ISE Certificate Authentication Profile

1. Overview

A Certificate Authentication Profile tells ISE how to extract the identity from a client certificate. This is essential for EAP-TLS authentication where the identity comes from the certificate, not a username/password.

Certificate Identity Extraction Flow
Client Certificate
  └─ Subject: CN=modestus-p50.inside.domusdigitalis.dev
                    │
                    ▼
ISE Certificate Profile (AD_Cert_Profile)
  └─ Extract: SUBJECT_COMMON_NAME
                    │
                    ▼
Identity Used: modestus-p50.inside.domusdigitalis.dev

2. Current Configuration

2.1. List Certificate Profiles

netapi ise get-cert-profiles
╭──────────────────────────────────────────────────────────────────────────────╮
│ Certificate Authentication Profiles                                          │
╰──────────────────────────────────────────────────────────────────────────────╯
    Name                  Attribute               Match Mode    Allowed As Username
    AD_Cert_Profile       SUBJECT_COMMON_NAME     NEVER         true
    Test_Linux_CertAuth   SUBJECT_COMMON_NAME     NEVER         true

2.2. View Profile Details

netapi ise get-cert-profile "AD_Cert_Profile"
╭─────────────────────────────────────────────────────────────────────────╮
│ Certificate Authentication Profile: AD_Cert_Profile                     │
╰─────────────────────────────────────────────────────────────────────────╯
  ID                    0b30cab0-f0b1-11f0-850b-1a390b756a2a
  Description           Certificate authentication for AD-joined workstations
  Certificate Attribute SUBJECT_COMMON_NAME
  Username From         CERTIFICATE
  Match Mode            NEVER

3. Create Certificate Profile

3.1. Via netapi

netapi ise create-cert-profile "AD_Cert_Profile" \
  --attribute "SUBJECT_COMMON_NAME" \
  --match-mode "NEVER" \
  --descr "Certificate authentication for AD-joined workstations"
Expected Output
╭─────────────────────────────────────────────────────────────────────────╮
│ Create Certificate Authentication Profile                               │
╰─────────────────────────────────────────────────────────────────────────╯
  Name                  AD_Cert_Profile
  Certificate Attribute SUBJECT_COMMON_NAME
  Match Mode            NEVER
  Status                Created

✓ Certificate profile created: AD_Cert_Profile

3.2. Via REST API

curl -sk -X POST "https://${ISE_PAN}/ers/config/certificateprofile" \
  -H "Authorization: Basic ${ISE_API_TOKEN}" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -d '{
    "CertificateProfile": {
      "name": "AD_Cert_Profile",
      "description": "Certificate authentication for AD-joined workstations",
      "certificateAttributeName": "SUBJECT_COMMON_NAME",
      "allowedAsUserName": true,
      "matchMode": "NEVER",
      "usernameFrom": "CERTIFICATE"
    }
  }'
Expected Response
{
  "id": "0b30cab0-f0b1-11f0-850b-1a390b756a2a",
  "name": "AD_Cert_Profile",
  "link": {
    "rel": "self",
    "href": "https://ise.inside.domusdigitalis.dev/ers/config/certificateprofile/0b30cab0-f0b1-11f0-850b-1a390b756a2a",
    "type": "application/json"
  }
}

3.3. Via ISE GUI

  1. Navigate to: Administration → Identity Management → External Identity Sources → Certificate Authentication Profile

  2. Click Add

  3. Configure:

     Field                                                           Value                                                   Notes
     Name                                                            AD_Cert_Profile                                         Unique identifier for this profile
     Description                                                     Certificate authentication for AD-joined workstations   Optional but recommended
     Certificate Attribute                                           Subject - Common Name                                   Extracts CN from certificate subject
     Allow as Username                                               Yes (checked)                                           Uses extracted value as the identity
     Match Client Certificate Against Certificate In Identity Store  Never                                                   Don’t require certificate to exist in ISE

  4. Click Submit

4. Certificate Attribute Options

ISE can extract identity from various certificate attributes:

Attribute                        Format                    Use Case
SUBJECT_COMMON_NAME              CN=hostname.domain.com    Machine certificates (most common)
SUBJECT_ALTERNATIVE_NAME         DNS:hostname.domain.com   Certificates with SAN entries
SUBJECT_ALTERNATIVE_NAME_EMAIL   email@domain.com          User certificates with email
SUBJECT_ALTERNATIVE_NAME_UPN     user@domain.com           User certificates with UPN
SUBJECT_SERIAL_NUMBER            12345678                  Certificates with serial numbers
ISSUER_COMMON_NAME               CN=Issuing-CA             Match by issuing CA

For machine certificates issued by Active Directory Certificate Services, use SUBJECT_COMMON_NAME. AD CS uses the computer’s FQDN as the Subject CN by default.

5. Match Mode Options

The Match Mode determines whether ISE validates the certificate against an identity store:

Mode                         Behavior
NEVER                        Never check identity store. Accept any valid certificate signed by a trusted CA. (Recommended for initial deployment)
RESOLVE_IDENTITY_AMBIGUITY   Only check identity store if multiple identities could match the certificate.
BINARY_COMPARISON            Certificate must exactly match a certificate stored in the identity store. (Most restrictive)

Start with NEVER for initial testing. Once EAP-TLS is working, consider tightening to BINARY_COMPARISON if you need to validate certificates against AD.

6. Verification

6.1. Verify Profile via netapi

# List all profiles
netapi ise get-cert-profiles
# Get specific profile details
netapi ise get-cert-profile "AD_Cert_Profile"

6.2. Verify Profile via REST API

curl -sk "https://${ISE_PAN}/ers/config/certificateprofile/name/AD_Cert_Profile" \
  -H "Authorization: Basic ${ISE_API_TOKEN}" \
  -H "Accept: application/json" | jq '.CertificateProfile'
Expected Response
{
  "id": "0b30cab0-f0b1-11f0-850b-1a390b756a2a",
  "name": "AD_Cert_Profile",
  "description": "Certificate authentication for AD-joined workstations",
  "certificateAttributeName": "SUBJECT_COMMON_NAME",
  "allowedAsUserName": true,
  "matchMode": "NEVER",
  "usernameFrom": "CERTIFICATE"
}

6.3. Verify in Authentication Session

After a successful authentication, verify the certificate profile was used:

# Check session details
netapi ise mnt session "C8:5B:76:C6:59:62"

Look for:

  * Identity Store = AD_Cert_Profile
  * User Name = FQDN extracted from certificate CN

7. Update Certificate Profile

7.1. Via netapi

# Update description
netapi ise update-cert-profile "AD_Cert_Profile" \
  --descr "Updated: Certificate authentication for Linux workstations"
# Change match mode
netapi ise update-cert-profile "AD_Cert_Profile" \
  --match-mode "BINARY_COMPARISON"

7.2. Via REST API

# Get current profile ID
PROFILE_ID=$(curl -sk "https://${ISE_PAN}/ers/config/certificateprofile/name/AD_Cert_Profile" \
  -H "Authorization: Basic ${ISE_API_TOKEN}" \
  -H "Accept: application/json" | jq -r '.CertificateProfile.id')

# Update profile (PUT sends the whole object, so every field is rewritten:
# keep matchMode at its current value unless you intend to change it)
curl -sk -X PUT "https://${ISE_PAN}/ers/config/certificateprofile/${PROFILE_ID}" \
  -H "Authorization: Basic ${ISE_API_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "CertificateProfile": {
      "id": "'${PROFILE_ID}'",
      "name": "AD_Cert_Profile",
      "description": "Updated: Certificate authentication for Linux workstations",
      "certificateAttributeName": "SUBJECT_COMMON_NAME",
      "allowedAsUserName": true,
      "matchMode": "NEVER",
      "usernameFrom": "CERTIFICATE"
    }
  }'

8. Troubleshooting

8.1. Certificate Profile Not Extracting Identity

Symptom: ISE shows authentication success but identity is empty or wrong.

Cause: Certificate attribute mismatch - the certificate doesn’t have the expected attribute.

Diagnosis:

# Check what's in the certificate
openssl x509 -in /path/to/cert.pem -noout -subject -nameopt RFC2253
Example Output
subject=CN=modestus-p50.inside.domusdigitalis.dev,OU=Workstations,O=Domus Digitalis

Fix: Ensure the certificate profile attribute matches what’s in the certificate.
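As an added illustration (not part of this guide or of the netapi tool) of how the attribute chosen in section 4 decides the identity, and of the section 8.1 check, the following Python models ISE's extraction over the text that `openssl x509` prints. The sample output, its SAN/UPN entry (OpenSSL 3.x formatting) and the reading of SUBJECT_SERIAL_NUMBER as the subject's serialNumber RDN are assumptions.

```python
import re

# Constructed sample output (OpenSSL 3.x formatting, UPN entry constructed) of:
#   openssl x509 -in cert.pem -noout -subject -issuer -nameopt RFC2253 -ext subjectAltName
OPENSSL_OUTPUT = """subject=CN=modestus-p50.inside.domusdigitalis.dev,OU=Workstations,O=Domus Digitalis
issuer=CN=Issuing-CA,DC=inside,DC=domusdigitalis,DC=dev
X509v3 Subject Alternative Name:
    DNS:modestus-p50.inside.domusdigitalis.dev, othername: UPN::modestus-p50$@inside.domusdigitalis.dev
"""

def parse_rdn(name: str) -> dict:
    """RFC2253 name ('CN=host,OU=Workstations') -> {type: value}; escaped commas kept."""
    out = {}
    for part in re.split(r'(?<!\\),', name):
        key, _, value = part.partition('=')
        out.setdefault(key.strip(), value.replace('\\,', ','))
    return out

def parse_openssl(text: str) -> dict:
    """Collect the certificate fields ISE can extract an identity from."""
    cert = {"subject": {}, "issuer": {}, "san": {}}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        if line.startswith("subject="):
            cert["subject"] = parse_rdn(line[len("subject="):])
        elif line.startswith("issuer="):
            cert["issuer"] = parse_rdn(line[len("issuer="):])
        elif line.startswith("X509v3 Subject Alternative Name") and i + 1 < len(lines):
            for entry in lines[i + 1].split(", "):
                kind, _, value = entry.partition(":")
                if kind == "othername":  # printed as "othername: UPN::user@domain"
                    kind, _, value = value.strip().partition("::")
                cert["san"].setdefault(kind.strip(), value.strip())
    return cert

# Section 4 attribute -> certificate field (assumption: SUBJECT_SERIAL_NUMBER = subject serialNumber RDN)
ATTRIBUTE_SOURCES = {
    "SUBJECT_COMMON_NAME": lambda c: c["subject"].get("CN"),
    "SUBJECT_ALTERNATIVE_NAME": lambda c: c["san"].get("DNS"),
    "SUBJECT_ALTERNATIVE_NAME_EMAIL": lambda c: c["san"].get("email"),
    "SUBJECT_ALTERNATIVE_NAME_UPN": lambda c: c["san"].get("UPN"),
    "SUBJECT_SERIAL_NUMBER": lambda c: c["subject"].get("serialNumber"),
    "ISSUER_COMMON_NAME": lambda c: c["issuer"].get("CN"),
}

def preflight(text: str, attribute: str) -> dict:
    """Section 8.1 check: identity the profile would yield, whether it exists, and which attributes this certificate could serve."""
    cert = parse_openssl(text)
    identity = ATTRIBUTE_SOURCES[attribute](cert)
    available = [a for a, src in ATTRIBUTE_SOURCES.items() if src(cert)]
    return {"identity": identity, "ok": identity is not None, "available": available}
```

Running `preflight(OPENSSL_OUTPUT, "SUBJECT_ALTERNATIVE_NAME_EMAIL")` on this sample reports `ok: False`, which is exactly the mismatch described in 8.1: the profile expects an attribute the certificate does not carry.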

8.2. Error: "Certificate Profile Not Found"

Symptom: Authentication rule fails with profile not found error.

Cause: Profile name misspelled or doesn’t exist.

Fix:

# List existing profiles
netapi ise get-cert-profiles

# Verify exact name
netapi ise get-cert-profile "AD_Cert_Profile"

8.3. Binary Comparison Failing

Symptom: Authentication fails when using BINARY_COMPARISON match mode.

Cause: Certificate not stored in Active Directory or doesn’t match exactly.

Fix: Either:

  1. Change match mode to NEVER (less secure but easier)
  2. Ensure the certificate is published to the AD user/computer object’s userCertificate attribute

# Check if computer has certificate in AD (from domain-joined machine)
# AD rejects anonymous LDAP searches by default: bind with credentials (-D ... -W)
# or use the machine's Kerberos ticket (-Y GSSAPI instead of -x)
ldapsearch -x -H ldap://dc-01.inside.domusdigitalis.dev \
  -b "CN=modestus-p50,OU=Workstations,DC=inside,DC=domusdigitalis,DC=dev" \
  userCertificate

9. Next Steps