topic Re: Using OUID for Authentication in Network Access Control

Using OUID for Authentication

s1nsp4wn — Fri, 16 Aug 2019 14:50:38 GMT

ISE 2.4 Patch 9

Is there a way (conditionally or otherwise) I can get ISE to match on object guid? We currently use EAP-TLS for wireless authentication, but I want it so not only do users have to have a client certificate provided by us, the guid on that cert must be used as an attribute that ISE will search AD for before allowing the person on the network. I've searched all the attributes and see plenty of issuer and subject-based attributes, but nothing specific to guid. The thought process is that usernames and emails can change, but a globally unique id won't ever change.

Re: Using OUID for Authentication

hslai — Wed, 21 Aug 2019 02:34:49 GMT

Requirements for domain controller certificates from a third-party CA shows to include the domain controller GUID in an other name entry of the subject alternative name. If so, you may condition on CERTIFICATE·Subject Alternative Name - Other Name

Re: Using OUID for Authentication

s1nsp4wn — Wed, 21 Aug 2019 15:22:15 GMT

So it sounds like I could match on the AD's guid, but what I'm trying to do is validate an eap-tls user based on possession of the client certificate AND somehow lining their guid up with finding them in AD as my external identity source. Currently it seems like AD is only searchable from an authorization perspective looking at my conditions.