ISE Cert profile - SAN vs Common Name

Hi

I have got the following problem:

- Wireless workstations authenticate using certificates and the cert profile matches on SAN
- Recently added BYOD devices won't work unless I use a cert profile matching on Common Name

Is there any way to split the Wireless 802.1X rule in two halves so I can match:

- Wireless 802.1X and Workstations -> Cert Profile would be using SAN
- Wireless 802.1X and Apple Devices -> Cert Profile would be using Common Name

So far I have failed in my attempt to split Wireless 802.1X and ended up having to set CONTINUE on Failed Authentication for the Cert Profile matching Common Name, plus securing access in the Authorization rules, which is not ideal.

With this solution iPads go through full authentication, but Workstations hit that CONTINUE option as the Common Name attribute is not found in their cert.

Based on this link: http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_id_stores.html#pgfId-1382708

I should be able to use SAN for Windows workstations, and Common Name seems to be the only option for iPads, so I should be able to split the Authentication Rule somehow?

Accepted Solution

Stephen McBride
Level 1

I have had a similar issue before and got around it by creating a new store rule under authentication. The biggest sticking point is finding an attribute to use for differentiation purposes. If you are using the same SSID it makes it hard, but the easiest differentiator I have found is WLAN ID or RADIUS Called-Station-ID. Basically, make a rule for the CN cert profile that matches on WLAN ID 1 and then make a rule for the SAN cert profile that matches on WLAN ID 2. You may be able to find other differentiators in your deployment, but the options are limited in authentication versus authorisation.

2 Replies


Thanks

We had to differentiate between Apple and Microsoft workstations. We have found a way by matching on EAP tunnel EQUALS PEAP for workstations, while Apple uses EAP-TLS from the provisioned profile. As you suggested, two stores on the Authentication rule work that way... I am hoping in future profiling can be used at this stage to simply say Apple Devices or Workstations.
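The rule split described in this thread, as an added example that is not part of the original posts or of ISE itself: it simulates top-down evaluation of two authentication rules that select the SAN or CN certificate profile by EAP tunnel type, and contrasts it with the single-rule "continue on failure" workaround. The attribute keys (`EapTunnel`, `EapAuth`), the `Cert` stand-in and the sample certificates are constructed assumptions, not ISE syntax.

```python
from dataclasses import dataclass, field

@dataclass
class Cert:
    """Stand-in for the certificate fields ISE reads (constructed, not a real X.509 parser)."""
    subject_cn: str = ""
    san: list = field(default_factory=list)   # SAN entries (e.g. UPN, DNS) as plain strings

def identity_from(cert, profile):
    """Identity a certificate authentication profile extracts, or None if the field is absent."""
    if profile == "SAN":
        return cert.san[0] if cert.san else None
    if profile == "CN":
        return cert.subject_cn or None
    raise ValueError(f"unknown cert profile: {profile}")

# Split authentication rules, evaluated top-down like an ISE policy. The condition is the
# differentiator the thread settled on (EAP tunnel type); the attribute keys are assumptions.
SPLIT_RULES = [
    ("Wireless 802.1X - Workstations", lambda a: a.get("EapTunnel") == "PEAP", "SAN"),
    ("Wireless 802.1X - Apple", lambda a: a.get("EapAuth") == "EAP-TLS" and "EapTunnel" not in a, "CN"),
]

def authenticate(attrs, cert, rules=SPLIT_RULES):
    """Return (matched rule name, identity); identity None means the cert profile lookup failed."""
    for name, condition, profile in rules:
        if condition(attrs):
            return name, identity_from(cert, profile)
    return None, None   # no rule matched: ISE would reject the request

def single_rule_continue(cert):
    """The OP's workaround: one CN-profile rule with 'continue' on failure.
    Devices without a CN get no identity, so access hinges on authorization rules alone."""
    ident = identity_from(cert, "CN")
    return ident if ident else "CONTINUE-without-identity"

# Constructed sample certificates: the workstation has only a SAN, the iPad has only a CN.
WORKSTATION = Cert(san=["host/ws01.corp.example"])
IPAD = Cert(subject_cn="ipad-01")

if __name__ == "__main__":
    print(authenticate({"EapTunnel": "PEAP", "EapAuth": "EAP-TLS"}, WORKSTATION))
    print(authenticate({"EapAuth": "EAP-TLS"}, IPAD))
    print(single_rule_continue(WORKSTATION), single_rule_continue(IPAD))
```

Running a workstation certificate through the Apple rule shows the failure the OP saw: the CN profile returns no identity because the certificate carries only a SAN.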
