03-25-2014 01:15 PM - edited 07-05-2021 12:32 AM
Hi
I have got the following problem:
- Wireless workstations authenticate using certificates and the cert profile matches SAN
- Recently added BYOD devices that won't work unless I use a cert profile matching Common Name
Is there any way to split the Wireless 802.1X rule in 2 halves so I can match:
- Wireless 802.1X and Workstations -> Cert Profile would be using SAN
- Wireless 802.1X and Apple Devices -> Cert Profile would be using Common Name
So far I failed in my attempt to split Wireless 802.1X and ended up having to CONTINUE on Failed Authentication on the Cert Profile matching Common Name + securing access on Authorization rules, which is not ideal.
With this solution iPads go through full authentication but Workstations hit that CONTINUE option as the Common Name attribute is not found in the Cert for them.
Based on that link http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_id_stores.html#pgfId-1382708
I should be able to use SAN for Windows workstations and Common Name seems the only option for iPads, so I should be able to split the Authentication Rule somehow?
03-27-2014 06:24 PM
I have had a similar issue before and got around it by creating a new store rule under authentication. The biggest sticking point is finding an attribute to use for differentiation purposes. If you are using the same SSID it makes it hard, but the easiest differentiator I have found is WLAN ID or Radius Called-Station-ID. Basically make a rule for the CN cert profile that matches on WLAN ID 1 and then make a rule for the SAN cert profile that matches on WLAN ID 2. You may be able to find other differentiators in your deployment, but the options are limited in authentication versus authorisation.
03-28-2014 01:17 AM
Thanks
We had to differentiate between Apple and Microsoft workstations. We have found a way by matching on EAP tunnel EQUALS PEAP for workstations, and Apple uses EAP-TLS from the provisioned profile. As you suggested, 2 stores on the Authentication rule work that way... I am hoping in future profiling can be used at this stage to simply say - Apple Devices or Workstations.
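To make the two-rule split discussed in this thread concrete, here is an added Python model of the authentication policy (written for this page, not ISE configuration or anything posted by the participants): an ordered rule list where the EAP tunnel type (or, alternatively, WLAN ID) selects which certificate field supplies the identity, and a cert that lacks that field is rejected outright instead of falling through with CONTINUE. The attribute names (`eap_tunnel`, `wlan_id`, `san_upn`, `subject_cn`) and all sample requests and certificates are constructed stand-ins, not ISE's exact dictionary names.

```python
from typing import Callable, Dict, List, Optional, Tuple

Request = Dict[str, object]   # RADIUS/EAP attributes of one access request (constructed)
Cert = Dict[str, str]         # parsed fields of the presented client certificate (constructed)

# Certificate Authentication Profiles: the cert field that supplies the principal username.
CERT_PROFILE_SAN = "san_upn"    # domain workstation certs carry a UPN in the SAN
CERT_PROFILE_CN = "subject_cn"  # provisioned BYOD/Apple certs carry only a CN


def is_wireless(r: Request) -> bool:
    return r.get("nas_port_type") == "Wireless-802.11"


def on_wlan(wlan_id: int) -> Callable[[Request], bool]:
    """Alternative differentiator from the accepted answer: match on WLAN ID."""
    return lambda r: is_wireless(r) and r.get("wlan_id") == wlan_id


# Authentication rules in evaluation order: (name, condition, cert profile).
# First match wins, exactly like separate rows in an ISE authentication policy.
RULES: List[Tuple[str, Callable[[Request], bool], str]] = [
    ("Wireless 802.1X Workstations",       # PEAP outer tunnel -> SAN profile
     lambda r: is_wireless(r) and r.get("eap_tunnel") == "PEAP", CERT_PROFILE_SAN),
    ("Wireless 802.1X Apple Devices",      # plain EAP-TLS, no tunnel -> CN profile
     lambda r: is_wireless(r) and r.get("eap_tunnel") is None
               and r.get("eap_auth") == "EAP-TLS", CERT_PROFILE_CN),
    ("Wireless BYOD by WLAN ID", on_wlan(2), CERT_PROFILE_CN),
]


def authenticate(request: Request, cert: Cert) -> Tuple[str, Optional[str]]:
    """Return (outcome, identity): ACCEPT with the extracted identity, REJECT when the
    matched profile's field is absent from the cert, NO_RULE when nothing matched."""
    for _name, matches, field_name in RULES:
        if not matches(request):
            continue
        identity = cert.get(field_name)
        if not identity:
            return ("REJECT", None)  # field missing: fail closed, do not CONTINUE
        return ("ACCEPT", identity)
    return ("NO_RULE", None)


# Constructed samples: a domain workstation (PEAP, cert with SAN UPN) and an iPad (EAP-TLS, CN only).
WORKSTATION_REQ: Request = {"nas_port_type": "Wireless-802.11", "eap_tunnel": "PEAP", "eap_auth": "EAP-TLS"}
WORKSTATION_CERT: Cert = {"subject_cn": "ws01.corp.example", "san_upn": "ws01$@corp.example"}
IPAD_REQ: Request = {"nas_port_type": "Wireless-802.11", "eap_auth": "EAP-TLS"}
IPAD_CERT: Cert = {"subject_cn": "ipad-user1"}
WIRED_REQ: Request = {"nas_port_type": "Ethernet", "eap_auth": "EAP-TLS"}
```

Run `authenticate(IPAD_REQ, WORKSTATION_CERT)` and `authenticate(WORKSTATION_REQ, IPAD_CERT)` to see the two cross cases: the first still accepts via CN, the second is rejected because the CN-only cert has no SAN for the workstation rule to read.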