My organization wants to authenticate medical devices with certificates.
What I'm trying to do is: on the certificate, the name of the user will be his MAC address,
and the ISE policy will be: if the user name equals the MAC address, then he is authenticated.
Until now I haven't succeeded.
Is it possible?
It sounds like you are trying to do two different things.
The certificate can be done through 802.1x using PEAP. I don't know if your devices can handle dot1x, so if not they can use MAB. Far less secure, but if it's a low-level device like a printer that has limited input capability then you are stuck with MAB.
What you could do with MAB is use the OUI and some other identifying information (if available) like device host names (this can be derived from DHCP, I believe) and possibly AV pairs (RADIUS) to help profile the devices. These can be put into a custom endpoint profile that is given a specific authorization rule.
The whole point is to try to isolate certain types of equipment so that only they get the custom authz rule.
Does this make sense? I'm shooting a little blind here without more info.
If I am understanding this correctly, you are trying to perform EAP-TLS authentication and you want the X.509 principal username to be the MAC address of the authenticating device? Is that correct?
Thanks for your reply,
This is exactly what I'm trying to figure out.
In the email field of the certificate I put the MAC address of the device.
And on my ISE I checked this field as the X.509 user name.
I attached an image from my ISE.
You can see that the user name and the MAC address are the same.
The problem is that I can't authenticate them as I want:
User name = MAC address.
It looks like your Authorization Profile isn't formed to properly catch the "username" part. Can you share your Policy section with the AuthZ profile?
This is what I tried so far.
The authentication works fine but the authorization failed.
If any and Radius:User-Name equals Radius:Calling-Station-ID then PermitAccess,
or this one:
If any and Radius:Calling-Station-ID equals Certificate:Subject-Email (this field is configured to the MAC address) then PermitAccess.
I'm in an ISE class this week and it was suggested to me that you should configure and use a Certificate Authentication Profile (found under Administration, Identity Management, External Identity Sources). Then use that profile in your policy.
You may need to use a field other than email address, as the ISE PSN may do some validation checking to look for a well-formed email address (i.e., with an "@" sign in the attribute).
I already did it.
This is why I can see the username as my MAC address from the specified field of the email.
If you look at the first picture that I uploaded, you can see that ISE recognizes the user ID as the MAC address.
This is not the problem.
What I'm trying to do is to "lock" the device to the certificate, because I don't want someone to install that certificate on another device.
If anyone has any idea how to do this, I'll be grateful.
You first asked about how to avoid failing authorization. Now you mention wanting to lock the use of that certificate to a specific device. Those are two separate issues.
For the first, please share the results of your authorization from the Operations page.
For the second, you should be able to make a compound condition using both the certificate and information from a profiling source that will include the actual MAC address. Several sources can give you this: DHCP profiling, RADIUS accounting, IOS sensor, etc. Which to use depends on your environment's capabilities and design.
The authentication process is definitely failing (based on the screenshot that you posted). Before I can provide more help I will need screenshots showing all details around the Policy Set that you are using.
I agree with Marvin; we need some more info. If possible, please paste some screenshots of your authorization policy and details of the conditions/results.
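The conditions discussed in this thread (certificate identity field equals Radius:Calling-Station-ID, optionally also equal to a MAC learned by profiling) amount to binding a certificate to one endpoint. The Python below is an added illustration of that logic, not part of the thread and not ISE's policy engine or API; the attribute names in the `req` dict are assumptions chosen for the example. It also shows a caveat a practitioner would check first: the two sides often spell the MAC differently (RADIUS Calling-Station-ID is commonly hyphen-separated and upper-case, a certificate field may use colons or Cisco dotted form, and an email-shaped field carries a domain after "@"), so a plain string comparison can fail even when the device is the right one. Normalizing both values before comparing avoids that false mismatch; the sample sessions at the bottom are constructed, not real logs.

```python
import re

# Twelve hex digits, lower-case, no separators: the canonical form used below.
_MAC12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Canonicalise a MAC address written in any common style.

    Accepts 'AA-BB-CC-DD-EE-FF' (typical Calling-Station-ID form),
    'aa:bb:cc:dd:ee:ff', 'aabb.ccdd.eeff' (Cisco IOS form), bare
    'aabbccddeeff', and an email-shaped field such as
    'aabbccddeeff@devices.example' (only the local part is used).
    Returns 'aa:bb:cc:dd:ee:ff', or None if the value is not a MAC address.
    """
    if value is None:
        return None
    text = value.strip().lower()
    if "@" in text:
        text = text.split("@", 1)[0]
    digits = re.sub(r"[:\-.\s]", "", text)      # strip only separators
    if not _MAC12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(req):
    """Evaluate the compound condition; returns (decision, reason).

    `req` models the attributes available for one session. Key names are
    assumptions for this example, not ISE's attribute dictionary:
      auth_method, cert_valid, certificate_subject_email,
      calling_station_id, profiled_mac (optional: DHCP/RADIUS/IOS sensor).
    """
    # Authentication must have succeeded via EAP-TLS before any binding check.
    if req.get("auth_method") != "EAP-TLS" or not req.get("cert_valid"):
        return ("DenyAccess", "certificate authentication did not succeed")
    cert_mac = normalize_mac(req.get("certificate_subject_email"))
    if cert_mac is None:
        return ("DenyAccess", "certificate identity field is not a MAC address")
    radius_mac = normalize_mac(req.get("calling_station_id"))
    if radius_mac != cert_mac:
        return ("DenyAccess",
                f"certificate MAC {cert_mac} does not match Calling-Station-ID {radius_mac}")
    # Second, independent source of the real MAC, when profiling provides one.
    profiled_mac = normalize_mac(req.get("profiled_mac"))
    if profiled_mac is not None and profiled_mac != cert_mac:
        return ("DenyAccess",
                f"certificate MAC {cert_mac} does not match profiled MAC {profiled_mac}")
    return ("PermitAccess", f"certificate is bound to endpoint {cert_mac}")


# Constructed sample sessions (not captured from a real ISE deployment).
SAMPLE_SESSIONS = {
    # Same device, three different spellings of one MAC: should be permitted.
    "legitimate": {
        "auth_method": "EAP-TLS", "cert_valid": True,
        "certificate_subject_email": "aabbccddeeff@devices.example",
        "calling_station_id": "AA-BB-CC-DD-EE-FF",
        "profiled_mac": "aabb.ccdd.eeff",
    },
    # Certificate installed on a different device: Calling-Station-ID differs.
    "copied_cert": {
        "auth_method": "EAP-TLS", "cert_valid": True,
        "certificate_subject_email": "aabbccddeeff@devices.example",
        "calling_station_id": "11-22-33-44-55-66",
    },
    # Identity field is a host name, not a MAC: cannot be bound.
    "bad_identity": {
        "auth_method": "EAP-TLS", "cert_valid": True,
        "certificate_subject_email": "printer01@devices.example",
        "calling_station_id": "AA-BB-CC-DD-EE-FF",
    },
    # RADIUS agrees but the profiler saw another MAC: treat as a mismatch.
    "profiler_disagrees": {
        "auth_method": "EAP-TLS", "cert_valid": True,
        "certificate_subject_email": "aa:bb:cc:dd:ee:ff",
        "calling_station_id": "AA-BB-CC-DD-EE-FF",
        "profiled_mac": "11-22-33-44-55-66",
    },
}


def evaluate_samples():
    """Map each sample session name to its authorization decision."""
    return {name: authorize(req)[0] for name, req in SAMPLE_SESSIONS.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_SESSIONS.items():
        decision, reason = authorize(req)
        print(f"{name:20s} {decision:12s} {reason}")
```

Running the script prints one decision per sample; only the "legitimate" session is permitted. In ISE itself this translates to building the same normalization into the attribute you compare (for example by keeping the certificate field in the exact form the NAS reports Calling-Station-ID) and, as suggested above, adding the profiled MAC as a second condition so that a certificate copied to another machine fails authorization even if the client spoofs its RADIUS identity.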