       Wireless EAP-TLS (corporate WiFi)
  Domus-Wired MAB      Wired + MAB               MAC Authentication Bypass (printers, IoT)
  Domus-IoT iPSK       SSID = Domus-IoT          Identity PSK for IoT devices

3. Authentication Rules

Current authentication rules for Domus-Wired 802.1X:

netapi ise get-auth-rules "Domus-Wired 802.1X"
╭─────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Authentication Rules                                                                            │
╰────────────────────────────────── Domus-Wired 802.1X ───────────────────────────────────────────╯
    #    Rule Name                   Identity Source        If Fail    If Not Found    State
    0    EAP_TLS_Certificate_Auth    AD_Cert_Profile        REJECT     REJECT          enabled
    1    Test_Linux_EAP_TLS_Auth     Test_Linux_CertAuth    REJECT     REJECT          enabled
    2    Default                     All_User_ID_Stores     REJECT     REJECT          enabled

  Rank  Rule Name                 Identity Source      Purpose
  ----  ------------------------  -------------------  ------------------------------
  0     EAP_TLS_Certificate_Auth  AD_Cert_Profile      Primary EAP-TLS authentication
  1     Test_Linux_EAP_TLS_Auth   Test_Linux_CertAuth  Testing/fallback profile
  2     Default                   All_User_ID_Stores   Catch-all (password-based)

4. Certificate Authentication Profile

The certificate authentication profile extracts the identity from the client certificate’s Subject CN.

4.1. View Current Profile

netapi ise get-cert-profile "AD_Cert_Profile"
╭─────────────────────────────────────────────────────────────────────────╮
│ Certificate Authentication Profile: AD_Cert_Profile                     │
╰─────────────────────────────────────────────────────────────────────────╯
  ID                    0b30cab0-f0b1-11f0-850b-1a390b756a2a
  Description           Certificate authentication for AD-joined workstations
  Certificate Attribute SUBJECT_COMMON_NAME
  Username From         CERTIFICATE
  Match Mode            NEVER

4.2. Create via netapi (API)

netapi ise create-cert-profile "AD_Cert_Profile" \
  --attribute "SUBJECT_COMMON_NAME" \
  --match-mode "NEVER" \
  --descr "Certificate authentication for AD-joined workstations"

4.3. Create via REST API

curl -sk -X POST "https://${ISE_PAN}/ers/config/certificateprofile" \
  -H "Authorization: Basic ${ISE_API_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "CertificateProfile": {
      "name": "AD_Cert_Profile",
      "description": "Certificate authentication for AD-joined workstations",
      "certificateAttributeName": "SUBJECT_COMMON_NAME",
      "allowedAsUserName": true,
      "matchMode": "NEVER",
      "usernameFrom": "CERTIFICATE"
    }
  }'

4.4. Create via ISE GUI

  1. Navigate to: Administration → Identity Management → External Identity Sources → Certificate Authentication Profile

  2. Click Add

  3. Configure:

     Field                                                           Value
     --------------------------------------------------------------  -----------------------------------------------------
     Name                                                            AD_Cert_Profile
     Description                                                     Certificate authentication for AD-joined workstations
     Certificate Attribute                                           Subject - Common Name
     Match Client Certificate Against Certificate In Identity Store  Never

  4. Click Save

5. Create Authentication Rule

5.1. Via netapi

# Create the authentication rule
netapi ise add-auth-rule "Domus-Wired 802.1X" \
  --name "EAP_TLS_Certificate_Auth" \
  --condition "EapAuthentication == EAP-TLS" \
  --identity-source "AD_Cert_Profile" \
  --if-fail "REJECT" \
  --if-not-found "REJECT" \
  --rank 0
# Verify the rule was created
netapi ise get-auth-rules "Domus-Wired 802.1X"

5.2. Via REST API

# Get policy set ID first
POLICY_SET_ID=$(netapi ise get-policy-sets -f json | \
  jq -r '.[] | select(.name=="Domus-Wired 802.1X") | .id')

# Create authentication rule
curl -sk -X POST \
  "https://${ISE_PAN}/api/v1/policy/network-access/policy-set/${POLICY_SET_ID}/authentication" \
  -H "Authorization: Basic ${ISE_API_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "rule": {
      "name": "EAP_TLS_Certificate_Auth",
      "rank": 0,
      "state": "enabled",
      "condition": {
        "conditionType": "ConditionAttributes",
        "dictionaryName": "Network Access",
        "attributeName": "EapAuthentication",
        "operator": "equals",
        "attributeValue": "EAP-TLS"
      }
    },
    "identitySourceName": "AD_Cert_Profile",
    "ifAuthFail": "REJECT",
    "ifUserNotFound": "REJECT",
    "ifProcessFail": "DROP"
  }'

5.3. Via ISE GUI

  1. Navigate to: Policy → Policy Sets

  2. Click on Domus-Wired 802.1X

  3. Expand Authentication Policy

  4. Click + to add new rule

  5. Configure:

     Field                     Value
     ------------------------  -----------------------------------------------
     Rule Name                 EAP_TLS_Certificate_Auth
     Conditions                Network Access:EapAuthentication EQUALS EAP-TLS
     Use                       AD_Cert_Profile
     If authentication failed  REJECT
     If user not found         REJECT

  6. Drag rule to rank 0 (top)

  7. Click Save

6. Verification

6.1. Check Authentication via netapi

# View recent authentications
netapi ise mnt authentications --records 10
# Check specific session by MAC address
netapi ise mnt session "C8:5B:76:C6:59:62"
# Filter for specific user/endpoint
netapi ise mnt authentications --records 10 | grep -i "modestus-p50"

6.2. Check via ISE GUI

  1. Navigate to: Operations → RADIUS → Live Logs

  2. Filter by endpoint identity

  3. Verify:

    • Authentication Policy shows EAP_TLS_Certificate_Auth

    • Authentication Status shows Authentication succeeded

    • Identity Store shows AD_Cert_Profile

6.3. Check via REST API

curl -sk "https://${ISE_PAN}/api/v1/policy/network-access/policy-set/${POLICY_SET_ID}/authentication" \
  -H "Authorization: Basic ${ISE_API_TOKEN}" \
  -H "Accept: application/json" | \
  jq '.response[] | {name: .rule.name, rank: .rule.rank, identitySource: .identitySourceName}'

7. Troubleshooting

7.1. Error 22045: Identity Policy Mismatch

Failure Reason: 22045 Identity policy result is configured for password
based authentication methods but received certificate based authentication request

Cause: The authentication rule uses a password-based identity source (AD or Internal Users), but the client presented a certificate.

Fix: Ensure the authentication rule uses a Certificate Authentication Profile, not Active Directory directly.

# Check which identity source the rule is using
netapi ise get-auth-rules "Domus-Wired 802.1X"

# Update to use certificate profile
netapi ise update-auth-rule "Domus-Wired 802.1X" "EAP_TLS_Certificate_Auth" \
  --identity-source "AD_Cert_Profile"

7.2. EAP-TLS Not Matching

If the request matches the wrong rule:

  1. Check rule condition - Must be EapAuthentication EQUALS EAP-TLS

  2. Check rule rank - EAP-TLS rule must be at rank 0 (top)

  3. Check policy set - Ensure request matches the correct policy set condition

# Verify rule conditions
netapi ise get-auth-rule "Domus-Wired 802.1X" "EAP_TLS_Certificate_Auth" --details
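
The checks in 6.3, 7.1 and 7.2 can be scripted against the JSON that the Open API returns for a policy set's authentication rules. The following is an added example written for this page (it is not netapi code or Cisco code). It assumes the response shape shown on this page: a top-level "response" list whose entries carry "rule" (name, rank, state, condition) next to "identitySourceName", "ifAuthFail" and "ifUserNotFound". The two rule sets in the block are constructed by hand, one matching section 5 and one carrying the misconfigurations from 7.1 and 7.2; the set of password-based source names is an assumption to extend with your own AD join point name.

```python
"""Audit the authentication rules of an ISE policy set for the EAP-TLS
invariants from sections 5, 6.3, 7.1 and 7.2 (added example, not netapi code)."""
import json

# Identity sources that produce a password-based result. Routing an EAP-TLS
# request to one of these yields failure reason 22045 (section 7.1).
# Assumed list: add your AD join point name for your deployment.
PASSWORD_BASED_SOURCES = {"All_User_ID_Stores", "Internal Users"}


def eap_tls_condition():
    """The condition used in section 5.2: Network Access:EapAuthentication EQUALS EAP-TLS."""
    return {
        "conditionType": "ConditionAttributes",
        "dictionaryName": "Network Access",
        "attributeName": "EapAuthentication",
        "operator": "equals",
        "attributeValue": "EAP-TLS",
    }


def make_entry(name, rank, source, condition=None, if_not_found="REJECT"):
    """Build one entry in the assumed shape of the GET .../authentication response."""
    return {
        "rule": {"name": name, "rank": rank, "state": "enabled", "condition": condition},
        "identitySourceName": source,
        "ifAuthFail": "REJECT",
        "ifUserNotFound": if_not_found,
        "ifProcessFail": "DROP",
    }


# Constructed sample matching the rules of section 3 and the rule created in section 5.
CORRECT_RESPONSE = json.dumps({"response": [
    make_entry("EAP_TLS_Certificate_Auth", 0, "AD_Cert_Profile", eap_tls_condition()),
    make_entry("Test_Linux_EAP_TLS_Auth", 1, "Test_Linux_CertAuth", eap_tls_condition()),
    make_entry("Default", 2, "All_User_ID_Stores"),
]})

# Constructed sample with the problems from 7.1 (password-based store) and 7.2 (wrong rank).
BROKEN_RESPONSE = json.dumps({"response": [
    make_entry("Default", 0, "All_User_ID_Stores"),
    make_entry("EAP_TLS_Certificate_Auth", 1, "All_User_ID_Stores",
               eap_tls_condition(), if_not_found="CONTINUE"),
]})


def is_eap_tls_condition(cond):
    """True only for the exact condition the EAP-TLS rule must carry (7.2, step 1)."""
    return isinstance(cond, dict) and all(
        cond.get(k) == v for k, v in eap_tls_condition().items())


def summarize_rules(body):
    """Same projection as the jq filter in 6.3, ordered by rank."""
    rules = json.loads(body)["response"]
    return [
        {"name": r["rule"]["name"], "rank": r["rule"]["rank"],
         "identitySource": r.get("identitySourceName")}
        for r in sorted(rules, key=lambda r: r["rule"]["rank"])
    ]


def audit_eap_tls(body, rule_name="EAP_TLS_Certificate_Auth", cert_profile="AD_Cert_Profile"):
    """Return findings for the EAP-TLS rule; an empty list means it matches section 5."""
    rules = json.loads(body)["response"]
    match = [r for r in rules if r["rule"]["name"] == rule_name]
    if not match:
        return [f"rule {rule_name} not found (request will fall through to Default)"]
    entry, findings = match[0], []
    rule = entry["rule"]
    if rule.get("state") != "enabled":
        findings.append(f"{rule_name} is {rule.get('state')}, not enabled")
    if not is_eap_tls_condition(rule.get("condition")):
        findings.append(f"{rule_name} condition is not EapAuthentication EQUALS EAP-TLS (7.2)")
    if rule.get("rank") != 0:
        findings.append(f"{rule_name} is at rank {rule.get('rank')}, expected 0 (7.2)")
    src = entry.get("identitySourceName")
    if src in PASSWORD_BASED_SOURCES:
        findings.append(f"{rule_name} uses password-based source {src}: expect failure 22045 (7.1)")
    elif src != cert_profile:
        findings.append(f"{rule_name} uses {src}, expected certificate profile {cert_profile}")
    for key in ("ifAuthFail", "ifUserNotFound"):
        if entry.get(key) != "REJECT":
            findings.append(f"{rule_name} {key} is {entry.get(key)}, expected REJECT")
    return findings


if __name__ == "__main__":
    # Feed the real response in with: curl ... | python3 this_script.py < /dev/stdin
    for row in summarize_rules(BROKEN_RESPONSE):
        print(row)
    for finding in audit_eap_tls(BROKEN_RESPONSE):
        print("FINDING:", finding)
```

Run it against the output of the curl in 6.3 (pipe the body into `audit_eap_tls`) after every rule change; the three findings on the broken sample are exactly the rank, identity source and "if user not found" mistakes that section 7 walks through by hand.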

7.3. Certificate Identity Not Extracted

If ISE logs show empty or wrong identity:

  1. Verify the Certificate Authentication Profile uses the correct attribute (SUBJECT_COMMON_NAME)

  2. Verify the client certificate's CN matches the expected identity

  3. Check that the ISE trusted certificates include the root CA

# Check certificate profile configuration
netapi ise get-cert-profile "AD_Cert_Profile"

# Verify certificate chain in ISE
netapi ise get-trusted-certs | grep -i "root\|issuing"

8. Next Steps