Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ISE Cert profile - SAN vs Common Name

Hi 

 

I have got the following problem:

- Wireless Workstation authenticate using certificates and cert profile matches SAN

- recently added BYOD devices that wont work unless I use cert profile matching Common Name

 

Is there any way to split Wireless 802.1X rule in 2 halves so I can match:

- Wireless 802.1X and Workstations  -> Cert Profile would be using SAN

- Wireless 802.1X and Apple Devices -> Cert Profile would be using Common Name

 

So far I failed in my attempt to split Wireless 802.1X and ended up having to CONTINUE on Failed Authentication on Cert Profile matching Common Name + securing access on Authorization rules which is not ideal.

 

With this solution iPADs go through full authentication but Workstations hit that CONTINUE option as Common Name attribute is not found in Cert for them.

 

based on that link http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_id_stores.html#pgfId-1382708

 

i should be able to use SAN for Windows workstations and Common Name seems only option for iPADs so should be able to split Authentication Rule somehow?

 

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

I have had a similar issue

I have had a similar issue before and got around it by creating a new store rule under authentication. The biggest sticking point is finding an attribute to use for differentiation purposes. If you are using the same SSID it makes it hard but the easiest differentiator I have found is WLAN ID or Radius Called-station ID. Basically make a rule for CN cert profile that matches on WLAN ID 1 and then make a rule for SAN cert profile that matches on WLAN ID 2. You maybe able to find other differentiators in your deployment but the options are limited in authentication versus authorisation.

 

2 REPLIES
New Member

I have had a similar issue

I have had a similar issue before and got around it by creating a new store rule under authentication. The biggest sticking point is finding an attribute to use for differentiation purposes. If you are using the same SSID it makes it hard but the easiest differentiator I have found is WLAN ID or Radius Called-station ID. Basically make a rule for CN cert profile that matches on WLAN ID 1 and then make a rule for SAN cert profile that matches on WLAN ID 2. You maybe able to find other differentiators in your deployment but the options are limited in authentication versus authorisation.

 

New Member

ThanksWe had to differentiate

Thanks

We had to differentiate between apple and microsoft workstations. We have found a way by matching om EAP tunnel EQUALS PEAP for workstations and Apple uses EAP-TLS from provisioned profile. As you suggested 2 stores on Authentication rule work that way... I am hoping in future profiling can be used at this stage to simply say - Apple Devices or Workstations.

70
Views
0
Helpful
2
Replies
CreatePlease to create content