topic Re: ISE in Azure question in Network Access Control

ISE in Azure question

smaseman — Wed, 28 Feb 2018 18:02:03 GMT

Hi Team,

I have one specific ISE question from my customer where I don’t find any answer. Would be great if you could help me on this. Thanks in advance:

We currently have the task to allow Azure AD Joined Clients into our WLAN. These do not receive a certificate from our internal CA, but from Azure.

However, the Azure certificate is generally valid for all Microsoft customers. There is a field which is customer specific and we would like to check this.

It appears in the certificate with an OID e. g. 1.2.5. xxxxxxxxxxxxxx and has a value that corresponds to our Azure instance.

Is it possible to read out a random OID? I couldn't find anything in the predefined conditions, with these you can only read standard fields.

Thanks in advance for your help,

Simon

Re: ISE in Azure question

hslai — Wed, 28 Feb 2018 18:38:09 GMT

This is not currently supported. Please discuss it with our PM team.

If possible, please provide more details or documentation links on how Azure certificates utilizing such random OID.

Re: ISE in Azure question

Craig Hyps — Thu, 01 Mar 2018 11:48:05 GMT

There has been some testing with Azure but as Hsing noted, solution is not fully vetted yet.

If saying that you do have auth working with EAPT-TLS, but unable to make policy decision based on cert attributes, then the answer provided on internal mailer is same. ISE can match conditions based on the following certificate dictionary:

These can be used to match on specific issuer, organization, user, etc.