topic Re: ISE 2.3 - Subject Alt Name or Calling-Station-ID case sensitive? in Network Access Control

ISE 2.3 - Subject Alt Name or Calling-Station-ID case sensitive?

Greg Gibbs — Thu, 10 Aug 2017 03:14:29 GMT

Hi team,

Has there been a change between ISE 2.0 and 2.3 in the case sensitivity of the Certificate:Subject Alternative Name and/or Radius:Calling-Station-ID attributes or the operators (EQUALS, MATCHES, CONTAINS)?

After upgrading from ISE 2.0 p4 to 2.3, the AuthZ policies based upon 'Certificate:Subject Alternative Name EQUALS Radius:Calling-Station-ID' are failing to hit.

I've tried using the EQUALS and MATCHES operators, but both fail. In the log details, these attributes are different cases.

Subject Alternative Name 00-DB-DF-58-64-A2

Calling Station Id 00-db-df-58-64-a2

If I change the Calling-Station-ID attribute to the string for the SAN (00-DB-DF-58-64-A2), the rule hits.

If I change the operator to CONTAINS, it also works.

Is this expected/known behaviour with ISE 2.3?

Re: ISE 2.3 - Subject Alt Name or Calling-Station-ID case sensitive?

hslai — Thu, 10 Aug 2017 04:01:18 GMT

Try creating a new authorization policy rule and see if that works.

CSCvf47170 is seen at a couple beta customers' setups.

Re: ISE 2.3 - Subject Alt Name or Calling-Station-ID case sensitive?

Greg Gibbs — Thu, 10 Aug 2017 04:12:57 GMT

Hi HS,

It does work if I create a new AuthZ rule, but does not if I duplicate the existing rule.

Is this likely to be part of the same bug listed above, or should I open a TAC case to have a new bug opened?

This issue will complicate any ISE upgrade if we have to recreate the rules.

Re: ISE 2.3 - Subject Alt Name or Calling-Station-ID case sensitive?

hslai — Thu, 10 Aug 2017 04:15:38 GMT

I will check with DE and see whether he needs debug logs from you.