topic Could you please confirm the in Network Access Control

Cisco ISE Reports

msporleder — Mon, 11 Mar 2019 07:26:45 GMT

Hello everyone,

is there any possibility how to create a report in ISE (1.1.4.218 or 1.4.0.253) where I can display the the "Issuer - Common Name" of the client/user-certificate?

Thank you very much in advance!

Regards,
Manuel

Could you please confirm the

Gagandeep Singh — Wed, 08 Feb 2017 18:24:09 GMT

Could you please confirm the following :

1) Are you talking about CN to to be check during user authentication in ISE.

2) Looking for where endpoint-user certificate is present in ISE.

Regards

Gagan

Hello Gagan,

msporleder — Tue, 14 Feb 2017 13:54:14 GMT

Hello Gagan,

sorry for replying so late.

I am talking about the Common Name of the issuer of a client-certificate.
Like: This client-certificate was issued by CA ??? .

Regards
Manuel

Yes, ISE has the capability

Gagandeep Singh — Tue, 14 Feb 2017 16:23:58 GMT

Yes, ISE has the capability to fetch just the CN of the certificate and take it to AD for checking the user authentication.

Also there is a binary comparison of certificate received from client and match it with certificate present in AD.

Administration > Identity > External identity store > Certificate authentication profile.

Hope it answers you query!!!!

Regards

Gagan

PS : rate if it helps!!!!!

Hello Gagan,

msporleder — Wed, 15 Feb 2017 09:13:05 GMT

Hello Gagan,

I know that the ISE has all the informations. But I dont see any chance to create a custom report where I can filter for the CN of the client-certificate-issuer.

And this is what I would like to do.

Or to have a column in the live authentications where I can filter for that attribute.

What I did as a workaroung: I created many authorization-rules where I also ask for the attribute "CERTIFICATE:Issuer - Common Name" and then as the result I crated different authorization profiles (basically all with the same attribute details but with different names).

So now I can filter on the name of the authorization profiles...

But from my point of view this is not a good way to handle this.

Especially all the informations are in the systems database, only I can not create a report where I can ask for all attributes I'd like to.

Regards
Manuel

Hi Manuel,

Gagandeep Singh — Fri, 17 Feb 2017 03:09:19 GMT

Hi Manuel,

I know there is no option in live reports for specific search on CN. However if you open any live authentication for AD authentication. You'll find CN resolved identities in report.

Let me know of any queries on this...

Regards

Gagan

PS : rate if it helps!!!!!