CCIE Security (legacy) — Question 5
For your enterprise ISE deployment, you are looking to use certificate-based authentication for all your Windows machines. You have already gone through the exercise of pushing the machine and user certificates out to all the machines using GPO. Since certificate-based authentication, by default, does not check the certificate against Active Directory or require credentials from the user, no groups are returned as part of the authentication request.
What are the possible ways to authorize the user based on Active Directory group membership?
Answer options
- A. The certificates should be configured with the appropriate attributes which contain appropriate group information, which can be used in Authorization policies.
- B. Enable Change of Authorization on the deployment to perform double authentication.
- C. Configure the Windows supplicant to use saved credentials as well as certificate-based authentication.
- D. Use ISE as the Certificate Authority, which will then allow for automatic group retrieval from Active Directory to perform the required authorization.
- E. Use EAP authorization to retrieve group information from Active Directory.
- F. Configure Network Access Device (NAD) to bypass certificate-based authentication and push configured user credentials as a proxy to ISE.
Correct answer: F
Explanation
The correct answer is F because it allows the Network Access Device to bypass the certificate-based authentication and directly send user credentials to ISE, enabling group membership retrieval from Active Directory. The other options either do not address the requirement to authorize based on Active Directory group membership or suggest methods that are not applicable in this context.